ci(deps-dev): bump prek from 0.3.4 to 0.3.5 in /.github/tools in the python-workflow-tools group #70
Workflow file for this run

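# SAST workflow: runs CodeQL and Opengrep and publishes both result sets to
# GitHub code scanning. Egress from both runners is deny-by-default; every
# host listed under allowed-endpoints exists for a step named in that job.
name: SAST

on:
  push:
    branches:
      - 'main'
  pull_request:
  schedule:
    # Weekly run (Monday 03:32 UTC) so newly shipped queries/rules are applied
    # even when nothing is pushed.
    - cron: '32 3 * * 1'
  workflow_dispatch:

# One run per pull request (or per ref for push/schedule/dispatch); a newer
# run supersedes an in-flight one for the same key.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Empty default token; each job grants only the scopes it needs.
# NOTE(review): neither job grants contents: read. The checkouts below evidently
# work for this repository; re-check that assumption if it ever becomes private.
permissions: {}

jobs:
  codeql:
    name: Analyze (CodeQL)
    runs-on: ubuntu-latest
    timeout-minutes: 45
    permissions:
      security-events: write # Required to upload CodeQL SARIF results to GitHub code scanning.
      actions: read # Required so CodeQL actions can access workflow/action metadata.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          # repo.maven.apache.org serves the Java dependencies Autobuild resolves;
          # the GitHub hosts cover checkout, CodeQL bundle download and SARIF upload.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            release-assets.githubusercontent.com:443
            repo.maven.apache.org:443
            uploads.github.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the job token in .git/config for later steps.
          persist-credentials: false

      - name: Initialize CodeQL
        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          languages: java-kotlin,actions
          queries: security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6

      - name: Perform CodeQL analysis
        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6

  opengrep:
    name: Analyze (Opengrep)
    runs-on: ubuntu-latest
    timeout-minutes: 45
    permissions:
      security-events: write # Required to upload SARIF results to GitHub code scanning.
      actions: read # Required so the upload-sarif action can access workflow metadata.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          # rekor.sigstore.dev and tuf-repo-cdn.sigstore.dev are needed by
          # `cosign verify-blob` (transparency-log lookup and trust-root refresh);
          # semgrep.dev serves the p/* rule packs used by the scan step.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            rekor.sigstore.dev:443
            release-assets.githubusercontent.com:443
            semgrep.dev:443
            tuf-repo-cdn.sigstore.dev:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Load pinned tool versions
        id: versions
        run: |
          opengrep="$(jq -r '.opengrep' .github/tools/versions.json)"
          # Fail closed when the key is absent (jq prints the literal "null"), and
          # reject anything that is not a plain version token so the value cannot
          # introduce path segments or shell-significant characters into the
          # download URL built in the next step.
          if [ -z "${opengrep}" ] || [ "${opengrep}" = "null" ]; then
            echo "::error::.opengrep is missing from .github/tools/versions.json"
            exit 1
          fi
          case "${opengrep}" in
            *[!A-Za-z0-9._-]*)
              echo "::error::unexpected characters in opengrep version '${opengrep}'"
              exit 1
              ;;
          esac
          echo "opengrep=${opengrep}" >> "$GITHUB_OUTPUT"

      - name: Install Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Download Opengrep
        env:
          OPENGREP_VERSION: ${{ steps.versions.outputs.opengrep }}
        run: |
          # Release asset plus its Sigstore certificate and signature. The binary
          # is deliberately left non-executable until verification succeeds.
          base="https://github.com/opengrep/opengrep/releases/download/${OPENGREP_VERSION}/opengrep_manylinux_x86"
          curl -fsSL "${base}" -o opengrep
          curl -fsSL "${base}.cert" -o opengrep.cert
          curl -fsSL "${base}.sig" -o opengrep.sig

      - name: Verify Opengrep signature
        run: |
          # Keyless verification. The identity regexp is anchored to the
          # opengrep/opengrep workflow path, so a certificate whose SAN merely
          # *contains* that substring elsewhere does not match. Tighten it further
          # to the exact release workflow file and an @refs/tags/ ref once those
          # are confirmed against a published release.
          cosign verify-blob opengrep \
            --certificate opengrep.cert \
            --signature opengrep.sig \
            --certificate-identity-regexp='^https://github\.com/opengrep/opengrep/\.github/workflows/' \
            --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
          # Only a verified binary becomes executable (the step aborts above on failure).
          chmod +x opengrep

      - name: Run Opengrep scan
        run: |
          # p/* packs are fetched from the Semgrep registry at run time and are not
          # version-pinned, so rule contents can change between runs.
          ./opengrep scan \
            --config p/java \
            --config p/owasp-top-ten \
            --sarif-output opengrep.sarif \
            .

      - name: Upload results to GitHub Code Scanning
        # Upload even when the scan step exits non-zero (e.g. on findings); if no
        # SARIF file was written this step fails, which is the desired signal.
        if: always()
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: opengrep.sarif
          category: opengrep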