From c5ec7b393d04b35e45fa746daa739df7cc3d987e Mon Sep 17 00:00:00 2001
From: Gregor Riepl
Date: Fri, 16 Aug 2024 18:56:31 +0200
Subject: [PATCH 1/4] Update Actions
---
.github/workflows/scan.yml | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 4f07629..7251ccc 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -38,7 +38,7 @@ jobs:
 with:
 args: -fmt sarif -out gosec.sarif -stdout -verbose=text ./...
 - name: upload results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 # run this even when the gosec task fails (otherwise we wouldn't get a result)
 if: success() || failure()
 # but ignore errors in case GH security upload isn't available
@@ -75,7 +75,7 @@ jobs:
 format: lovely,sarif
 additional_args: --out results
 - name: upload results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 if: success() || failure()
 continue-on-error: true
 with:
@@ -88,7 +88,7 @@ jobs:
 with:
 persist-credentials: false
 sparse-checkout: python/
- - uses: actions/setup-python@v4
+ - uses: actions/setup-python@v5
 with:
 python-version: '3.11'
 # We're not using the official action because Bandit doesn't include the SARIF formatter by default.
@@ -105,12 +105,12 @@ jobs:
 run: |
 bandit --recursive --format screen python/
 - name: upload results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 if: success() || failure()
 continue-on-error: true
 with:
 sarif_file: results.sarif
- chekov-terraform:
+ checkov-terraform:
 runs-on: ubuntu-latest
 steps:
 - name: checkout repo
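Review bot: Renaming the job id `chekov-terraform` to `checkov-terraform` here (and `chekov-bicep` to `checkov-bicep` in the next hunk) also renames the check that GitHub reports for the job, because a job without a job-level `name:` is displayed under its id; if branch protection or any required-status-check rule was configured on the old names, it silently stops gating merges until someone updates it. A job-level `name: checkov-terraform` (and the bicep counterpart) would decouple the reported check name from the id for future renames, and the commit description could call out the rename for whoever maintains the protection rules. Separately, the bumped `uses:` references in this and the sibling hunks remain on mutable major-version tags; for a security-scanning workflow the usual hardening is to pin to a full commit SHA and keep the tag in a trailing comment, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3`.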
@@ -125,12 +125,12 @@ jobs:
 output_format: cli,sarif
 output_file_path: console,results.sarif
 - name: upload results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 if: success() || failure()
 continue-on-error: true
 with:
 sarif_file: results.sarif
- chekov-bicep:
+ checkov-bicep:
 runs-on: ubuntu-latest
 steps:
 - name: checkout repo
@@ -145,7 +145,7 @@ jobs:
 output_format: cli,sarif
 output_file_path: console,results.sarif
 - name: upload results
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 if: success() || failure()
 continue-on-error: true
 with:
@@ -161,14 +161,14 @@ jobs:
 persist-credentials: false
 sparse-checkout: go/
 - name: codeql init
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
 with:
 languages: go
 - name: codeql autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@v3
 - name: codeql analysis
 id: analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@v3
 with:
 category: "/language:go"
 - name: print results
@@ -184,14 +184,14 @@ jobs:
 persist-credentials: false
 sparse-checkout: python/
 - name: codeql init
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@v3
 with:
 languages: python
 - name: codeql autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@v3
 - name: codeql analysis
 id: analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@v3
 with:
 category: "/language:python"
 - name: print results
@@ -206,7 +206,7 @@ jobs:
 with:
 persist-credentials: false
 sparse-checkout: python/
- - uses: pypa/gh-action-pip-audit@v1.0.0
+ - uses: pypa/gh-action-pip-audit@v1.1.0
 with:
 inputs: requirements.txt
 # SARIF reports aren't supported by pip-audit yet:
From 78aa0dd04656dcd9a5ed3856d5b8ba871c9b71a3 Mon Sep 17 00:00:00 2001
From: Gregor Riepl
Date: Fri, 16 Aug 2024 19:05:21 +0200
Subject: [PATCH 2/4] Update to more recent Go
---
.github/workflows/scan.yml | 2 +-
go.mod | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 7251ccc..80492d4 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -56,7 +56,7 @@ jobs:
 - name: run govulncheck
 uses: golang/govulncheck-action@v1
 with:
- go-version-input: 1.19.0
+ go-version-input: 1.20
 go-package: ./...
 # this action doesn't produce a SARIF report yet, so there's nothing to upload.
 # See: https://github.com/golang/go/issues/61347
diff --git a/go.mod b/go.mod
index 566066b..23f94e7 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,5 @@
 module github.com/swisstxt/secscan-demo
-go 1.19
+go 1.20
 require golang.org/x/net v0.12.0
From f6f3e54b7797179da0e329c530c4274cc6c09ee2 Mon Sep 17 00:00:00 2001
From: Gregor Riepl
Date: Fri, 16 Aug 2024 19:07:48 +0200
Subject: [PATCH 3/4] YAML foo
---
.github/workflows/scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 80492d4..caa0aea 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -56,7 +56,7 @@ jobs:
 - name: run govulncheck
 uses: golang/govulncheck-action@v1
 with:
- go-version-input: 1.20
+ go-version-input: "1.20"
 go-package: ./...
 # this action doesn't produce a SARIF report yet, so there's nothing to upload.
 # See: https://github.com/golang/go/issues/61347
From 247e837adc05ac6149f85ffb5607663dbf529488 Mon Sep 17 00:00:00 2001
From: Gregor Riepl
Date: Fri, 16 Aug 2024 19:11:21 +0200
Subject: [PATCH 4/4] govulncheck requires Go 1.21 now
---
.github/workflows/scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index caa0aea..e41a74b 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -56,7 +56,7 @@ jobs:
 - name: run govulncheck
 uses: golang/govulncheck-action@v1
 with:
- go-version-input: "1.20"
+ go-version-input: "1.21"
 go-package: ./...
 # this action doesn't produce a SARIF report yet, so there's nothing to upload.
 # See: https://github.com/golang/go/issues/61347
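Review bot: After this patch the workflow pins the govulncheck toolchain to `"1.21"` while go.mod, raised to `go 1.20` in patch 2 of this series, still declares 1.20, so the two version sources have drifted and now have to be bumped in lockstep. If the action accepts a module-file input (golang/govulncheck-action forwards a `go-version-file` input to setup-go, as far as I know), replacing `go-version-input: "1.21"` with `go-version-file: go.mod` and raising go.mod to 1.21 would leave a single source of truth; otherwise a comment on the changed line such as `# govulncheck needs Go >= 1.21; keep in sync with go.mod` would tell the next maintainer why the two differ. The enclosing govulncheck job starts and ends outside the hunk.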