diff --git a/.github/workflows/actions-linter.yaml b/.github/workflows/actions-linter.yaml
index b6c401e..0caa537 100644
--- a/.github/workflows/actions-linter.yaml
+++ b/.github/workflows/actions-linter.yaml
@@ -9,12 +9,15 @@ jobs: permissions: pull-requests: write contents: read + steps: - name: clone application source code - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: install package using aqua uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1 with: aqua_version: v2.29.0 + - name: run ghalint run: github-comment exec --token ${{ secrets.token }} -- ghalint run
diff --git a/.github/workflows/react-dependency-check.yaml b/.github/workflows/react-dependency-check.yaml
index 9657c59..e801f9a 100644
--- a/.github/workflows/react-dependency-check.yaml
+++ b/.github/workflows/react-dependency-check.yaml
@@ -9,9 +9,11 @@ on: schedule: # 日曜日の午前0時に実行 - cron: '0 0 * * 0' +defaults: + run: + shell: bash jobs: - trivy-scan: runs-on: ubuntu-latest permissions:
@@ -20,7 +22,7 @@ jobs: steps: - name: clone application source code - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: use trivy uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
@@ -33,11 +35,13 @@ jobs: format: 'sarif' output: 'sca-report.sarif' severity: 'CRITICAL,HIGH' + - name: save report as pipeline artifact uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: sca-report.sarif path: sca-report.sarif + - name: publish trivy alerts uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10 with:
diff --git a/.github/workflows/react-jest.yaml b/.github/workflows/react-jest.yaml
index 41609bc..70fbc55 100644
--- a/.github/workflows/react-jest.yaml
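Review bot: The re-pinned `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` step in actions-linter.yaml keeps checkout's default of writing the job token into the workspace git config, where the later steps (the aqua-installed tools and the `ghalint` run) can read it, although this job only needs a read-only copy of the source; add `with:` / `persist-credentials: false` under the step. The job's `pull-requests: write` and `contents: read` permissions are visible in the hunk's context, so the persisted token appears to carry PR write scope. The same applies to the checkout bumps in react-dependency-check.yaml, react-jest.yaml and react-semgrep.yaml in this commit.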
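Review bot: The added top-level `defaults: run: shell: bash` in react-dependency-check.yaml changes step semantics, not only the shell: when `shell: bash` is set explicitly, GitHub runs steps with `bash --noprofile --norc -eo pipefail {0}`, while the unset default on Linux runners is `bash -e {0}` without `pipefail`, so a `run:` step whose pipeline has a failing left-hand command will now fail instead of passing silently. That is a reasonable hardening for a scan workflow, but the commit does not say so; add `# explicit bash enables -o pipefail (unset shell runs bash -e only)` above `defaults:`. The identical addition in react-semgrep.yaml (hunk `@@ -11,9 +11,11 @@`) should carry the same comment. The `run:` steps affected are outside these hunks, so I have not verified whether any of them relies on a non-zero pipeline element.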
+++ b/.github/workflows/react-jest.yaml
@@ -6,7 +6,6 @@ on: - "src/**.ts" - "public/**.html" - ".github/workflows/react-jest.yaml" - defaults: run: shell: bash
@@ -21,17 +20,16 @@ jobs: run: working-directory: /home/runner/work/devsecops-demo-aws-ecs/devsecops-demo-aws-ecs + steps: # checkout repository to runner - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: set up node20 uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 with: node-version: '20' - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: install package using aqua uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1 with:
diff --git a/.github/workflows/react-semgrep.yaml b/.github/workflows/react-semgrep.yaml
index 48deebb..f4b95c3 100644
--- a/.github/workflows/react-semgrep.yaml
+++ b/.github/workflows/react-semgrep.yaml
@@ -11,9 +11,11 @@ on: schedule: # 日曜日の午前0時に実行 - cron: '0 0 * * 0' +defaults: + run: + shell: bash jobs: - semgrep-full: runs-on: ubuntu-latest permissions:
@@ -24,7 +26,7 @@ jobs: steps: - name: clone application source code - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: install package using aqua uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1 with:
@@ -42,6 +44,7 @@ jobs: name: report.sarif path: report.sarif # scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。 + # - name: publish code scanning alerts uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10 with:
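Review bot: The re-pinned `- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` step in react-jest.yaml (hunk `@@ -21,17 +20,16 @@`) has no `name:`, unlike the same step in the other three workflows in this commit, which call it `clone application source code`; give it `- name: clone application source code` so the step reads consistently across workflows and the comment above it becomes redundant. Dropping the second, duplicated checkout that ran after setup-node is correct. The `working-directory: /home/runner/work/devsecops-demo-aws-ecs/devsecops-demo-aws-ecs` line is unchanged context, but it hard-codes the runner's checkout path where `${{ github.workspace }}` expresses the same location without depending on the runner layout. The enclosing job's header is above the hunk.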
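Review bot: The line added in react-semgrep.yaml's last hunk (`@@ -42,6 +44,7 @@`) is a bare `#` with no text, sitting between the comment explaining the SARIF upload and the `- name: publish code scanning alerts` step; it reads as an unfinished comment, and every other hunk in this commit uses an empty line as a step separator. Replace it with a blank line, or make it a real second line of the explanation above. The step continues past the hunk (`with:` is its last visible line).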