From 7e94257ba5f0e7df0f086684fb5286c2d01e2c3c Mon Sep 17 00:00:00 2001
From: James Otten
Date: Sat, 20 Apr 2024 01:33:44 -0400
Subject: [PATCH 1/7] checkov action
---
.github/workflows/checkov.yaml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 .github/workflows/checkov.yaml
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
new file mode 100644
index 00000000..861f2ec2
--- /dev/null
+++ b/.github/workflows/checkov.yaml
@@ -0,0 +1,27 @@
+on:
+ push:
+ branches: [ "main", "james/checkov" ]
+ workflow_dispatch:
+jobs:
+ checkov-job:
+ runs-on: ubuntu-latest
+ name: checkov-action
+ steps:
+ - name: Checkout repo
+ uses: actions/checkout@master
- name: Run Checkov action
+ id: checkov
+ uses: bridgecrewio/checkov-action@0549dc60bddd4c55cb85c6c3a07072e3cf2ca48e
+ with:
+ skip_check: CKV_DOCKER_2,CKV_DOCKER_3
+ quiet: true
+ output_format: cli,sarif
+ output_file_path: console,results.sarif
+ download_external_modules: true
- name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
From 6f11cb4cdd6be8b47d920982cd236c92c3544934 Mon Sep 17 00:00:00 2001
From: James Otten
Date: Sat, 20 Apr 2024 01:36:14 -0400
Subject: [PATCH 2/7] perms
---
.github/workflows/checkov.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index 861f2ec2..98eba567 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -4,6 +4,10 @@ on:
workflow_dispatch:
jobs:
checkov-job:
+ permissions:
+ contents: read
+ security-events: write
+ actions: read
runs-on: ubuntu-latest
name: checkov-action
steps:
From d65ff2acfd2833a82a352248cbe95968bb02b5da Mon Sep 17 00:00:00 2001
From: James Otten
Date: Sat, 20 Apr 2024 01:48:47 -0400
Subject: [PATCH 3/7] perms
---
.github/workflows/checkov.yaml | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
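Review bot: `uses: actions/checkout@master` in the Checkout step pins a mutable branch, so whatever lands on that branch later runs with this job's token, while the very next step pins checkov-action to a full commit SHA; pin checkout the same way, e.g. `uses: actions/checkout@<full-commit-sha> # vX.Y.Z`, and the same applies to `github/codeql-action/upload-sarif@v2`, which is a movable tag. `skip_check: CKV_DOCKER_2,CKV_DOCKER_3` silences two Dockerfile checks (these appear to be the HEALTHCHECK and non-root USER checks) with no stated reason; a comment such as `# CKV_DOCKER_2/3 skipped: <reason>` above the line would stop the suppression being carried forward blindly. `download_external_modules: true` makes the scanner fetch remote IaC modules at scan time; if the repository references none, `download_external_modules: false` keeps the run hermetic.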
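Review bot: The added `actions: read` is, as far as I recall the upload-sarif action's documentation, only required for private repositories (to read the workflow run); if this repository is public it can be dropped, leaving just `contents: read` and `security-events: write` in the job-level block. Declaring the permissions on the job rather than the workflow is the right shape here, since only this job needs to write code-scanning results. The checkov-job step list continues outside the hunk.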
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index 98eba567..e5ed164a 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -5,9 +5,18 @@ on:
jobs:
checkov-job:
permissions:
+ actions: read
+ checks: none
contents: read
+ deployments: none
+ discussions: none
+ id-token: none
+ issues: none
+ packages: none
+ pages: none
+ repository-projects: none
security-events: write
- actions: read
+ statuses: none
runs-on: ubuntu-latest
name: checkov-action
steps:
From b805aebd0323151af7ea1305a03da3e3e987ce76 Mon Sep 17 00:00:00 2001
From: James Otten
Date: Sat, 20 Apr 2024 01:54:20 -0400
Subject: [PATCH 4/7] perms
---
.github/workflows/checkov.yaml | 9 +--------
1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index e5ed164a..f4ffd807 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -2,19 +2,12 @@ on:
push:
branches: [ "main", "james/checkov" ]
workflow_dispatch:
+permissions: read-all
jobs:
checkov-job:
permissions:
actions: read
- checks: none
contents: read
- deployments: none
- discussions: none
- id-token: none
- issues: none
- packages: none
- pages: none
- repository-projects: none
security-events: write
statuses: none
runs-on: ubuntu-latest
From 7bb8137ddbc268cc5b4bf70cc19881a2208ac51c Mon Sep 17 00:00:00 2001
From: James Otten
Date: Sat, 20 Apr 2024 01:57:53 -0400
Subject: [PATCH 5/7] perms
---
.github/workflows/checkov.yaml | 4 ++++
.github/workflows/main.yaml | 2 ++
.github/workflows/no_debug_allowed.yaml | 2 ++
.github/workflows/no_forgoten_migrations.yaml | 2 ++
.github/workflows/publish-and-deploy.yaml | 2 ++
.github/workflows/run_django_tests.yaml | 2 ++
6 files changed, 14 insertions(+)
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index f4ffd807..7e42e9d4 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
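Review bot: The new workflow-level `permissions: read-all` grants read on every GITHUB_TOKEN scope to every job in this file, which is wider than a checkout-and-scan job needs; a top-level `permissions:` block containing only `contents: read` (or an empty `permissions: {}`) is the tighter default, and the job-level block below already requests what the SARIF upload requires. The `statuses: none` left in the job block is redundant, because once a job declares any permission every scope it does not list is already none — the same reason the other `none` lines are deleted in this hunk — so it can go too. The job definition continues past the end of the hunk.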
@@ -1,8 +1,12 @@
+name: Checkov
+
on:
push:
branches: [ "main", "james/checkov" ]
workflow_dispatch:
+
permissions: read-all
+
jobs:
checkov-job:
permissions:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 22dc13df..a0dd2cf2 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -2,6 +2,8 @@ name: Lint
on: [pull_request]
+permissions: read-all
+
jobs:
black:
runs-on: ubuntu-latest
diff --git a/.github/workflows/no_debug_allowed.yaml b/.github/workflows/no_debug_allowed.yaml
index 90ce5f7e..cabe9d08 100644
--- a/.github/workflows/no_debug_allowed.yaml
+++ b/.github/workflows/no_debug_allowed.yaml
@@ -2,6 +2,8 @@ name: Make sure Debug mode is OFF!
on: [pull_request]
+permissions: read-all
+
jobs:
is-debug-off:
runs-on: ubuntu-latest
diff --git a/.github/workflows/no_forgoten_migrations.yaml b/.github/workflows/no_forgoten_migrations.yaml
index 7d68c1f3..31a58f6d 100644
--- a/.github/workflows/no_forgoten_migrations.yaml
+++ b/.github/workflows/no_forgoten_migrations.yaml
@@ -2,6 +2,8 @@ name: Make sure to run manage.py makemigrations if you change models
on: [pull_request]
+permissions: read-all
+
jobs:
is-migration-diff-clean:
runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-and-deploy.yaml b/.github/workflows/publish-and-deploy.yaml
index 6f6621a8..4901cee1 100644
--- a/.github/workflows/publish-and-deploy.yaml
+++ b/.github/workflows/publish-and-deploy.yaml
@@ -5,6 +5,8 @@ on:
push:
branches: [ main ]
+permissions: read-all
+
jobs:
push_to_registry:
name: Push Docker Image to Docker Hub
diff --git a/.github/workflows/run_django_tests.yaml b/.github/workflows/run_django_tests.yaml
index 0d13b969..949cc149 100644
--- a/.github/workflows/run_django_tests.yaml
+++ b/.github/workflows/run_django_tests.yaml
@@ -3,6 +3,8 @@ name: Run Django Tests
on:
pull_request:
+permissions: read-all
+
jobs:
run-django-tests:
runs-on: ubuntu-latest
From f502077c719ff2928ab0b35cde04d5e600d40ea1 Mon Sep 17 00:00:00 2001
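Review bot: In publish-and-deploy.yaml, `permissions: read-all` hands every job read on all token scopes on each push to main, more than a job that only checks out the repository needs; a top-level `permissions:` block with just `contents: read` is the least-privilege default, and any job that genuinely needs more (for example `packages: write` if an image is ever pushed to GHCR) should request it at job level, the way checkov.yaml does. Whether the Docker Hub push relies on repository secrets rather than GITHUB_TOKEN is not visible in the hunk, so this assumes the token itself is not used by the job. The push_to_registry job's steps continue outside the hunk.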
From: James Otten
Date: Sat, 20 Apr 2024 02:02:10 -0400
Subject: [PATCH 6/7] update
---
.github/workflows/checkov.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index 7e42e9d4..d3b7c731 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -31,7 +31,7 @@ jobs:
download_external_modules: true
- name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
if: success() || failure()
with:
sarif_file: results.sarif
From 683c43f74ec0cb9d69c76b47789f385e44641df6 Mon Sep 17 00:00:00 2001
From: James Otten
Date: Sat, 20 Apr 2024 02:06:52 -0400
Subject: [PATCH 7/7] cleanup
---
.github/workflows/checkov.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
index d3b7c731..7b66543e 100644
--- a/.github/workflows/checkov.yaml
+++ b/.github/workflows/checkov.yaml
@@ -2,7 +2,7 @@ name: Checkov
on:
push:
- branches: [ "main", "james/checkov" ]
+ branches: [ "main" ]
workflow_dispatch:
permissions: read-all
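Review bot: After this change the scan is triggered only by pushes to main and by manual dispatch, so a Checkov finding is reported only after the offending change has already merged; adding `pull_request:` under `on:` alongside `push:` and `workflow_dispatch:` would surface it on the PR instead. One caveat: on pull requests from forks GITHUB_TOKEN is read-only, so the `security-events: write` the SARIF upload step needs would not be granted there and that step would fail — the `if: success() || failure()` on it does not change that. The rest of the workflow is outside the hunk.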