sast

sast #418

Summary
Jobs
- ossf
- osv
- snyk
- codeql
Run details
- Usage
- Workflow file

Workflow file for this run

	---
	name: "sast"

	on:
	pull_request:
	branches:
	- "main"
	push:
	branches:
	- "main"
	schedule:
	- cron: "19 19 * * 4"

	permissions: "read-all"

	jobs:
	ossf:
	runs-on: "ubuntu-latest"
	# ossf scorecard only supported on main branch
	if: github.event_name != 'pull_request'
	permissions:
	security-events: "write"
	id-token: "write"
	contents: "read"
	actions: "read"
	steps:
	- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
	with:
	persist-credentials: false
	- uses: "ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736"
	with:
	results_file: "results.sarif"
	results_format: "sarif"
	publish_results: true
	- uses: "actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32"
	with:
	name: "SARIF file"
	path: "results.sarif"
	retention-days: 5
	- uses: "github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75"
	with:
	sarif_file: "results.sarif"

	osv:
	permissions:
	contents: "read"
	runs-on: "ubuntu-latest"
	steps:
	- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
	- uses: "actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe"
	with:
	go-version: "stable"
	- run: \|
	curl -o /usr/local/bin/osv-scanner https://github.com/google/osv-scanner/releases/download/v1.4.3/osv-scanner_1.4.3_linux_amd64 \
	&& chmod +x /usr/local/bin/osv-scanner \
	&& /usr/local/bin/osv-scanner -version
	- run: "make sast_osv"

	snyk:
	permissions:
	contents: "read"
	security-events: "write"
	runs-on: "ubuntu-latest"
	steps:
	- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
	- uses: "pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598"
	with:
	version: "latest"
	- uses: "actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65"
	with:
	node-version-file: ".nvmrc"
	cache: "pnpm"
	- uses: "snyk/actions/setup@b98d498629f1c368650224d6d212bf7dfa89e4bf"
	- run: "make install"
	- run: "snyk test --all-projects --detection-depth=1 --sarif-file-output=snyk.sarif"
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	- uses: "github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75"
	with:
	sarif_file: "snyk.sarif"

	codeql:
	runs-on: "ubuntu-latest"

	permissions:
	actions: read
	contents: read
	security-events: write

	steps:
	- uses: "actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11"
	- uses: "github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75"
	with:
	languages: "typescript"
	- uses: "pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598"
	with:
	version: "latest"
	- uses: "actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65"
	with:
	node-version-file: ".nvmrc"
	cache: "pnpm"
	- run: "make install"
	- uses: "github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

sast #418

Workflow file

sast #418

Jobs

Run details

Workflow file for this run