From d615a65d4bc637ccae56c6b8dcda58332be84184 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:52:49 +0530 Subject: [PATCH 01/17] sca-scan.yml --- .github/workflows/sca-scan.yml | 17 ++++------------- 1 file changed, 4 insertions(+), 13 deletions(-) diff --git a/.github/workflows/sca-scan.yml b/.github/workflows/sca-scan.yml index 1f9aa651..6cde2588 100644 --- a/.github/workflows/sca-scan.yml +++ b/.github/workflows/sca-scan.yml @@ -7,18 +7,9 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@master - - name: Setup local.properties - run: | - cat << EOF >> local.properties - sdk.dir=$ANDROID_HOME - host="${{ secrets.HOST }}" - APIKey="${{ secrets.API_KEY }}" - deliveryToken="${{ secrets.DELIVERY_TOKEN }}" - environment="${{ secrets.ENVIRONMENT }}" - contentType="${{ secrets.CONTENT_TYPE }}" - assetUid="${{ secrets.ASSET_UID }}" - EOF - - uses: snyk/actions/setup@master - - run: snyk test --fail-on=all + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/gradle@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --fail-on=all --all-sub-projects \ No newline at end of file From 42d317f4e65f30c49cd8a5480b167c8ff387a67f Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:01 +0530 Subject: [PATCH 02/17] jira.yml --- .github/workflows/jira.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml index caa4bbdf..250abc76 100644 --- a/.github/workflows/jira.yml +++ b/.github/workflows/jira.yml @@ -21,7 +21,7 @@ jobs: project: ${{ secrets.JIRA_PROJECT }} issuetype: ${{ secrets.JIRA_ISSUE_TYPE }} summary: | - ${{ github.event.pull_request.title }} + Snyk | Vulnerability | ${{ github.event.repository.name }} | ${{ github.event.pull_request.title }} description: | PR: ${{ github.event.pull_request.html_url }} From 9804fac9f8f9c26d6eba9c9b788e3c6cc1943b91 Mon Sep 17 00:00:00 2001 
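Review bot: The new step runs `snyk/actions/gradle@master` with `SNYK_TOKEN` in its environment, so a floating branch ref decides which third-party code receives the token on every run; pin it to a release tag or, preferably, a full commit SHA, e.g. `uses: snyk/actions/gradle@<commit-sha>  # <release tag>` (placeholders). The same applies to `actions/checkout@master` here and in policy-scan.yml, and to `atlassian/gajira-login@master` / `atlassian/gajira-create@master` in issues-jira.yml; secrets-scan.yml's `actions/checkout@v4` is a tag and could move to a SHA as well. The removed local.properties step also wrote `sdk.dir=$ANDROID_HOME`; if the Gradle-based scan has to resolve Android modules it presumably still locates the SDK through the runner's ANDROID_HOME variable, which is worth confirming on the first run. The file also ends without a trailing newline.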
From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:02 +0530 Subject: [PATCH 03/17] sast-scan.yml From 1addc7555325e60adb83479d17f8a332cca8b2f1 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:04 +0530 Subject: [PATCH 04/17] codeql-analysis.yml From 16028c67c50bb1555cb91135c8c71d415562ac3a Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 20 Jan 2025 11:53:09 +0530 Subject: [PATCH 05/17] Updated codeowners --- CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CODEOWNERS b/CODEOWNERS index 07739234..1be7e0dc 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1 +1 @@ -* @contentstack/security-admin \ No newline at end of file +* @contentstack/security-admin From b418bd48f1d5fbe03233a625a194619eac503306 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:02 +0530 Subject: [PATCH 06/17] policy-scan.yml --- .github/workflows/policy-scan.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/policy-scan.yml diff --git a/.github/workflows/policy-scan.yml b/.github/workflows/policy-scan.yml new file mode 100644 index 00000000..13bd3623 --- /dev/null +++ b/.github/workflows/policy-scan.yml @@ -0,0 +1,27 @@ +name: Checks the security policy and configurations +on: + pull_request: + types: [opened, synchronize, reopened] +jobs: + security-policy: + if: github.event.repository.visibility == 'public' + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - uses: actions/checkout@master + - name: Checks for SECURITY.md policy file + run: | + if ! [[ -f "SECURITY.md" || -f ".github/SECURITY.md" ]]; then exit 1; fi + security-license: + if: github.event.repository.visibility == 'public' + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - uses: actions/checkout@master + - name: Checks for License file + run: | + if ! [[ -f "LICENSE" || -f "License.txt" || -f "LICENSE.md" ]]; then exit 1; fi \ No newline at end of file 
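Review bot: Both check steps in policy-scan.yml end in a bare `exit 1`, so a failing run shows nothing but a non-zero status in the log; print the reason to stderr first, e.g. `echo "SECURITY.md not found (expected SECURITY.md or .github/SECURITY.md)" >&2; exit 1`, and likewise for the license check. The `if: github.event.repository.visibility == 'public'` guard on both jobs means private repositories never run these checks; a comment above it recording that this is deliberate (`# policy files are only enforced for public repositories`) would save the next reader from wondering whether it is an oversight. The file also ends without a trailing newline.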
From 22acc2d111b57ddc109acce4f248455358308279 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:12 +0530 Subject: [PATCH 07/17] issues-jira.yml --- .github/workflows/issues-jira.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 .github/workflows/issues-jira.yml diff --git a/.github/workflows/issues-jira.yml b/.github/workflows/issues-jira.yml new file mode 100644 index 00000000..7bf04694 --- /dev/null +++ b/.github/workflows/issues-jira.yml @@ -0,0 +1,31 @@ +name: Create Jira Ticket for Github Issue + +on: + issues: + types: [opened] + +jobs: + issue-jira: + runs-on: ubuntu-latest + steps: + + - name: Login to Jira + uses: atlassian/gajira-login@master + env: + JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} + JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} + JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} + + - name: Create Jira Issue + id: create_jira + uses: atlassian/gajira-create@master + with: + project: ${{ secrets.JIRA_PROJECT }} + issuetype: ${{ secrets.JIRA_ISSUE_TYPE }} + summary: Github | Issue | ${{ github.event.repository.name }} | ${{ github.event.issue.title }} + description: | + *GitHub Issue:* ${{ github.event.issue.html_url }} + + *Description:* + ${{ github.event.issue.body }} + fields: "${{ secrets.ISSUES_JIRA_FIELDS }}" \ No newline at end of file From 95101854929f15159a30bfe29cb3b0d9100fe4b2 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:13 +0530 Subject: [PATCH 08/17] Delete jira.yml --- .github/workflows/jira.yml | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 .github/workflows/jira.yml diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml deleted file mode 100644 index 250abc76..00000000 --- a/.github/workflows/jira.yml +++ /dev/null 
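Review bot: The workflow creates a Jira ticket for every issue opened, with no `if:` filter, and `description:` embeds `${{ github.event.issue.body }}` verbatim into Jira wiki markup, so anyone who can open an issue can create tickets at will and control how they render. Passing the body as an action input is not a shell-injection risk, but wrapping it as `{noformat}${{ github.event.issue.body }}{noformat}` keeps it rendered as plain text, and a filter such as `if: github.event.issue.author_association != 'NONE'` would limit ticket creation to people with a relationship to the repository; confirm this matches how the team wants community issues triaged. The file also ends without a trailing newline.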
@@ -1,33 +0,0 @@ -name: Create JIRA ISSUE -on: - pull_request: - types: [opened] -jobs: - security-jira: - if: ${{ github.actor == 'dependabot[bot]' || github.actor == 'snyk-bot' || contains(github.event.pull_request.head.ref, 'snyk-fix-') || contains(github.event.pull_request.head.ref, 'snyk-upgrade-')}} - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Login into JIRA - uses: atlassian/gajira-login@master - env: - JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} - JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} - JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }} - - name: Create a JIRA Issue - id: create - uses: atlassian/gajira-create@master - with: - project: ${{ secrets.JIRA_PROJECT }} - issuetype: ${{ secrets.JIRA_ISSUE_TYPE }} - summary: | - Snyk | Vulnerability | ${{ github.event.repository.name }} | ${{ github.event.pull_request.title }} - description: | - PR: ${{ github.event.pull_request.html_url }} - - fields: "${{ secrets.JIRA_FIELDS }}" - - name: Transition issue - uses: atlassian/gajira-transition@v3 - with: - issue: ${{ steps.create.outputs.issue }} - transition: ${{ secrets.JIRA_TRANSITION }} From 3e309cea564abe49346f6a4d8ef01105b7ab43d5 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:13 +0530 Subject: [PATCH 09/17] Delete sast-scan.yml --- .github/workflows/sast-scan.yml | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 .github/workflows/sast-scan.yml diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml deleted file mode 100644 index 3b9521a5..00000000 --- a/.github/workflows/sast-scan.yml +++ /dev/null @@ -1,11 +0,0 @@ -name: SAST Scan -on: - pull_request: - types: [opened, synchronize, reopened] -jobs: - security-sast: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Semgrep Scan - run: docker run -v /var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/src" returntocorp/semgrep semgrep scan --config auto \ No newline at end of file 
From 3a053dda72d8f8b76d9563f049c49fde95082c9a Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:15 +0530 Subject: [PATCH 10/17] codeql-analysis.yml From 3287e343c867dfe745aa80c4ed0b01218f021f80 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 16 Apr 2025 10:22:19 +0530 Subject: [PATCH 11/17] Updated codeowners From 6644fe2f75442da3adca9ecfedc15281a304fa34 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Wed, 23 Apr 2025 21:32:32 +0530 Subject: [PATCH 12/17] policy-scan.yml --- .github/workflows/policy-scan.yml | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/.github/workflows/policy-scan.yml b/.github/workflows/policy-scan.yml index 13bd3623..ff259231 100644 --- a/.github/workflows/policy-scan.yml +++ b/.github/workflows/policy-scan.yml @@ -24,4 +24,23 @@ jobs: - uses: actions/checkout@master - name: Checks for License file run: | - if ! [[ -f "LICENSE" || -f "License.txt" || -f "LICENSE.md" ]]; then exit 1; fi \ No newline at end of file + expected_license_files=("LICENSE" "LICENSE.txt" "LICENSE.md" "License.txt") + license_file_found=false + current_year=$(date +"%Y") + + for license_file in "${expected_license_files[@]}"; do + if [ -f "$license_file" ]; then + license_file_found=true + # check the license file for the current year, if not exists, exit with error + if ! grep -q "$current_year" "$license_file"; then + echo "License file $license_file does not contain the current year." + exit 2 + fi + break + fi + done + + if [ "$license_file_found" = false ]; then + echo "No license file found. Please add a license file to the repository." + exit 1 + fi \ No newline at end of file From a1331c057e768c7dae22d383044c4c0565715925 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 21:52:23 +0530 Subject: [PATCH 13/17] policy-scan.yml From 685cec4a0bf77778b9b942c516530f20b09c925d Mon Sep 17 00:00:00 2001 
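Review bot: The year check `grep -q "$current_year" "$license_file"` matches the four digits anywhere in the file rather than in a copyright line, and it fails every repository from 1 January until its license is edited; if that is the intended policy, the inline comment should say so, e.g. `# policy: the license must be refreshed each calendar year; any occurrence of the year satisfies the check`. The two diagnostics go to stdout; `echo "..." >&2` keeps them visible as errors in the step log. The distinct exit codes 1 and 2 are useful but undocumented — a comment such as `# exit 1: no license file; exit 2: license not updated this year` would help whoever reads the job status. The file still ends without a trailing newline.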
From: Aravind Kumar Date: Mon, 5 May 2025 21:52:30 +0530 Subject: [PATCH 14/17] issues-jira.yml From f2396cfe280992b656a5346868e6eeda02fc8311 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 21:52:31 +0530 Subject: [PATCH 15/17] secrets-scan.yml --- .github/workflows/secrets-scan.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/secrets-scan.yml diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml new file mode 100644 index 00000000..049c02f4 --- /dev/null +++ b/.github/workflows/secrets-scan.yml @@ -0,0 +1,29 @@ +name: Secrets Scan +on: + pull_request: + types: [opened, synchronize, reopened] +jobs: + security-secrets: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: '2' + ref: '${{ github.event.pull_request.head.ref }}' + - run: | + git reset --soft HEAD~1 + - name: Install Talisman + run: | + # Download Talisman + wget https://github.com/thoughtworks/talisman/releases/download/v1.37.0/talisman_linux_amd64 -O talisman + + # Checksum verification + checksum=$(sha256sum ./talisman | awk '{print $1}') + if [ "$checksum" != "8e0ae8bb7b160bf10c4fa1448beb04a32a35e63505b3dddff74a092bccaaa7e4" ]; then exit 1; fi + + # Make it executable + chmod +x talisman + - name: Run talisman + run: | + # Run Talisman with the pre-commit hook + ./talisman --githook pre-commit \ No newline at end of file From 484296493f45726a0d24d8da9b2db0e4e068f31f Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 21:52:34 +0530 Subject: [PATCH 16/17] Updated codeowners From a13f72a3ac2653e18f49f832bfc22f3ed7be36a7 Mon Sep 17 00:00:00 2001 From: Aravind Kumar Date: Mon, 5 May 2025 23:29:10 +0530 Subject: [PATCH 17/17] talismanrc file updated --- .talismanrc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.talismanrc b/.talismanrc index 6acc6e78..e91afa6f 100644 --- a/.talismanrc +++ b/.talismanrc 
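Review bot: `ref: '${{ github.event.pull_request.head.ref }}'` checks out a branch name, which for a pull request from a fork does not exist in this repository, so checkout would likely fail (or, worse, check out a same-named branch of this repository), and it scans whatever the branch points to at run time rather than the commit that triggered the event. Together with `fetch-depth: '2'` and `git reset --soft HEAD~1`, only the last commit of the PR is staged for Talisman, so a secret introduced in an earlier commit of a multi-commit push is never seen. If I read actions/checkout's default correctly, dropping `ref:` keeps the PR merge commit, whose first parent is the base branch tip, so the same `git reset --soft HEAD~1` then stages the whole PR diff; alternatively pin `ref: ${{ github.event.pull_request.head.sha }}`, use `fetch-depth: 0`, and reset to `${{ github.event.pull_request.base.sha }}` — confirm against a fork PR. The checksum-mismatch `exit 1` is silent; an `echo "talisman checksum mismatch" >&2` before it explains a failed install, while the pinned v1.37.0 download with SHA-256 verification is the right pattern to keep. The file also ends without a trailing newline.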
@@ -1,6 +1,9 @@ threshold: medium fileignoreconfig: +- filename: .github/workflows/secrets-scan.yml + ignore_detectors: + - filecontent - filename: contentstack/src/main/java/com/contentstack/okhttp/internal/spdy/Spdy3.java checksum: 5f6979f6336684787ff20dc5ccb0ea31665dcb4801845a34770d3bd30387f129 - filename: contentstack/src/main/java/com/contentstack/okhttp/internal/DiskLruCache.java