From dfa253ee1512a439dd25571cb15edefd51c9035a Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:32:21 -0600 Subject: [PATCH 001/103] Add SLSA generic generator workflow This workflow generates SLSA provenance files for projects, satisfying level 3 requirements. It includes steps for building artifacts and generating subjects for provenance. @gniumg-source --- .../generator-generic-ossf-slsa3-publish.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml new file mode 100644 index 00000000..35c829b1 --- /dev/null +++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml 
@@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + - uses: actions/checkout@v4 + + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. 
+ contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release From 79be5284149d09c45a40c21b955451d12ee41c58 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:36:07 -0600 Subject: [PATCH 002/103] Update issue templates --- .github/ISSUE_TEMPLATE/bug_report.md | 38 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/custom.md | 10 ++++++ .github/ISSUE_TEMPLATE/feature_request.md | 20 ++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/custom.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 00000000..dd84ea78 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,38 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: '' +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Desktop (please complete the following information):** + - OS: [e.g. iOS] + - Browser [e.g. chrome, safari] + - Version [e.g. 22] + +**Smartphone (please complete the following information):** + - Device: [e.g. iPhone6] + - OS: [e.g. iOS8.1] + - Browser [e.g. stock browser, safari] + - Version [e.g. 22] + +**Additional context** +Add any other context about the problem here. 
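Review bot: the `build` job output is declared as `digests: ${{ steps.hash.outputs.digests }}`, but the `hash` step writes `hashes=...` to `${GITHUB_OUTPUT}`, so `needs.build.outputs.digests` is always empty and the generator is called with an empty `base64-subjects`. Make the two names agree, e.g. `echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"`. Separately, the build step still writes the template placeholders (`echo "artifact1" > artifact1`, `echo "artifact2" > artifact2`), so any provenance produced would attest to dummy files; replace that step with the project's real build before relying on `upload-assets: true` on `release: [created]`, since that job also carries `contents: write`.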
diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md new file mode 100644 index 00000000..48d5f81f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/custom.md @@ -0,0 +1,10 @@ +--- +name: Custom issue template +about: Describe this issue template's purpose here. +title: '' +labels: '' +assignees: '' + +--- + + diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 00000000..bbcbbe7d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: '' +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. From 08943a616e1423fe1915ea8b373b696cf97dc2c8 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:37:06 -0600 Subject: [PATCH 003/103] Create FUNDING.yml for sponsorship options Added funding model options for various platforms. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/FUNDING.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 00000000..42bf91fd --- /dev/null +++ b/.github/FUNDING.yml 
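Review bot: `custom.md` is committed as the unedited placeholder (`about: Describe this issue template's purpose here.` with an empty body), so it will show up as a blank entry in the issue chooser; give it a purpose and body or drop it. `bug_report.md` and `feature_request.md` keep the stock wording with `labels: ''`; setting labels such as `bug` and `enhancement` there lets incoming reports be triaged without manual labelling.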
@@ -0,0 +1,15 @@ +# These are supported funding model platforms + +github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] +patreon: # Replace with a single Patreon username +open_collective: # Replace with a single Open Collective username +ko_fi: # Replace with a single Ko-fi username +tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel +community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry +liberapay: # Replace with a single Liberapay username +issuehunt: # Replace with a single IssueHunt username +lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry +polar: # Replace with a single Polar username +buy_me_a_coffee: # Replace with a single Buy Me a Coffee username +thanks_dev: # Replace with a single thanks.dev username +custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] From ac5bdca7a56878eb8c23c685385e2103926c205f Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:39:32 -0600 Subject: [PATCH 004/103] Add funding model platforms to Model file Added supported funding model platforms with placeholders for usernames. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- Model | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Model diff --git a/Model b/Model new file mode 100644 index 00000000..42bf91fd --- /dev/null +++ b/Model 
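Review bot: every key in `.github/FUNDING.yml` (`github:` through `custom:`) is left empty with the template comments intact, so the Sponsor button has nothing to point at; fill in the platforms actually used and delete the rest, or hold the file until it has content.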
@@ -0,0 +1,15 @@ +# These are supported funding model platforms + +github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] +patreon: # Replace with a single Patreon username +open_collective: # Replace with a single Open Collective username +ko_fi: # Replace with a single Ko-fi username +tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel +community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry +liberapay: # Replace with a single Liberapay username +issuehunt: # Replace with a single IssueHunt username +lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry +polar: # Replace with a single Polar username +buy_me_a_coffee: # Replace with a single Buy Me a Coffee username +thanks_dev: # Replace with a single thanks.dev username +custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2'] From 582652bb20f722d0c38a77bb9d22c8e14aab8eeb Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:41:48 -0600 Subject: [PATCH 005/103] Add details on secret scanning and its features Added comprehensive information about secret scanning, its benefits, and how to access the feature for different repository types. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- examen.md | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 examen.md diff --git a/examen.md b/examen.md new file mode 100644 index 00000000..4d0bfc51 --- /dev/null +++ b/examen.md 
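Review bot: `Model` at the repository root is a byte-for-byte copy of `.github/FUNDING.yml` (both hunks show the same blob `42bf91fd`), and GitHub only reads funding metadata from `.github/FUNDING.yml`, so this file has no effect and its name suggests it was created in the wrong place; remove it rather than carrying an empty duplicate.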
@@ -0,0 +1,54 @@ +Acerca del examen de secretos +Evite el uso fraudulento de los secretos mediante la detección automática de credenciales expuestas antes de que se puedan aprovechar. + +En este artículo +Cuando las credenciales, como las claves de API y las contraseñas, se confirman en repositorios como secretos codificados de forma segura, se convierten en destinos para el acceso no autorizado. Secret scanning detecta automáticamente las fugas de credenciales para que pueda protegerlas antes de que se aprovechen. + +Sugerencia + +En cualquier momento, puede ejecutar una evaluación gratuita del código de su organización para los secretos filtrados. + +Para generar un informe, abra la Security and quality pestaña de la organización, muestra la página Evaluaciones y, a continuación, haz clic en Examinar tu organización.. + +Cómo el escaneo de secretos protege tu código + Secret scanning examina todo el historial de Git en todas las ramas del repositorio para obtener credenciales codificadas de forma segura, incluidas las claves de API, las contraseñas, los tokens y otros tipos de secreto conocidos. Esto le ayuda a identificar la expansión de secretos, la proliferación no controlada de credenciales entre repositorios, antes de que se convierta en un riesgo de seguridad. + GitHub también vuelve a examinar periódicamente los repositorios cuando se agregan nuevos tipos de secretos. + + GitHub también examina automáticamente: +Descripciones y comentarios sobre problemas +Títulos, descripciones y comentarios, en problemas históricos abiertos y cerrados +Títulos, descripciones y comentarios en pull requests +Títulos, descripciones y comentarios en GitHub Discussions +Wikis +Gists secretos + Secret scanning alertas y corrección +Cuando secret scanning detecta una pérdida de credenciales, GitHub genera una alerta en la pestaña del Security and quality repositorio con detalles sobre la credencial expuesta. 
+ +Cuando reciba una alerta, gire inmediatamente la credencial afectada para evitar el acceso no autorizado. Aunque también puede quitar secretos del historial de Git, esto requiere mucho tiempo y suele ser innecesario si ya ha revocado la credencial. + +Integración de asociados + GitHub se asocia con una gran variedad de proveedores de servicios para validar los secretos detectados. Cuando se detecta un secreto de asociado, se notifica al proveedor para que pueda tomar medidas, como revocar la credencial. Los secretos de los partners se reportan directamente al proveedor y no se muestran en las alertas de su repositorio. Para más información, consulta [AUTOTITLE](/code-security/secret-scanning/secret-scanning-partnership-program/secret-scanning-partner-program). +Personalización +Además de la detección predeterminada de secretos de socios y proveedores, puede expandir y personalizar secret scanning para adaptarse a sus necesidades. + + **Patrones que no son de proveedores.** Expanda la detección a secretos que no están vinculados a un proveedor de servicios específico, como claves privadas, cadenas de conexión y claves de API genéricas. + **Patrones personalizados.** Defina sus propias expresiones regulares para detectar secretos específicos de la organización que no están cubiertos por patrones predeterminados. + **Comprobaciones de validez.** Priorice la corrección comprobando si los secretos detectados siguen activos. + ** + Escaneo secreto de Copilot.** Utiliza IA para detectar secretos no estructurados como contraseñas, o para generar expresiones regulares para patrones personalizados. +Acerca de las comprobaciones de validez +Las comprobaciones de validez le ayudan a priorizar qué secretos corregir primero comprobando si un secreto detectado sigue activo. Al habilitar comprobaciones de validez, secret scanning puede ponerse en contacto con el servicio emisor de la clave secreta para determinar si se ha revocado la credencial. 
+ +Las comprobaciones de validez son independientes secret scanning del programa de socios. Aunque los secretos de asociados se notifican automáticamente a los proveedores de servicios para la revocación, las comprobaciones de validez comprueban el estado de los secretos que administra en sus propias alertas. Para más información, consulta Acerca de las comprobaciones de validez. + +¿Cómo puedo acceder a esta característica? +Secret scanning está disponible para los tipos de repositorio siguientes: + + **Repositorios públicos**: Secret scanning se ejecuta automáticamente y sin coste. + **Repositorios privados e internos de la organización**: disponibles con [GitHub Secret Protection](/get-started/learning-about-github/about-github-advanced-security) habilitados en GitHub Team o GitHub Enterprise Cloud. + **Repositorios propiedad del usuario**: disponibles en GitHub Enterprise Cloud con Enterprise Managed Users. Disponible en GitHub Enterprise Server cuando la empresa tiene [GitHub Secret Protection](/get-started/learning-about-github/about-github-advanced-security) habilitado. +Pasos siguientes + **Si ha recibido una alerta**, consulte [AUTOTITLE](/code-security/secret-scanning/managing-alerts-from-secret-scanning) para obtener información sobre cómo revisar, resolver y corregir secretos expuestos. + **Si va a proteger una organización**, consulte [AUTOTITLE](/code-security/how-tos/secure-at-scale/configure-organization-security/configure-specific-tools/assess-your-secret-risk) para determinar la exposición de su organización a secretos filtrados. +Lectura adicional +Para obtener una lista completa de los secretos y proveedores de servicios admitidos, consulte Patrones de análisis de secretos admitidos. From 0db8caa9dfeeb32549eee4fa1f126b49806becc7 Mon Sep 17 00:00:00 2001 
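Review bot: `examen.md` is a Spanish-language copy of GitHub's "About secret scanning" documentation rather than content about this repository, and it is committed with docs-site artifacts intact: `[AUTOTITLE](/code-security/...)` link placeholders, root-relative paths such as `/get-started/learning-about-github/about-github-advanced-security` that resolve only on docs.github.com, page chrome like `En este artículo` and `Sugerencia`, no markdown headings, and a broken bullet where `+ **` and `+ Escaneo secreto de Copilot.**` are split across two lines. If the goal is to point contributors at secret scanning, link the docs page from the README; if the text is kept, at least repair the links and markdown.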
From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:42:49 -0600 Subject: [PATCH 006/103] Add GitHub Actions workflow for Jekyll deployment This workflow builds and deploys a Jekyll site to GitHub Pages, with steps for checkout, setup, build, and deployment @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/jekyll-gh-pages.yml | 51 +++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/jekyll-gh-pages.yml diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml new file mode 100644 index 00000000..67be9b00 --- /dev/null +++ b/.github/workflows/jekyll-gh-pages.yml 
@@ -0,0 +1,51 @@ +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll with GitHub Pages dependencies preinstalled + +on: + # Runs on pushes targeting the default branch + push: + branches: ["main"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Pages + uses: actions/configure-pages@v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + uses: actions/upload-pages-artifact@v3 + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v5 From dc3bb77ee185d6d0a4ad9ef4bf81537c85000cdb Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:43:54 -0600 Subject: [PATCH 007/103] Add CodeQL analysis workflow configuration @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/codeql.yml | 101 +++++++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..dca662d2 --- /dev/null +++ b/.github/workflows/codeql.yml
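Review bot: `permissions` is set at workflow level, so the `build` job (checkout, Jekyll build, artifact upload) also receives `pages: write` and `id-token: write` although only `deploy` uses them; move those two grants into the `deploy` job and leave `build` with `contents: read` so a compromised build step cannot mint an OIDC token or publish the site. Also, `source: ./` builds the whole repository, so everything at the root (including `examen.md` from patch 005) becomes site content unless excluded in the Jekyll config.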
@@ -0,0 +1,101 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '19 1 * * 3' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + - language: java-kotlin + build-mode: none # This mode only analyzes Java. Set this to 'autobuild' or 'manual' to analyze Kotlin too. 
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - name: Run manual build steps + if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:${{matrix.language}}" From 020550d3e83b81bc48d3a600dcf00b0c95c94a87 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:44:51 -0600 Subject: [PATCH 008/103] Add APIsec scan workflow for API security testing @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/apisec-scan.yml | 71 +++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/apisec-scan.yml diff --git a/.github/workflows/apisec-scan.yml b/.github/workflows/apisec-scan.yml new file mode 100644 index 00000000..dbb0a1b5 --- /dev/null +++ b/.github/workflows/apisec-scan.yml 
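Review bot: the `java-kotlin` matrix entry with `build-mode: none` should be checked against what the repository actually contains; nothing in the series so far adds Java or Kotlin sources, and, as the inline comment says, `none` analyzes Java only, so either drop the entry or switch to `autobuild`/`manual` once there is code to analyze. The `actions` language entry is the one that clearly applies, given the number of workflow files being added here. The `permissions` block is correctly scoped (`security-events: write`, everything else `read`).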
@@ -0,0 +1,71 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. + +# How to Get Started with APIsec.ai +# 1. Schedule a demo at https://www.apisec.ai/request-a-demo . +# +# 2. Register your account at https://cloud.apisec.ai/#/signup . +# +# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +# +# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +# +# apisec-run-scan +# +# This action triggers the on-demand scans for projects registered in APIsec. +# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings. +# Else you can view the scan results from the project home page in APIsec Platform. +# The link to view the scan results is also displayed on the console on successful completion of action. + +# This is a starter workflow to help you get started with APIsec-Scan Actions + +name: APIsec + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the "main" branch + # Customize trigger events based on your DevSecOps processes. 
+ push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '27 12 * * 4' + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +permissions: + contents: read + +jobs: + + Trigger_APIsec_scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea + with: + # The APIsec username with which the scans will be executed + apisec-username: ${{ secrets.apisec_username }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: ${{ secrets.apisec_password}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + - name: Import results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ./apisec-results.sarif From 98e333a712b97ef4ae9ea067d776c4a707f7ce53 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:45:23 -0600 Subject: [PATCH 009/103] Add Appknox security testing workflow This workflow integrates Appknox for mobile application security testing, including build and upload steps. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/appknox.yml | 54 +++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/appknox.yml diff --git a/.github/workflows/appknox.yml b/.github/workflows/appknox.yml new file mode 100644 index 00000000..ab4e3d7a --- /dev/null +++ b/.github/workflows/appknox.yml 
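Review bot: `apisec-project: "VAmPI"` is the sample project name left from the starter template (the header says "This is a starter workflow"), so as committed the scan targets a project this repository does not own, or fails to find it; set it to the project registered in APIsec. The step also depends on `secrets.apisec_username` and `secrets.apisec_password` existing in the repository, otherwise it runs with empty credentials. Minor: this uses `github/codeql-action/upload-sarif@v3` while `codeql.yml` pins `init`/`analyze@v4`; pick one major version across workflows.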
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support documentation. +# +# Appknox: Leader in Mobile Application Security Testing Solutions +# +# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# and create a token labeled GitHub +# +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. 
After the +# action executes, check the 'Security' tab for results + +name: Appknox + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] +jobs: + appknox: + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@v4 + + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Build the app + run: ./gradlew build # Update this to build your Android or iOS application + + - name: Appknox GitHub action + uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 + with: + appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} + file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here + risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] + sarif: Enable + + - name: Upload SARIF to GHAS + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: report.sarif From fc86fce2058812cd8c283a6d5bf5679308917779 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:46:21 -0600 Subject: [PATCH 010/103] Add Bearer workflow for code scanning This workflow integrates Bearer for code scanning and uploads SARIF results. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/bearer.yml | 43 ++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/bearer.yml diff --git a/.github/workflows/bearer.yml b/.github/workflows/bearer.yml new file mode 100644 index 00000000..191ab4b3 --- /dev/null +++ b/.github/workflows/bearer.yml
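Review bot: the job runs `chmod +x gradlew` and `./gradlew build` at the repository root, but nothing in the series so far adds a Gradle wrapper or an Android project, so this step fails before the Appknox scan runs; either add the project and point `file_path` at its output, or hold the workflow until there is a mobile app to scan. When it is wired up, scan the release artifact rather than `app/build/outputs/apk/debug/app-debug.apk`, and note that `if: always()` on the SARIF upload only moves the failure: `upload-sarif` errors when `report.sarif` was never written. The `permissions` block is missing here, unlike the other scanner workflows, so the job runs with the repository's default token permissions; add `contents: read` and `security-events: write` explicitly.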
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# This workflow file requires a free account on Bearer.com to manage findings, notifications and more. +# See https://docs.bearer.com/guides/bearer-cloud/ +name: Bearer + +on: + push: + branches: ["main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: '25 4 * * 3' + +permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + +jobs: + bearer: + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v4 + # Scan code using Bearer CLI + - name: Run Report + id: report + uses: bearer/bearer-action@828eeb928ce2f4a7ca5ed57fb8b59508cb8c79bc + with: + api-key: ${{ secrets.BEARER_TOKEN }} + format: sarif + output: results.sarif + exit-code: 0 + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 438e74281f4e3b6a8e56f3411a38b264d82e717a Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:47:21 -0600 Subject: [PATCH 011/103] Add Black Duck security scan workflow This workflow integrates Black Duck Security Action for Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) in CI/CD pipelines. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .../workflows/black-duck-security-scan-ci.yml | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/black-duck-security-scan-ci.yml 
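Review bot: `exit-code: 0` makes the Bearer step succeed regardless of findings, so a pull request that introduces new high-severity findings still shows green; that is reasonable while the first report is triaged, but plan to remove it once the baseline is clean so the check actually blocks merges. `BEARER_TOKEN` must exist as a repository secret for the cloud upload described in the header comment, otherwise `api-key` is empty. The SHA-pinned `bearer/bearer-action` and the minimal `permissions` block are the right pattern; the other third-party workflows in this series should match it.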
diff --git a/.github/workflows/black-duck-security-scan-ci.yml b/.github/workflows/black-duck-security-scan-ci.yml new file mode 100644 index 00000000..6edbad70 --- /dev/null +++ b/.github/workflows/black-duck-security-scan-ci.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Black Duck Security Action allows you to integrate Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) into your CI/CD pipelines. +# For more information about configuring your workflow, +# read our documentation at https://github.com/blackduck-inc/black-duck-security-scan + +name: CI Black Duck security scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '16 5 * * 5' + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write + actions: read + + steps: + - name: Checkout source + uses: actions/checkout@v4 + - name: Black Duck SCA scan + uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9 + with: + ### ---------- BLACKDUCK SCA SCANNING: REQUIRED FIELDS ---------- + blackducksca_url: ${{ vars.BLACKDUCKSCA_URL }} + blackducksca_token: ${{ secrets.BLACKDUCKSCA_TOKEN }} + + ### ---------- COVERITY SCANNING: REQUIRED FIELDS ---------- + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + + ### ---------- POLARIS SCANNING: REQUIRED FIELDS ---------- + polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_assessment_types: "SCA,SAST" + + ### ---------- SRM SCANNING: REQUIRED FIELDS ---------- + srm_url: ${{ vars.SRM_URL }} + srm_apikey: ${{ secrets.SRM_API_KEY }} + srm_assessment_types: "SCA,SAST" + From 43107e619e24005e82a53624d70f846ad30a4114 Mon Sep 17 00:00:00 2001 
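Review bot: the single step configures all four scanner back ends at once (`blackducksca_*`, `coverity_*`, `polaris_*`, `srm_*`), each labelled "REQUIRED FIELDS" for its own scan type; any of those `vars`/`secrets` that are not defined expand to empty strings, so the action will fail validation or try to reach servers that do not exist. Keep only the section for the product the project actually licenses. `pull-requests: write` is needed only if PR comments from the action are enabled; otherwise drop it to keep the token minimal. The trailing `+ ` blank line at the end of the file can go.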
From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:48:04 -0600 Subject: [PATCH 012/103] Add Checkmarx One GitHub Action workflow This workflow triggers Checkmarx One scans on pull requests to the main branch, integrating SAST, SCA, and KICS functionalities. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/checkmarx-one.yml | 55 +++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/checkmarx-one.yml diff --git a/.github/workflows/checkmarx-one.yml b/.github/workflows/checkmarx-one.yml new file mode 100644 index 00000000..16b78a35 --- /dev/null +++ b/.github/workflows/checkmarx-one.yml 
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# scan customization using the full functionality and flexibility of the CLI tool. + +# This is a basic workflow to help you get started with Using Checkmarx One Action, +# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html + +name: Checkmarx Scan + +# Controls when the workflow will run +on: + pull_request: + types: [opened, reopened, synchronize] + branches: [ "main" ] + +permissions: + contents: read + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif + + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # This step checks out a copy of your repository. 
+ - name: Checkout repository + uses: actions/checkout@v4 + # This step creates the Checkmarx One scan + - name: Checkmarx One scan + uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc + with: + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One + cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One + additional_params: --report-format sarif --output-path . + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: cx_result.sarif From 22ed5c1bcebe036b501dd74727f155f9cf59df67 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:49:00 -0600 Subject: [PATCH 013/103] Add Checkmarx CxFlow GitHub Actions workflow @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/checkmarx.yml | 55 +++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/checkmarx.yml diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml new file mode 100644 index 00000000..d003a502 --- /dev/null +++ b/.github/workflows/checkmarx.yml 
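Review bot: the `Upload SARIF file` step has no `if:` condition, so when the `Checkmarx One scan` step exits non-zero the upload is skipped and the findings never reach code scanning; add `if: always()` (or `if: success() || failure()`) to that step so the SARIF is uploaded whenever the scan wrote one. Also, `base_uri: https://ast.checkmarx.net` is still the template value, as its own comment says; set it to the tenant's actual base URI before this ships, and consider `vars` rather than `secrets` for `cx_tenant`, which is an identifier rather than a credential and is otherwise masked in logs.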
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '18 23 * * 1' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v4 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe + with: + project: ${{ secrets.CHECKMARX_PROJECT }} + team: ${{ secrets.CHECKMARX_TEAMS }} + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ 
secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + scanners: sast + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: cx.sarif From 3bdbcd492d9b79c0fb2d871d23c702f1c9b9ca79 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:49:48 -0600 Subject: [PATCH 014/103] Add Codacy security scan workflow This workflow integrates Codacy Actions and scans with GitHub Actions @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/codacy.yml | 61 ++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/codacy.yml diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml new file mode 100644 index 00000000..c9f67d60 --- /dev/null +++ b/.github/workflows/codacy.yml 
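Review bot: `project`, `team` and `checkmarx_url` are read from `secrets.*` although they are configuration rather than credentials; storing them as secrets masks them in logs, which hides misconfiguration when the scan fails, so move them to `vars.*` as the Black Duck workflow earlier in this series does for its URLs. In the `params:` line, `--branch=${{ github.ref }}` resolves to `refs/pull/<n>/merge` on `pull_request` runs rather than the source branch, so CxFlow will record a merge ref as the branch name; use `github.head_ref` for pull requests (or `github.ref_name` on push) if the human-readable branch is intended. Lastly, `checkmarx_username`/`checkmarx_password` and `checkmarx_client_secret` are all supplied; check the action README referenced in the comment for which of the two credential forms applies and drop the unused one.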
@@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '39 8 * * 0' + +permissions: + contents: read + +jobs: + codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v4 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 
exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 46148d3da55bf9d370ee97df258126d8d124df4f Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:50:32 -0600 Subject: [PATCH 015/103] Add Contrast Scan workflow for artifact analysis This workflow initiates a Contrast Scan on built artifacts and uploads results in SARIF format to GitHub. It includes necessary prerequisites and permissions for scanning and uploading. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/contrast-scan.yml | 53 +++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 .github/workflows/contrast-scan.yml diff --git a/.github/workflows/contrast-scan.yml b/.github/workflows/contrast-scan.yml new file mode 100644 index 00000000..206d4947 --- /dev/null +++ b/.github/workflows/contrast-scan.yml 
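Review bot: `max-allowed-issues: 2147483647` makes the Codacy step succeed regardless of findings, and the comment above it says PR rejection is handed to GitHub; that hand-over only works if a branch protection rule or ruleset on `main` requires code scanning results, which this workflow cannot enforce by itself. Either document that prerequisite next to the `# Force 0 exit code` comment or, if no such rule exists, lower `max-allowed-issues` so the scan remains a gate. The `if:`-less `Upload SARIF results file` step is fine here precisely because the previous step never fails.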
@@ -0,0 +1,53 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Contrast Scan on your built artifact, and subsequently upload the results SARIF to Github. +# Because Contrast Scan is designed to run against your deployable artifact, you need to build an artifact that will be passed to the Contrast Scan Action. +# Contrast Scan currently supports Java, JavaScript and .NET artifacts. +# For more information about the Contrast Scan GitHub Action see here: https://github.com/Contrast-Security-OSS/contrastscan-action + +# Pre-requisites: +# All Contrast related account secrets should be configured as GitHub secrets to be passed as inputs to the Contrast Scan Action. +# The required secrets are CONTRAST_API_KEY, CONTRAST_ORGANIZATION_ID and CONTRAST_AUTH_HEADER. + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '45 5 * * 3' + +permissions: + contents: read + +name: Scan analyze workflow +jobs: + build-and-scan: + permissions: + contents: read # for actions/checkout + security-events: write # for github/codeql-action/upload-sarif + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + # check out project + steps: + - uses: actions/checkout@v4 + # Since Contrast Scan is designed to run against your deployable artifact, the steps to build your artifact should go here. + # -name: Build Project + # ... 
+ # Scan Artifact + - name: Contrast Scan Action + uses: Contrast-Security-OSS/contrastscan-action@7352a45d9678ec8a434cf061b07ffb51c1e351a1 + with: + artifact: mypath/target/myartifact.jar # replace this path with the path to your built artifact + apiKey: ${{ secrets.CONTRAST_API_KEY }} + orgId: ${{ secrets.CONTRAST_ORGANIZATION_ID }} + authHeader: ${{ secrets.CONTRAST_AUTH_HEADER }} + #Upload the results to GitHub + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif # The file name must be 'results.sarif', as this is what the Github Action will output From c00627740791e751b0b73a606c62199bb0c3520f Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:51:17 -0600 Subject: [PATCH 016/103] Add CRDA scan workflow for static code analysis This workflow performs static analysis of source code using Red Hat CodeReady Dependency Analytics, triggered by various events. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/crda.yml | 126 +++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 .github/workflows/crda.yml diff --git a/.github/workflows/crda.yml b/.github/workflows/crda.yml new file mode 100644 index 00000000..c96e9b39 --- /dev/null +++ b/.github/workflows/crda.yml 
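Review bot: the scan step points at `artifact: mypath/target/myartifact.jar`, but the build step that would produce it is only a commented-out placeholder (`# -name: Build Project`, which also lacks the space after the dash), so with the `push`, `pull_request` and `schedule` triggers in place every run will fail at `Contrast Scan Action` because the artifact does not exist. Add the real build step and the correct path before merging, or limit the trigger to `workflow_dispatch` until that is done. The `sarif_file: results.sarif` comment documenting the fixed output name is helpful; no change needed there.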
@@ -0,0 +1,126 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your source code using +# Red Hat CodeReady Dependency Analytics. + +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event + +# 💁 The CRDA Starter workflow will: +# - Checkout your repository +# - Setup the required tool stack +# - Install the CRDA command line tool +# - Auto detect the manifest file and install the project's dependencies +# - Perform the security scan using CRDA +# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab +# - Optionally upload the SARIF file as an artifact for the future reference + +# ℹ️ Configure your repository and the workflow with the following steps: +# 1. Setup the tool stack based on the project's requirement. +# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack +# 2. (Optional) CRDA action attempt to detect the language and install the +# required dependencies for your project. If your project doesn't aligns +# with the default dependency installation command mentioned here +# https://github.com/redhat-actions/crda/#3-installing-dependencies. +# Use the required inputs to setup the same +# 3. (Optional) CRDA action attempts to detect the manifest file if it is +# present in the root of the project and named as per the default mentioned +# here https://github.com/redhat-actions/crda/#3-installing-dependencies. +# If it deviates from the default, use the required inputs to setup the same +# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN. +# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication +# 5. 
(Optional) Upload SARIF file as an Artifact to download and view +# 6. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: CRDA Scan + +# Controls when the workflow will run +on: + # TODO: Customize trigger events based on your DevSecOps processes + # + # This workflow is made to run with OpenShift starter workflow + # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml + # However, if you want to run this workflow as a standalone workflow, please + # uncomment the 'push' trigger below and configure it based on your requirements. + # + workflow_call: + secrets: + CRDA_KEY: + required: false + SNYK_TOKEN: + required: false + workflow_dispatch: + + # push: + # branches: [ "main" ] + + # pull_request_target is used to securely share secret to the PR's workflow run. + # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + pull_request_target: + branches: [ "main" ] + types: [ assigned, opened, synchronize, reopened, labeled, edited ] + +permissions: + contents: read + +jobs: + crda-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for redhat-actions/crda to upload SARIF results + name: Scan project vulnerabilities with CRDA + runs-on: ubuntu-latest + steps: + + - name: Check out repository + uses: actions/checkout@v4 + + # ******************************************************************* + # Required: Instructions to setup project + # 1. Setup Go, Java, Node.js or Python depending on your project type + # 2. 
Setup Actions are listed below, choose one from them: + # - Go: https://github.com/actions/setup-go + # - Java: https://github.com/actions/setup-java + # - Node.js: https://github.com/actions/setup-node + # - Python: https://github.com/actions/setup-python + # + # Example: + # - name: Setup Node + # uses: actions/setup-node@v4 + # with: + # node-version: '20' + + # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md + - name: Install CRDA CLI + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: github + github_pat: ${{ github.token }} + # Choose the desired version of the CRDA CLI + crda: "latest" + + ###################################################################################### + # https://github.com/redhat-actions/crda/blob/main/README.md + # + # By default, CRDA will detect the manifest file and install the required dependencies + # using the standard command for the project type. + # If your project doesn't aligns with the defaults mentioned in this action, you will + # need to set few inputs that are described here: + # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies + # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand + # process to get a SNYK_TOKEN or a CRDA_KEY + - name: CRDA Scan + id: scan + uses: redhat-actions/crda@v1 + with: + crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token + # snyk_token: ${{ secrets.SNYK_TOKEN }} + # upload_artifact: false # Set this to false to skip artifact upload From 9c70b7d990c1178f2e9acb1e1c02b95b18575c25 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:52:03 -0600 Subject: [PATCH 017/103] Add Debricked vulnerability scan workflow This workflow integrates Debricked for vulnerability scanning in GitHub actions. @gniumg-source 
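Review bot: the `pull_request_target` trigger combined with a plain `actions/checkout@v4` means the PR scan runs against the base branch (`pull_request_target` checks out the base ref by default), so the dependency changes a PR introduces are never the ones analysed; the `types:` list includes `labeled`, which suggests a label gate was intended, but no `if:` on the job checks for a label. Two defensible fixes: keep the base-branch checkout and document that PR scans only cover `main`, or gate the job on a maintainer-applied label (for example `if: contains(github.event.pull_request.labels.*.name, 'safe-to-scan')`) before checking out `github.event.pull_request.head.sha`, because the scan installs the project's dependencies (per the header comments) and would otherwise run install hooks from an unreviewed PR with `CRDA_KEY`/`SNYK_TOKEN` in scope. Also, the `workflow_call` block marks both secrets `required: false` while the `# Either use crda_key or snyk_token` comment implies one is needed; add a note that the caller must pass at least one.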
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/debricked.yml | 43 +++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/debricked.yml diff --git a/.github/workflows/debricked.yml b/.github/workflows/debricked.yml new file mode 100644 index 00000000..dd20163f --- /dev/null +++ b/.github/workflows/debricked.yml 
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +##################################################################################################################################################################### +# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. # +# # +# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com # +# To learn more about Debricked or contact our team, visit https://debricked.com/ # +# # +# To run this workflow, complete the following set-up steps: # +# # +# 1. If you don’t have a Debricked account, create one by visiting https://debricked.com/app/en/register # +# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 # +# 3. In GitHub, navigate to the repository # +# 4. Click on “Settings” (If you cannot see the “Settings” tab, select the dropdown menu, then click “Settings”) # +# 5. In the “Security” section click on “Secrets and variables”, then click “Actions” # +# 6. In the “Secrets” tab, click on “New repository secret” # +# 7. In the “Name” field, type the name of the secret # +# 8. In the “Secret” field, enter the value of the secret # +# 9. Click “Add secret” # +# 10. You should now be ready to use the workflow! 
# +##################################################################################################################################################################### + +name: Debricked Scan + +on: + push: + +permissions: + contents: read + +jobs: + vulnerabilities-scan: + name: Vulnerabilities scan + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - uses: debricked/actions@v4 + env: + DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} From da90250e26d002d81068611558ff6e88273c8adc Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:52:45 -0600 Subject: [PATCH 018/103] Add Endor Labs workflow for security scanning This workflow configures Endor Labs scanning for pull requests and pushes, including SARIF file uploads. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/endorlabs.yml | 51 +++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/endorlabs.yml diff --git a/.github/workflows/endorlabs.yml b/.github/workflows/endorlabs.yml new file mode 100644 index 00000000..7ba5da52 --- /dev/null +++ b/.github/workflows/endorlabs.yml 
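Review bot: `debricked/actions@v4` is a mutable major-version tag while most third-party actions in this series are pinned to a full commit SHA; pin this one the same way (with a `# v4.x.y` comment) so an upstream tag move cannot change what runs with `DEBRICKED_TOKEN`. The `on: push:` trigger has no `branches:` filter, so the scan (and the token) is used on every branch and tag push; if that is intentional, say so in the comment block, otherwise add `branches: [ "main" ]` to match the sibling workflows.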
@@ -0,0 +1,51 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Endor Labs +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '19 13 * * 6' +jobs: + scan: + permissions: + security-events: write # Used to upload sarif artifact to GitHub + contents: read # Used to checkout a private repository by actions/checkout. + actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required. + id-token: write # Used for keyless authentication to Endor Labs + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + #### Package Build Instructions + ### Use this section to define the build steps used by your software package. + ### Endor Labs builds your software for you where possible but the required build tools must be made available. + # - name: Setup Java + # uses: actions/setup-java@v4 + # with: + # distribution: 'microsoft' + # java-version: '17' + # - name: Build Package + # run: mvn clean install + - name: Endor Labs scan pull request + if: github.event_name == 'pull_request' + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + sarif_file: findings.sarif + - name: Endor Labs scan monitor + if: github.event_name == 'push' + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + ci_run: "false" + sarif_file: findings.sarif + - name: Upload SARIF to github + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: findings.sarif From 2a0de7c045b8b64b27f5595c5d6b9417ccd31933 Mon Sep 17 00:00:00 2001 
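Review bot: the `Upload SARIF to github` step runs unconditionally, but both scan steps are gated (`if: github.event_name == 'pull_request'` and `if: github.event_name == 'push'`), so on the `schedule` trigger neither scan runs and the upload fails because `findings.sarif` was never written. Either extend the monitor step's condition to `github.event_name == 'push' || github.event_name == 'schedule'` or add a matching `if:` to the upload step. `namespace: "example"` is also still the placeholder in both scan steps, as its own comment notes, and should be replaced with the tenant namespace before merge.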
From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 17:54:02 -0600 Subject: [PATCH 019/103] Add Fortify AST Scan workflow This workflow integrates Fortify Application Security Testing into GitHub workflows, enabling SAST and SCA scans. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/fortify.yml | 129 ++++++++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 .github/workflows/fortify.yml diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml new file mode 100644 index 00000000..94c46c5d --- /dev/null +++ b/.github/workflows/fortify.yml 
@@ -0,0 +1,129 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # +# # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # +################################################################################################################################################ + +name: Fortify AST Scan + +# Customize trigger events based on your DevSecOps process and/or policy +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '29 2 * * 1' + workflow_dispatch: + +jobs: + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). 
+ runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + # pull-requests: write # Required if DO_PR_COMMENT is set to true + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v4 + + # Perform SAST and/or SCA scan via Fortify on Demand/Fortify Hosted/ScanCentral SAST/Debricked. Based on + # configuration, the Fortify GitHub Action can optionally set up the application version/release, generate + # job summaries and Pull Request comments, and/or export SAST results to the GitHub code scanning dashboard. + # The Fortify GitHub Action provides many customization capabilities, but in case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline. It is recommended to review the Fortify GitHub Action + # documentation at https://github.com/fortify/github-action#readme for more information on the various + # configuration options and available sub-actions. + - name: Run Fortify Scan + # Specify Fortify GitHub Action version to run. As per GitHub starter workflow requirements, this example + # uses the commit id corresponding to version 1.6.2. It is recommended to check whether any later releases + # are available at https://github.com/fortify/github-action/releases. Depending on the amount of stability + # required, you may want to consider using fortify/github-action@v1 instead to use the latest 1.x.y version + # of this action, allowing your workflows to automatically benefit from any new features and bug fixes. + uses: fortify/github-action@ef5539bf4bd9c45c0bd971978f635a69eae55297 + with: + sast-scan: true # Run a SAST scan; if not specified or set to false, no SAST scan will be run + debricked-sca-scan: true # For FoD, run an open-source scan as part of the SAST scan (ignored if SAST scan + # is disabled). 
For SSC, run a Debricked scan and import results into SSC. + env: + ############################################################# + ##### Fortify on Demand configuration + ##### Remove this section if you're integrating with Fortify Hosted/Software Security Center (see below) + ### Required configuration + FOD_URL: https://ams.fortify.com # Must be hardcoded or configured through GitHub variable, not secret + FOD_TENANT: ${{secrets.FOD_TENANT}} # Either tenant/user/password or client id/secret are required; + FOD_USER: ${{secrets.FOD_USER}} # these should be configured through GitHub secrets. + FOD_PASSWORD: ${{secrets.FOD_PAT}} + # FOD_CLIENT_ID: ${{secrets.FOD_CLIENT_ID}} + # FOD_CLIENT_SECRET: ${{secrets.FOD_CLIENT_SECRET}} + ### Optional configuration + # FOD_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /: + # DO_SETUP: true # Setup FoD application, release & static scan configuration + # SETUP_ACTION: # Customize setup action + # Pass extra options to setup action: + # SETUP_EXTRA_OPTS: --copy-from "${{ github.repository }}:${{ github.event.repository.default_branch }}" + # PACKAGE_EXTRA_OPTS: -oss -bt mvn # Extra 'scancentral package' options + # FOD_SAST_SCAN_EXTRA_OPTS: # Extra 'fcli fod sast-scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # 
PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions + + ############################################################# + ##### Fortify Hosted / Software Security Center & ScanCentral + ##### Remove this section if you're integrating with Fortify on Demand (see above) + ### Required configuration + SSC_URL: ${{vars.SSC_URL}} # Must be hardcoded or configured through GitHub variable, not secret + SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken; credentials should be configured through GitHub secrets + SC_SAST_TOKEN: ${{secrets.SC_CLIENT_AUTH_TOKEN}} # ScanCentral SAST client_auth_token, required if SAST scan is enabled + DEBRICKED_TOKEN: ${{secrets.DEBRICKED_TOKEN}} # Debricked token, required if Debricked scan is enabled + SC_SAST_SENSOR_VERSION: 24.4.0 # Sensor version to use for the scan, required if SAST scan is enabled + ### Optional configuration + # SSC_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli ssc session login' options + # SC_SAST_LOGIN_EXTRA_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version name, default: /: + # DO_SETUP: true # Set up SSC application & version + # SETUP_ACTION: # Customize setup action + # SETUP_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to setup action + # PACKAGE_EXTRA_OPTS: -bt mvn # Extra 'scancentral package' options + # EXTRA_SC_SAST_SCAN_OPTS: # Extra 'fcli sc-sast scan start' options + # DO_WAIT: true # Wait for successful scan completion (implied if post-scan actions enabled) + # DO_POLICY_CHECK: true # Fail pipeline if security policy outcome is FAIL + # POLICY_CHECK_ACTION: # Customize security policy checks + # 
POLICY_CHECK_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to policy check action + # DO_JOB_SUMMARY: true # Generate workflow job summary + # JOB_SUMMARY_ACTION: # Customize job summary + # JOB_SUMMARY_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to job summary action + # DO_PR_COMMENT: true # Generate PR comments, only used on pull_request triggers + # PR_COMMENT_ACTION: # Customize PR comments + # PR_COMMENT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to PR comment action + # DO_EXPORT: true # Export vulnerability data to GitHub code scanning dashboard + # EXPORT_ACTION: # Customize export action + # EXPORT_EXTRA_OPTS: --on-unsigned=ignore # Pass extra options to export action + # TOOL_DEFINITIONS: # URL from where to retrieve Fortify tool definitions From 245964e40b057cffb2ebd8ba9e5f1a53b1717043 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 21:29:46 -0600 Subject: [PATCH 020/103] Update CONTRIBUTING.mdp @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera From c7ec1730132a8f61a4895f8e04645de7b4ccad66 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 21:30:21 -0600 Subject: [PATCH 021/103] Correct indentation in LICENSE file Fix indentation for the Apache License header. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- LICENSE | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/LICENSE b/LICENSE index d6456956..b45f5132 100644 --- a/LICENSE +++ b/LICENSE @@ -1,5 +1,5 @@ - Apache License + Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ From bf5a7d7a46dd6b8d9dced0143ffbb5eedcb4c00c Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 21:30:49 -0600 Subject: [PATCH 022/103] Add LICENSE file @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera From da3c09737839d380510f72d629752c02041a0b72 Mon Sep 17 00:00:00 2001 
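Review bot: the commented `*_EXTRA_OPTS: --on-unsigned=ignore` examples in this hunk (SETUP_EXTRA_OPTS, POLICY_CHECK_EXTRA_OPTS, JOB_SUMMARY_EXTRA_OPTS, PR_COMMENT_EXTRA_OPTS, EXPORT_EXTRA_OPTS) instruct fcli to run a custom action file even when its signature cannot be verified; if any of them is ever uncommented alongside a custom `*_ACTION`, the comment should say where that action is fetched from, and the default of rejecting unsigned actions should be kept unless the source is trusted. Separately, the section header says to remove this block when integrating with Fortify on Demand, yet it is left active with `SSC_URL`, `SSC_TOKEN`, `SC_SAST_TOKEN`, `DEBRICKED_TOKEN` and a hardcoded `SC_SAST_SENSOR_VERSION: 24.4.0`; the workflow will fail at `fcli ssc session login` until those variables and secrets exist, so one integration should be chosen before merging.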
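Review bot: the LICENSE hunk is a whitespace-only change to the first line (`- Apache License` / `+ Apache License` differ only in leading spaces); the upstream Apache-2.0 text centers that title with leading spaces, so please confirm the result still matches the canonical text, otherwise license scanners may stop recognising the file.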
From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 21:35:21 -0600 Subject: [PATCH 023/103] Add LICENSE file @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera From 8c3d584860e088644f4f4580e14501300f6e0339 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Wed, 8 Apr 2026 21:36:06 -0600 Subject: [PATCH 024/103] Improve formatting in SECURITY.md Added a blank line for better readability. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 07bc436f..e4a9cc86 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,5 +1,5 @@ # Report a security issue - + To report a security issue, please use [https://g.co/vulnz](https://g.co/vulnz). We use [https://g.co/vulnz](https://g.co/vulnz) for our intake, and do coordination and disclosure here on GitHub (including using GitHub Security Advisory). The Google Security Team will From d1258922fc07c73fe4f60b74cd45d57d423dde2d Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:31:58 -0600 Subject: [PATCH 025/103] Update SECURITY.md @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera From de2d7522178443f6dc01cfffb883c01547891785 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:42:36 -0600 Subject: [PATCH 026/103] Add Container Registry documentation Added documentation for working with the Container Registry, including authentication, image management, and best practices. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- contenedores.Yml | 192 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) create mode 100644 contenedores.Yml diff --git a/contenedores.Yml b/contenedores.Yml new file mode 100644 index 00000000..2da87d70 --- /dev/null +++ b/contenedores.Yml 
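Review bot: the SECURITY.md hunk removes one blank line and adds another (`-` / `+`, a whitespace-only change), so the commit message "Added a blank line for better readability" does not describe what the diff does; either drop the commit or reword the message to say trailing whitespace was stripped.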
@@ -0,0 +1,192 @@ +Trabajar con el registro de contenedores +Puedes almacenar y administrar imágenes de Docker y OCI en el Container registry. + +En este artículo +Acerca del Container registry +El Container registry almacena imágenes de contenedor dentro de tu organización o cuenta personal y te permite asociar una imagen a un repositorio. Puedes elegir si quieres heredar permisos desde un repositorio o si quieres configurar permisos granulares independientemente de un repositorio. También puedes acceder a imágenes de contenedor públicas de forma anónima. + +Acerca del soporte para el Container registry +El Container registry es actualmente compatible con los siguientes formatos de contenedores de imagen: + + [Docker Image Manifest V2, modelo 2](https://docs.docker.com/registry/spec/manifest-v2-2/) + [Especificaciones de Open Container Initiative (OCI)](https://github.com/opencontainers/image-spec) +Cuando instalas o publicas una imagen de Docker, el Container registry es compatible con capas externas, tales como imágenes de Windows. + +Autenticarse en el Container registry +Nota: + +GitHub Packages solo admite la autenticación mediante un personal access token (classic). Para más información, consulta Administración de tokens de acceso personal. + +Necesitas un token de acceso para publicar, instalar y eliminar paquetes privados, internos y públicos. + +Puedes utilizar un personal access token (classic) para autenticarte en el GitHub Packages o en la API de GitHub. Cuando creas un personal access token (classic), puedes asignar al token diferentes ámbitos en función de tus necesidades. Para más información sobre los ámbitos relacionados con paquetes para un personal access token (classic), consulta Acerca de los permisos para los Paquetes de GitHub. + +Para autenticarte en un registro del GitHub Packages dentro de un flujo de trabajo de GitHub Actions, puedes utilizar: + +GITHUB_TOKEN para publicar los paquetes asociados con el repositorio del flujo de trabajo. 
+Un personal access token (classic) con al menos alcance read:packages para instalar los paquetes asociados con otros repositorios privados (GITHUB_TOKEN puede utilizarse si el repositorio tiene acceso de lectura al paquete. Consulta Configurar la visibilidad y el control de accesos de un paquete). +Autenticación en un flujo de trabajo de GitHub Actions +Este registro admite permisos granulares. Para los registros que admiten permisos detallados, si en el flujo de trabajo de GitHub Actions se usa un personal access token para autenticarse en un registro, se recomienda encarecidamente actualizar el flujo de trabajo para usar GITHUB_TOKEN. Para obtener orientación sobre la actualización de tus flujos de trabajo que se autentican en un registro con un personal access token, consulta Publicar e instalar un paquete con GitHub Actions. + +Nota: + +La capacidad de que los flujos de trabajo de GitHub Actions eliminen y restauren paquetes mediante la API de REST se encuentra actualmente en versión preliminar pública y está sujeta a cambios. + +Puede usar un GITHUB_TOKEN en un flujo de trabajo de GitHub Actions para eliminar o restaurar un paquete mediante la API de REST, si el token tiene el permiso admin para el paquete. A los repositorios que publican paquetes mediante un flujo de trabajo y a los repositorios que se han conectado explícitamente a los paquetes se les concede automáticamente el permiso admin para los paquetes del repositorio. + +Para obtener más información sobre GITHUB_TOKEN, consulta Uso de GITHUB_TOKEN para la autenticación en flujos de trabajo. Para obtener más información sobre los procedimientos recomendados al usar un registro en acciones, consulta Referencia de uso seguro. + +También puedes optar por conceder permisos de acceso a paquetes de forma independiente para GitHub Codespaces y GitHub Actions. 
Para más información, consulta Configurar la visibilidad y el control de accesos de un paquete y Configurar la visibilidad y el control de accesos de un paquete. + +Autenticarse con un personal access token (classic) +Nota: + +GitHub Packages solo admite la autenticación mediante un personal access token (classic). Para más información, consulta Administración de tokens de acceso personal. + +Crea o usa un personal access token (classic) existente con los ámbitos adecuados para las tareas que quieras realizar. Si tu organización requiere SSO, debes hablitarlo para tu token nuevo. + +Nota: + +De manera predeterminada, cuando seleccionas el ámbito write:packages de tu personal access token (classic) en la interfaz de usuario, también se selecciona el ámbito repo. El ámbito repo ofrece un acceso amplio e innecesario, el cual te recomendamos no utilices para los flujos de trabajo de GitHub Actions en particular. Para más información, consulta Referencia de uso seguro. Como solución alternativa, puedes seleccionar solo el ámbito write:packages de tu personal access token (classic) en la interfaz de usuario con esta URL: https://github.com/settings/tokens/new?scopes=write:packages. + +Selecciona el ámbito read:packages para descargar imágenes de contenedor y leer sus metadatos. +Selecciona el ámbito write:packages para descargar y cargar imágenes de contenedor, así como para leer y escribir sus metadatos. +Selecciona el ámbito delete:packages para eliminar imágenes de contenedor. +Para más información, consulta Administración de tokens de acceso personal. + +Guarda tu personal access token (classic). Te recomendamos guardar tu token como una variable de entorno. + +export CR_PAT=YOUR_TOKEN +Utilizando el CLI de tu tipo de contenedor, inicia sesión en el servicio de Container registry en ghcr.io. 
+ +$ echo $CR_PAT | docker login ghcr.io -u USERNAME --password-stdin +> Login Succeeded +Subir imágenes de contenedor +En este ejemplo se envía la versión más reciente de IMAGE_NAME. + +docker push ghcr.io/NAMESPACE/IMAGE_NAME:latest +Reemplaza NAMESPACE por el nombre de la cuenta personal u organización a la que deseas designar un ámbito de imagen. + +En este ejemplo se transfiere la versión 2.5 de la imagen. + +docker push ghcr.io/NAMESPACE/IMAGE_NAME:2.5 +Cuando publicas un paquete por primera vez, la visibilidad predeterminada es privada. Para cambiar la visibilidad o establecer permisos de acceso, consulta Configurar la visibilidad y el control de accesos de un paquete. Puedes vincular un paquete publicado a un repositorio mediante la interfaz de usuario o la línea de comandos. Para más información, consulta Conectar un repositorio a un paquete. + +Al insertar una imagen de contenedor desde la línea de comandos, la imagen no está vinculada a un repositorio de forma predeterminada. Este es el caso aunque etiquetes la imagen con un espacio de nombres que coincida con el nombre del repositorio, como ghcr.io/octocat/my-repo:latest. + +La manera más sencilla de conectar un repositorio a un paquete de contenedor es publicar el paquete desde un flujo de trabajo mediante ${{secrets.GITHUB_TOKEN}}, ya que el repositorio que contiene dicho flujo de trabajo se vincula automáticamente. Ten en cuenta que GITHUB_TOKEN no tendrá permiso para insertar el paquete si previamente has insertado un paquete en el mismo espacio de nombres, pero no has conectado dicho paquete al repositorio. + +Para conectar un repositorio al publicar una imagen desde la línea de comandos y para asegurarse de que GITHUB_TOKEN tiene los permisos adecuados al usar un flujo de trabajo de GitHub Actions, se recomienda agregar la etiqueta org.opencontainers.image.source a Dockerfile. 
Para obtener más información, consulta "Etiquetado de imágenes de contenedor" en este artículo y "Publicar e instalar un paquete con GitHub Actions". + +Extraer imágenes de contenedor +Extraer por resumen +Para garantizar que siempre use la misma imagen, puede especificar la versión exacta de la imagen de contenedor que desea obtener utilizando el valor SHA de digest. + +Para buscar el valor de digest SHA, use docker inspect o docker pull y copie el valor de SHA después de Digest:. + +docker inspect ghcr.io/NAMESPACE/IMAGE_NAME +Reemplaza NAMESPACE por el nombre de la cuenta personal u organización a la que se designa un ámbito de imagen. + +Elimina la imagen localmente de acuerdo a tus necesidades. + +docker rmi ghcr.io/NAMESPACE/IMAGE_NAME:latest +Extraiga la imagen de contenedor con @YOUR_SHA_VALUE después del nombre de la imagen. + +docker pull ghcr.io/NAMESPACE/IMAGE_NAME@sha256:82jf9a84u29hiasldj289498uhois8498hjs29hkuhs +Extraer por nombre +docker pull ghcr.io/NAMESPACE/IMAGE_NAME +Reemplaza NAMESPACE por el nombre de la cuenta personal u organización a la que se asigna la imagen. + +Extraer por nombre y versión +Ejemplo de CLI de Docker que muestra una imagen que se extrae por su nombre y por la etiqueta de la versión 1.14.1: + +$ docker pull ghcr.io/NAMESPACE/IMAGE_NAME:1.14.1 +> 5e35bd43cf78: Pull complete +> 0c48c2209aab: Pull complete +> fd45dd1aad5a: Pull complete +> db6eb50c2d36: Pull complete +> Digest: sha256:ae3b135f133155b3824d8b1f62959ff8a72e9cf9e884d88db7895d8544010d8e +> Status: Downloaded newer image for ghcr.io/NAMESPACE/IMAGE_NAME/release:1.14.1 +> ghcr.io/NAMESPACE/IMAGE_NAME/release:1.14.1 +Reemplaza NAMESPACE por el nombre de la cuenta personal u organización a la que se asigna la imagen. 
+ +Extraer por nombre y última versión +$ docker pull ghcr.io/NAMESPACE/IMAGE_NAME:latest +> latest: Pulling from NAMESPACE/IMAGE_NAME +> Digest: sha256:b3d3e366b55f9a54599220198b3db5da8f53592acbbb7dc7e4e9878762fc5344 +> Status: Downloaded newer image for ghcr.io/NAMESPACE/IMAGE_NAME:latest +> ghcr.io/NAMESPACE/IMAGE_NAME:latest +Reemplaza NAMESPACE por el nombre de la cuenta personal u organización a la que se asigna la imagen. + +Creación de imágenes de contenedor +En este ejemplo se compila la imagen hello_docker: + +docker build -t hello_docker . +Etiquetado de imágenes de contenedores +Encuentra la ID para la imagen de Docker que quieres etiquetar. + +$ docker images +> REPOSITORY TAG IMAGE ID CREATED SIZE +> ghcr.io/my-org/hello_docker latest 38f737a91f39 47 hours ago 91.7MB +> hello-world latest fce289e99eb9 16 months ago 1.84kB +Etiqueta tu imagen de Docker utilizando la ID ed imagen y el nombre que quieras poner a la misma, así como el destino en donde se hospedará ésta. + +docker tag 38f737a91f39 ghcr.io/NAMESPACE/NEW_IMAGE_NAME:latest +Reemplaza NAMESPACE por el nombre de la cuenta personal u organización a la que deseas designar un ámbito de imagen. + +Etiquetado de imágenes de contenedor +Puedes usar etiquetas claves de anotación predefinidas para agregar metadatos, incluida una descripción, una licencia y un repositorio de origen a la imagen de contenedor. Los valores de las claves admitidas aparecerán en la página del paquete de la imagen. + +Para la mayoría de las imágenes, puedes usar etiquetas de Docker para agregar las claves de anotación a una imagen. Para obtener más información, consulta ETIQUETA en la documentación oficial de Docker y Claves de anotación predefinidas en el repositorio de opencontainers/image-spec. + +Para las imágenes de varios arcos, puedes agregar una descripción a la imagen agregando la clave de anotación adecuada al campo annotations en el manifiesto de la imagen. 
Para obtener más información, consulte Agregar una descripción a imágenes de múltiples arquitecturas. + +Las siguientes claves de anotación se admiten en Container registry. + +Clave Descripción +org.opencontainers.image.source Dirección URL del repositorio asociado al paquete. Para más información, consulta Conectar un repositorio a un paquete. +org.opencontainers.image.description Una descripción de solo texto limitada a 512 caracteres. Esta descripción aparecerá en la página del paquete, debajo del nombre del paquete. +org.opencontainers.image.licenses Un identificador de licencia SPDX, como "MIT", limitado a 256 caracteres. La licencia aparecerá en la página del paquete, en la barra lateral "Detalles". Para más información, consulta Lista de licencias de SPDX. +Para agregar una clave como etiqueta de Docker, se recomienda usar la instrucción LABEL en tu Dockerfile. Por ejemplo, si eres el usuario octocat y eres el propietario de my-repo y la imagen se distribuye bajo los términos de la licencia MIT, agregarías las líneas siguientes a Dockerfile: + +LABEL org.opencontainers.image.source=https://github.com/octocat/my-repo +LABEL org.opencontainers.image.description="My container image" +LABEL org.opencontainers.image.licenses=MIT +Nota: + +Si publicas un paquete vinculado a un repositorio, el paquete hereda automáticamente los permisos de acceso del repositorio vinculado y los flujos de trabajo de GitHub Actions en el repositorio vinculado automáticamente obtienen acceso al paquete, a menos que la organización haya deshabilitado la herencia automática de los permisos de acceso. Para más información, consulta Configurar la visibilidad y el control de accesos de un paquete. + +Como alternativa, puedes agregar etiquetas a una imagen en tiempo de compilación con el comando docker build. 
+ +$ docker build \ + --label "org.opencontainers.image.source=https://github.com/octocat/my-repo" \ + --label "org.opencontainers.image.description=My container image" \ + --label "org.opencontainers.image.licenses=MIT" +Adición de una descripción a imágenes de varios arcos +Una imagen de varios arcos es una imagen que admite varias arquitecturas. Funciona haciendo referencia a una lista de imágenes, cada una de las cuales admite una arquitectura diferente, dentro de un único manifiesto. + +La descripción que aparece en la página del paquete para una imagen de varios arcos se obtiene del campo annotations del manifiesto de la imagen. Al igual que las etiquetas de Docker, las anotaciones proporcionan una manera de asociar metadatos a una imagen y admiten claves de anotación predefinidas. Para más información, consulta Anotaciones en el repositorio opencontainers/image-spec. + +Para proporcionar una descripción para una imagen de varios arcos, establece un valor para la clave org.opencontainers.image.description en el campo del manifiesto annotations, como se indica a continuación. + +"annotations": { + "org.opencontainers.image.description": "My multi-arch image" +} +Por ejemplo, el siguiente paso del flujo de trabajo GitHub Actions compila e inserta una imagen de varios arcos. El parámetro outputs establece la descripción de la imagen. + +# Este flujo de trabajo usa acciones que no GitHub no certifica. +# Estas las proporcionan entidades terceras y las gobiernan +# condiciones de servicio, políticas de privacidad y documentación de soporte +# en línea. + +- name: Build and push Docker image + uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4 + with: + context: . + file: ./Dockerfile + platforms: ${{ matrix.platforms }} + push: true + outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=My multi-arch image +Solución de problemas +Container registry tienen un límite de tamaño de 10 GB para cada capa. 
+Container registry tienen un límite de tiempo de expiración de 10 minutos para las cargas. From e7ad6068ee9749c06758033d6a656fd77e74fee3 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:44:24 -0600 Subject: [PATCH 027/103] Create npm.yml for GitHub Packages documentation Add GitHub Packages npm registry configuration and usage instructions. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- npm,yml | 142 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 142 insertions(+) create mode 100644 npm,yml diff --git a/npm,yml b/npm,yml new file mode 100644 index 00000000..8eee4bf9 --- /dev/null +++ b/npm,yml 
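Review bot: `contenedores.Yml` is not YAML but Markdown-style documentation prose (the GitHub Docs article on the Container registry, in Spanish), so YAML linters and any tooling that globs `*.yml`/`*.Yml` will choke on it; it belongs under a docs folder with a `.md` extension (a suggested location such as `docs/container-registry.md` is only a suggestion here). Two of the copied examples also do not run as pasted: the `docker build \ --label ... --label "org.opencontainers.image.licenses=MIT"` command at the end of the labelling section is missing its build-context argument (a trailing `.`), and the pull-by-digest example uses `sha256:82jf9a84u29hiasldj289498uhois8498hjs29hkuhs`, which is not hex and so cannot be a real digest; mark it clearly as a placeholder like the other `NAMESPACE`/`IMAGE_NAME` values. On the security side the guidance is sound (`echo $CR_PAT | docker login ghcr.io -u USERNAME --password-stdin`, preferring `GITHUB_TOKEN` over a PAT in workflows), but the file should say that `CR_PAT` must never be committed.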
@@ -0,0 +1,142 @@ +GitHub Docs +GitHub Packages/Trabajar con un registro de Paquetes de GitHub/Registro de npm +Gestionar el registro de npm +Puedes configurar npm para publicar paquetes en GitHub Packages y para usar los paquetes almacenados en GitHub Packages como dependencias en un proyecto npm. + +En este artículo +Autenticándose en GitHub Packages +Nota: + +GitHub Packages solo admite la autenticación mediante un personal access token (classic). Para más información, consulta Administración de tokens de acceso personal. + +Necesitas un token de acceso para publicar, instalar y eliminar paquetes privados, internos y públicos. + +Puedes utilizar un personal access token (classic) para autenticarte en el GitHub Packages o en la API de GitHub. Cuando creas un personal access token (classic), puedes asignar al token diferentes ámbitos en función de tus necesidades. Para más información sobre los ámbitos relacionados con paquetes para un personal access token (classic), consulta Acerca de los permisos para los Paquetes de GitHub. + +Para autenticarte en un registro del GitHub Packages dentro de un flujo de trabajo de GitHub Actions, puedes utilizar: + +GITHUB_TOKEN para publicar los paquetes asociados con el repositorio del flujo de trabajo. +Un personal access token (classic) con al menos alcance read:packages para instalar los paquetes asociados con otros repositorios privados (GITHUB_TOKEN puede utilizarse si el repositorio tiene acceso de lectura al paquete. Consulta Configurar la visibilidad y el control de accesos de un paquete). +Autenticación en un flujo de trabajo de GitHub Actions +Este registro admite permisos granulares. Para los registros que admiten permisos detallados, si en el flujo de trabajo de GitHub Actions se usa un personal access token para autenticarse en un registro, se recomienda encarecidamente actualizar el flujo de trabajo para usar GITHUB_TOKEN. 
Para obtener orientación sobre la actualización de tus flujos de trabajo que se autentican en un registro con un personal access token, consulta Publicar e instalar un paquete con GitHub Actions. + +Nota: + +La capacidad de que los flujos de trabajo de GitHub Actions eliminen y restauren paquetes mediante la API de REST se encuentra actualmente en versión preliminar pública y está sujeta a cambios. + +Puede usar un GITHUB_TOKEN en un flujo de trabajo de GitHub Actions para eliminar o restaurar un paquete mediante la API de REST, si el token tiene el permiso admin para el paquete. A los repositorios que publican paquetes mediante un flujo de trabajo y a los repositorios que se han conectado explícitamente a los paquetes se les concede automáticamente el permiso admin para los paquetes del repositorio. + +Para obtener más información sobre GITHUB_TOKEN, consulta Uso de GITHUB_TOKEN para la autenticación en flujos de trabajo. Para obtener más información sobre los procedimientos recomendados al usar un registro en acciones, consulta Referencia de uso seguro. + +También puedes optar por conceder permisos de acceso a paquetes de forma independiente para GitHub Codespaces y GitHub Actions. Para más información, consulta Configurar la visibilidad y el control de accesos de un paquete y Configurar la visibilidad y el control de accesos de un paquete. + +Autenticación con un personal access token +Debes utilizar un personal access token (classic) con los ámbitos adecuados para publicar e instalar paquetes en GitHub Packages. Para más información, consulta Introducción a los paquetes de GitHub. + +Puedes autenticarte en GitHub Packages con npm al editar tu archivo ~/.npmrc personal para incluir tu personal access token (classic) o iniciando sesión en npm en la línea de comandos con tu nombre de usuario y personal access token. 
+ +Para autenticarse agregando tu personal access token (classic) al archivo ~/.npmrc, edita el archivo ~/.npmrc del proyecto para que incluya la siguiente línea y reemplace TOKEN por su personal access token. Crea un nuevo archivo ~/.npmrc si no existe. + +//npm.pkg.github.com/:_authToken=TOKEN +Para autenticarse mediante el inicio de sesión en npm, usa el comando npm login y reemplaza USERNAME por tu nombre de usuario de GitHub, TOKEN por tu personal access token (classic) y PUBLIC-EMAIL-ADDRESS por tu dirección de correo electrónico. + +Si usas la versión 9 o una posterior de la CLI de npm e inicias sesión en un registro privado mediante la línea de comandos, o cierras la sesión en él, debes usar la opción --auth-type=legacy para leer los detalles de autenticación de mensajes en lugar de usar el flujo de inicio de sesión predeterminado mediante un explorador. Para obtener más información, vea npm-login. + +Si GitHub Packages no es el registro de paquetes predeterminado para usar npm y quieres usar el comando npm audit, se recomienda usar la marca --scope con el espacio de nombres que hospeda el paquete (la cuenta personal u organización a la que el paquete tiene el ámbito) al autenticarse en GitHub Packages. + +$ npm login --scope=@NAMESPACE --auth-type=legacy --registry=https://npm.pkg.github.com + +> Username: USERNAME +> Password: TOKEN +Publicación de un paquete +Nota: + +Los nombres y ámbitos de los paquetes solo deben usar letras minúsculas. +El tarball de una versión de npm debe tener un tamaño inferior a 256 MB. +El registro GitHub Packages almacena paquetes npm dentro de tu organización o cuenta personal, y te permite asociar un paquete a un repositorio. Puedes elegir si quieres heredar permisos desde un repositorio o si quieres configurar permisos granulares independientemente de un repositorio. + +Cuando publicas un paquete por primera vez, la visibilidad predeterminada es privada. 
Para cambiar la visibilidad o establecer permisos de acceso, consulta Configurar la visibilidad y el control de accesos de un paquete. Para obtener más información sobre cómo vincular un paquete publicado con un repositorio, consulta Conectar un repositorio a un paquete. + +Puede conectar un paquete a un repositorio tan pronto como el paquete se publique mediante la inclusión de un campo repository en el archivo package.json. También puede usar este método para conectar varios paquetes al mismo repositorio. Para más información, consulta Publicación de varios paquetes en el mismo repositorio. + +Nota: + +Si publicas un paquete vinculado a un repositorio, el paquete hereda automáticamente los permisos de acceso del repositorio vinculado y los flujos de trabajo de GitHub Actions en el repositorio vinculado automáticamente obtienen acceso al paquete, a menos que la organización haya deshabilitado la herencia automática de los permisos de acceso. Para más información, consulta Configurar la visibilidad y el control de accesos de un paquete. + +Puede configurar la asignación de ámbito del proyecto si usa un archivo .npmrc local en el proyecto o la opción publishConfig en package.json. GitHub Packages solo admite paquetes npm con alcance definido. Los paquetes con ámbito tienen nombres con el formato @NAMESPACE/PACKAGE-NAME. Los paquetes con ámbito siempre comienzan con un símbolo @. Es posible que tenga que actualizar el nombre en package.json para usar el nombre con ámbito. Por ejemplo, si eres el usuario octocat y el paquete se llama test, asignarías el nombre del paquete con alcance de la siguiente manera: "name": "@octocat/test". + +Después de que publiques un paquete, puedes verlo en GitHub. Para más información, consulta Visualizar paquetes. + +Publicación de un paquete mediante un archivo .npmrc local +Puede usar un archivo .npmrc para configurar la asignación de ámbito del proyecto. 
En el archivo .npmrc, usa la URL y el propietario de la cuenta de GitHub Packages para que GitHub Packages sepa a dónde dirigir las solicitudes de paquete. El uso de un archivo .npmrc evita que otros desarrolladores publiquen accidentalmente el paquete en npmjs.org en lugar de GitHub Packages. + +Autentícate en GitHub Packages. Para obtener más información, consulta Autenticación en GitHub Packages. + +En el mismo directorio que el archivo package.json, crea o edita un archivo .npmrc para incluir una línea que especifique la URL de GitHub Packages y el espacio de nombres donde se hospeda el paquete. Reemplaza NAMESPACE por el nombre de la cuenta de usuario u organización a la que se limitará el paquete. + +@NAMESPACE:registry=https://npm.pkg.github.com +Agregue el archivo .npmrc al repositorio donde GitHub Packages pueda encontrar el proyecto. Para más información, consulta Agregar un archivo a un repositorio. + +Compruebe el nombre del paquete en el archivo package.json del proyecto. El campo name debe contener el ámbito y el nombre del paquete. Por ejemplo, si tu paquete se llama "test" y vas a publicarlo en la organización "My-org" de GitHub, el campo name en tu package.json debe ser @my-org/test. + +Comprueba el campo repository en package.json del proyecto. El campo repository debe coincidir con la URL del repositorio GitHub. Por ejemplo, si la URL del repositorio es github.com/my-org/test, el campo del repositorio debe ser https://github.com/my-org/test.git. + +Publique el paquete: + +npm publish +Publicación de un paquete mediante publishConfig en el archivo package.json +Puede usar el elemento publishConfig en el archivo package.json para especificar el registro donde quiere publicar el paquete. Para más información, consulta publishConfig en la documentación de npm. + +Edite el archivo package.json del paquete e incluya una entrada publishConfig. 
+ +"publishConfig": { + "registry": "https://npm.pkg.github.com" +}, +Comprueba el campo repository en package.json del proyecto. El campo repository debe coincidir con la URL del repositorio GitHub. Por ejemplo, si la URL del repositorio es github.com/my-org/test, el campo del repositorio debe ser https://github.com/my-org/test.git. + +Publique el paquete: + +npm publish +Publicar múltiples paquetes en el mismo repositorio +Para publicar varios paquetes y vincularlos al mismo repositorio, puedes incluir la URL del repositorio GitHub en el campo repository del archivo package.json de cada paquete. Para más información, consulta Creación de un archivo package.json y Creación de módulos de Node.js en la documentación de npm. + +Para asegurarte de que la URL del repositorio sea correcta, reemplaza REPOSITORY por el nombre del repositorio que contiene el paquete que deseas publicar y OWNER por el nombre de la cuenta personal o de organización en GitHub que posee el repositorio. + +GitHub Packages coincidirá con el repositorio en función de la dirección URL. + +"repository":"https://github.com/OWNER/REPOSITORY", +Instalación de un paquete +Puede instalar paquetes desde GitHub Packages si los agrega como dependencias en el archivo package.json del proyecto. Para más información sobre el uso de package.json en el proyecto, consulta Trabajo con package.json en la documentación de npm. + +Por defecto, puedes agregar paquetes de una organización. Para más información, consulta Instalación de paquetes de otras organizaciones. + +También tendrá que agregar el archivo .npmrc al proyecto para que todas las solicitudes de instalación de paquete pasen por GitHub Packages. Al enrutar todas las solicitudes de paquete por medio de GitHub Packages, puedes usar paquetes con ámbito y sin ámbito de npmjs.org. Para más información, consulta npm-scope en la documentación de npm. + +Autentícate en GitHub Packages. Para obtener más información, consulta Autenticación en GitHub Packages. 
+ +En el mismo directorio que el archivo package.json, crea o edita un archivo .npmrc para incluir una línea que especifique la URL de GitHub Packages y el espacio de nombres donde se hospeda el paquete. Reemplaza NAMESPACE por el nombre de la cuenta de usuario u organización a la que se limitará el paquete. + +@NAMESPACE:registry=https://npm.pkg.github.com +Agregue el archivo .npmrc al repositorio donde GitHub Packages pueda encontrar el proyecto. Para más información, consulta Agregar un archivo a un repositorio. + +Configura package.json en tu proyecto para utilizar el paquete que estás instalando. Para agregar las dependencias de paquete al archivo package.json para GitHub Packages, especifique el nombre del paquete de ámbito completo, por ejemplo, @my-org/server. Para los paquetes de npmjs.com, especifique el nombre completo, como @babel/core o lodash. Reemplaza ORGANIZATION_NAME/PACKAGE_NAME con la dependencia del paquete. + +{ + "name": "@my-org/server", + "version": "1.0.0", + "description": "Server app that uses the ORGANIZATION_NAME/PACKAGE_NAME package", + "main": "index.js", + "author": "", + "license": "MIT", + "dependencies": { + "ORGANIZATION_NAME/PACKAGE_NAME": "1.0.0" + } +} +Instala el paquete. + +npm install +Instalar paquetes de otras organizaciones +Por defecto, solo puedes usar paquetes de GitHub Packages de una organización. Si quiere enrutar las solicitudes de paquete a varias organizaciones y usuarios, puede agregar líneas adicionales al archivo .npmrc, reemplazando NAMESPACE por el nombre de la cuenta personal u organización a la que se designa el ámbito del paquete. + +@NAMESPACE:registry=https://npm.pkg.github.com +@NAMESPACE:registry=https://npm.pkg.github.com From f25cf9391aee4ae42152d7babaa4aefcaa01afa6 Mon Sep 17 00:00:00 2001 
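Review bot: the file is named `npm,yml` (comma instead of dot) and, like the previous commit, contains documentation prose rather than YAML, so it needs renaming to a `.md` path. The authentication text conflates two different files: the token line `//npm.pkg.github.com/:_authToken=TOKEN` is meant for the user-level `~/.npmrc`, while the project `.npmrc` that later steps say to add to the repository should carry only `@NAMESPACE:registry=https://npm.pkg.github.com`; as written ("edita el archivo ~/.npmrc del proyecto") a reader could commit a personal access token. Two further inconsistencies in the examples: the `package.json` dependency `"ORGANIZATION_NAME/PACKAGE_NAME"` lacks the `@` prefix that the text itself says every scoped package name starts with (it should read `"@ORGANIZATION_NAME/PACKAGE_NAME"`), and the final `.npmrc` example repeats `@NAMESPACE:registry=https://npm.pkg.github.com` twice with the same placeholder, so it should use two distinct namespaces to show routing to multiple organizations.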
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:45:43 -0600 Subject: [PATCH 028/103] Add EthicalCheck workflow for API security testing This workflow integrates EthicalCheck for automated API security testing, including triggers for push and pull requests on the main branch, and a scheduled run. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/ethicalcheck.yml | 69 ++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 .github/workflows/ethicalcheck.yml diff --git a/.github/workflows/ethicalcheck.yml b/.github/workflows/ethicalcheck.yml new file mode 100644 index 00000000..4e6e6572 --- /dev/null +++ b/.github/workflows/ethicalcheck.yml 
@@ -0,0 +1,69 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# EthicalCheck addresses the critical need to continuously security test APIs in development and in production. + +# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. +# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. + +# You develop the application and API, we bring complete and continuous security testing to you, accelerating development. + +# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service. + +# How EthicalCheck works? +# EthicalCheck functions in the following simple steps. +# 1. Security Testing. +# Provide your OpenAPI specification or start with a public Postman collection URL. +# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing. +# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc. + +# 2. Reporting. +# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities. +# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging. 
+ + +# This is a starter workflow to help you get started with EthicalCheck Actions + +name: EthicalCheck-Workflow + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the "main" branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '17 4 * * 6' + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +permissions: + contents: read + +jobs: + Trigger_EthicalCheck: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - name: EthicalCheck Free & Automated API Security Testing Service + uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641 + with: + # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. + oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" + # The email address to which the penetration test report will be sent. + email: "xxx@apisec.ai" + sarif-result-file: "ethicalcheck-results.sarif" + + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ./ethicalcheck-results.sarif + From b89cf666890cce93e5de0f211ccb9a93e7f21d7f Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:47:21 -0600 Subject: [PATCH 029/103] Add JFrog SAST scan workflow @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/jfrog-sast.yml | 54 ++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/jfrog-sast.yml diff --git a/.github/workflows/jfrog-sast.yml b/.github/workflows/jfrog-sast.yml new file mode 100644 index 00000000..1cb7e1a6 --- /dev/null 
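Review bot: the scan target and report recipient are still the vendor's sample values, `oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"` and `email: "xxx@apisec.ai"`, so on every push and pull request to main (and the weekly cron) this job would run a DAST scan against a host this repository does not own and mail the report to a placeholder address; replace both with this project's own OpenAPI spec URL and a team mailbox before merging, or reduce `on:` to `workflow_dispatch` until that is done. Pinning `apisec-inc/ethicalcheck-action` to a full commit SHA is the right pattern for an uncertified third-party action; keep it.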
+++ b/.github/workflows/jfrog-sast.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# JFrog SAST performs 1st party source code security analysis +# For more information, see +# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast + +name: "JFrog SAST Scan" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '29 3 * * 4' + +env: + # [Mandatory] + # JFrog platform URL and access token for + # a JFrog platform instance with active + # JFrog Advanced Security subscription + JF_URL: ${{ secrets.JF_URL }} + JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + + - name: Install and configure JFrog CLI + run: | + npm install -g jfrog-cli-v2-jf + echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin + + - name: Run JFrog SAST + run: | + jf audit --sast --format=sarif > jfrog_sast.sarif + + + - name: Upload output to generate autofix + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: jfrog_sast.sarif From d56466854d5531144ff7de550a7f88a061f3e340 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:48:20 -0600 Subject: [PATCH 030/103] Add Mayhem for API workflow configuration @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/mayhem-for-api.yml | 64 ++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 .github/workflows/mayhem-for-api.yml 
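Review bot: `npm install -g jfrog-cli-v2-jf` installs whatever version of the CLI npm serves at run time, so an unpinned, uncertified tool is pulled into a job that holds `JF_TOKEN`; pin an exact version. `JF_URL` and `JF_TOKEN` are declared in the workflow-level `env:` block, which exposes the access token to the checkout and setup-node steps that do not need it; move them into the `env:` of the two steps that use them. Finally, if `jf audit --sast --format=sarif > jfrog_sast.sarif` exits non-zero the job stops there and the upload step never runs, so decide explicitly whether findings should block (leave as is and document it) or should only surface in Code Scanning (add `if: always()` to the upload step).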
diff --git a/.github/workflows/mayhem-for-api.yml b/.github/workflows/mayhem-for-api.yml new file mode 100644 index 00000000..bd4405aa --- /dev/null +++ b/.github/workflows/mayhem-for-api.yml 
@@ -0,0 +1,64 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API +# to find reliability, performance and security issues before they reach +# production. +# +# To use this workflow, you will need to: +# +# 1. Create a Mayhem account at https://app.mayhem.security +# +# 2. Create an API token at https://app.mayhem.security/-/settings/user/api-tokens +# +# 3. Add the API token as a secret in GitHub called "MAYHEM_TOKEN" +# +# 4. Update the "Start your API" step to run your API in the background before +# starting the Mayhem for API scan, and update the `api-url` & `api-spec` +# field. +# +# If you have any questions, please contact us at mayhem4api@forallsecure.com + +name: "Mayhem for API" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + +jobs: + mayhem-for-api: + name: Mayhem for API + # Mayhem for API runs on linux, mac and windows + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v4 + + # Run your API in the background. Ideally, the API would run in debug + # mode & send stacktraces back on "500 Internal Server Error" responses + # (don't do this in production though!) + - name: Start your API + run: ./run_your_api.sh & # <- ✏️ update this + + - name: Mayhem for API + uses: ForAllSecure/mapi-action@v1 + continue-on-error: true + with: + mayhem-token: ${{ secrets.MAYHEM_TOKEN }} + api-url: http://localhost:8080 # <- ✏️ update this + api-spec: http://localhost:8080/openapi.json # <- ✏️ update this + duration: 60 + sarif-report: mapi.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: mapi.sarif 
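Review bot: `run: ./run_your_api.sh &` is the vendor's placeholder and no such script is added in this patch, yet because the command is backgrounded with `&` the step succeeds even when the script does not exist; the only failure signal would be Mayhem being unable to reach `api-url: http://localhost:8080`, and that step carries `continue-on-error: true`, so as committed the job goes green on every push and PR without ever scanning anything. Replace the start command, `api-url` and `api-spec` with this project's real values, and consider dropping `continue-on-error` until the scan is known to work. `ForAllSecure/mapi-action@v1` is also pinned to a mutable tag while the rest of this series pins third-party actions to commit SHAs; use the SHA here too.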
From b1ad600ba2af6d256cd2d6d608d35d2765b569d4 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:49:04 -0600 Subject: [PATCH 031/103] Add MobSF workflow for mobile security scanning This workflow automates the MobSF security scanning process on push and pull request events to the main branch, and schedules a weekly scan. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/mobsf.yml | 43 +++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/mobsf.yml diff --git a/.github/workflows/mobsf.yml b/.github/workflows/mobsf.yml new file mode 100644 index 00000000..fe7f5e9a --- /dev/null +++ b/.github/workflows/mobsf.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '17 13 * * 1' + +permissions: + contents: read + +jobs: + mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Setup python + uses: actions/setup-python@v3 + with: + python-version: 3.8 + + - name: Run mobsfscan + uses: MobSF/mobsfscan@a60d10a83af68e23e0b30611c6515da604f06f65 + with: + args: . --sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 9300c2f270e51b71a25d4cff54af2dd1f02ccbb2 Mon Sep 17 00:00:00 2001 
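Review bot: `args: . --sarif --output results.sarif || true` deliberately swallows mobsfscan's exit status, so findings never fail the job and the only signal is what the upload step sends to the Code Scanning tab; if that is the intent, say so in a comment, and if findings should block PRs, drop the `|| true`. Separately, `actions/setup-python@v3` with `python-version: 3.8` pins an interpreter that is end-of-life and an older action major than the `@v4` actions used elsewhere in this series; bump the action and pick a supported Python version.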
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:49:51 -0600 Subject: [PATCH 032/103] Add NeuraLegion workflow for security scanning @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/neuralegion.yml | 175 ++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 .github/workflows/neuralegion.yml diff --git a/.github/workflows/neuralegion.yml b/.github/workflows/neuralegion.yml new file mode 100644 index 00000000..a236a4a3 --- /dev/null +++ b/.github/workflows/neuralegion.yml 
@@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. 
+# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. 
This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '18 16 * * 4' + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v4 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan From 95d0bb1cad6b05a13b920c64851e29e478c616fc Mon Sep 17 00:00:00 2001 
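Review bot: `runs-on: ubuntu-18.04` names a hosted runner image that GitHub has retired, so this job will not be scheduled at all; use `ubuntu-latest` like the other workflows in this series. The embedded README refers to `secrets.NEXPLOIT_TOKEN` throughout while the job actually reads `${{ secrets.NEURALEGION_TOKEN }}`; pick one secret name and document it. The crawl target `crawler_urls: | [ "https://brokencrystals.com" ]` is the vendor's public demo site, so as committed every push, PR and weekly cron would run a DAST scan against a third party; replace it with this project's own staging URL before merging. The copied product README at the top of the file (marketing text, all inputs and outputs, two full usage examples) is far more than this job uses; trim it to the inputs actually set here.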
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:50:34 -0600 Subject: [PATCH 033/103] Add NowSecure Mobile SBOM workflow This workflow automates the generation of a Software Bill of Materials (SBOM) for mobile applications using NowSecure. It includes steps for checking out code, building the application, and uploading the app to NowSecure. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/nowsecure-mobile-sbom.yml | 55 +++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/nowsecure-mobile-sbom.yml diff --git a/.github/workflows/nowsecure-mobile-sbom.yml b/.github/workflows/nowsecure-mobile-sbom.yml new file mode 100644 index 00000000..c4d7df04 --- /dev/null +++ b/.github/workflows/nowsecure-mobile-sbom.yml 
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer, +# you can find it in NowSecure Platform. +# +# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Dependency graph" tab in the "Insights" pane once the action has run. + +name: "NowSecure Mobile SBOM" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '26 22 * * 1' + +permissions: + contents: read + +jobs: + nowsecure: + name: NowSecure Mobile SBOM + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: NowSecure upload app + uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID From c4ac27a6dff62229e6d67b083b92cb2c4cd9dacf Mon Sep 17 00:00:00 2001 
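Review bot: `group_id: {{ groupId }}` is a template placeholder rather than a string value or a `${{ }}` expression, so the `with:` block is not usable as written; replace it with the Platform group ID, preferably from a repository variable or secret rather than hard-coded. `./gradlew assembleDebug` and `app_file: app-debug.apk` likewise assume an Android Gradle project that this patch does not set up (no JDK or Gradle setup step precedes the build). The header comments also carry empty references left over from stripped links (`NowSecure: The Mobile Security Experts .` and `click here to sign up for a free trial to get access: .`); restore the URLs or delete those lines.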
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:51:30 -0600 Subject: [PATCH 034/103] Create nowsecure.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/nowsecure.yml | 52 +++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/nowsecure.yml diff --git a/.github/workflows/nowsecure.yml b/.github/workflows/nowsecure.yml new file mode 100644 index 00000000..312ac2f0 --- /dev/null +++ b/.github/workflows/nowsecure.yml 
@@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: "NowSecure" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + nowsecure: + name: NowSecure + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: Run NowSecure + uses: nowsecure/nowsecure-action@3b439db31b6dce857b09f5222fd13ffc3159ad26 + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: NowSecure.sarif From cc4fff77c9ac64ca4f55852c59b4780ce3ba4466 Mon Sep 17 00:00:00 2001 
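Review bot: the job declares no `permissions:` block, yet its last step is `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`; every other SARIF-uploading workflow in this series grants that explicitly (with `contents: read` and `actions: read`), so add the same block here instead of relying on the repository's default `GITHUB_TOKEN` permissions, which may be read-only. The same `group_id: {{ groupId }}` placeholder and stripped-link comment lines (`NowSecure: The Mobile Security Experts .`, `click here to contact us for licensing and pricing details: .`) as in the SBOM workflow need fixing before merge.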
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:52:13 -0600 Subject: [PATCH 035/103] Create osv-scanner.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/osv-scanner.yml | 48 +++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/osv-scanner.yml diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml new file mode 100644 index 00000000..7d1ce2ff --- /dev/null +++ b/.github/workflows/osv-scanner.yml 
@@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities, +# in addition to a PR check which fails if new vulnerabilities are introduced. +# +# For more examples and options, including how to ignore specific vulnerabilities, +# see https://google.github.io/osv-scanner/github-action/ + +name: OSV-Scanner + +on: + pull_request: + branches: [ "main" ] + merge_group: + branches: [ "main" ] + schedule: + - cron: '22 23 * * 4' + push: + branches: [ "main" ] + +permissions: + # Require writing security events to upload SARIF file to security tab + security-events: write + # Read commit contents + contents: read + +jobs: + scan-scheduled: + if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + with: + # Example of specifying custom arguments + scan-args: |- + -r + --skip-git + ./ + scan-pr: + if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + with: + # Example of specifying custom arguments + scan-args: |- + -r + --skip-git + ./ From 4eb3e6554d8e9d4acb86384b1c7087d9fce7525e Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:53:02 -0600 Subject: [PATCH 036/103] Create semgrep.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/semgrep.yml | 49 +++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/semgrep.yml 
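Review bot: the job named `scan-scheduled` also runs on every `push` to main (`if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}`), so the name under-describes it; rename it or add a comment so the next reader does not have to parse the condition. Otherwise this is the cleanest workflow in the series: both reusable workflows are pinned to a commit SHA with the release noted beside it (`# v1.7.1`) and the top-level `permissions:` grants only `security-events: write` and `contents: read`, a pattern the other third-party workflows here should copy.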
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 00000000..80130947 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. +# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '15 12 * * 5' + +permissions: + contents: read + +jobs: + semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v4 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@fcd5ab7459e8d91cb1777481980d1b18b4fc6735 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: semgrep.sarif + if: always() From 44bcdb2e5f1ed50d6de51c7e2280922eeff954a1 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:53:39 -0600 Subject: [PATCH 037/103] Create snyk-security.yml @gniumg-source 
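Review bot: the scan step reads `secrets.SEMGREP_APP_TOKEN` and `secrets.SEMGREP_DEPLOYMENT_ID`, but the header comment only says the file "requires a free account on Semgrep.dev"; name the two secrets there (and in the commit message) so whoever enables the workflow knows what to configure. Note also that if the scan step fails before writing `semgrep.sarif`, the `if: always()` upload step fails a second time looking for a file that was never written, which is noisy but acceptable; a short comment explaining why `always()` is wanted would help. Pinning `returntocorp/semgrep-action` to a commit SHA is the right call for a third-party action.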
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/snyk-security.yml | 79 +++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 .github/workflows/snyk-security.yml diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml new file mode 100644 index 00000000..578dcae6 --- /dev/null +++ b/.github/workflows/snyk-security.yml 
@@ -0,0 +1,79 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, +# Snyk Container and Snyk Infrastructure as Code) +# The setup installs the Snyk CLI - for more details on the possible commands +# check https://docs.snyk.io/snyk-cli/cli-reference +# The results of Snyk Code are then uploaded to GitHub Security Code Scanning +# +# In order to use the Snyk Action you will need to have a Snyk API token. +# More details in https://github.com/snyk/actions#getting-your-snyk-token +# or you can signup for free at https://snyk.io/login +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Security + +on: + push: + branches: ["main" ] + pull_request: + branches: ["main"] + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. 
+ # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + + # For Snyk Open Source you must first set up the development environment for your application's dependencies + # For example for Node + #- uses: actions/setup-node@v4 + # with: + # node-version: 20 + + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Runs Snyk Code (SAST) analysis and uploads result into GitHub. + # Use || true to not fail the pipeline + - name: Snyk Code test + run: snyk code test --sarif > snyk-code.sarif # || true + + # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. + - name: Snyk Open Source monitor + run: snyk monitor --all-projects + + # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. + # Use || true to not fail the pipeline. + - name: Snyk IaC test and report + run: snyk iac test --report # || true + + # Build the docker image for testing + - name: Build a Docker image + run: docker build -t your/image-to-test . + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. + - name: Snyk Container monitor + run: snyk container monitor your/image-to-test --file=Dockerfile + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk-code.sarif From 5c99216d02bd6de3b5903c045dbc6940e4be6b2f Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:54:53 -0600 Subject: [PATCH 038/103] Create sonarcloud.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/sonarcloud.yml | 67 ++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 .github/workflows/sonarcloud.yml 
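Review bot: `run: snyk code test --sarif > snyk-code.sarif # || true` leaves the `|| true` commented out although the comment above recommends it, so a `snyk code test` that exits non-zero stops the job before the final `Upload result to GitHub Code Scanning` step and the SARIF never reaches the Security tab; either uncomment `|| true` and let Code Scanning be the gate, or add `if: always()` to the upload step, but choose deliberately. `docker build -t your/image-to-test .` and `snyk container monitor your/image-to-test --file=Dockerfile` are placeholders that assume a Dockerfile at the repository root, which this patch does not add, and `snyk monitor --all-projects` needs the project's toolchain installed first, which the commented-out `actions/setup-node@v4` block hints at; enable the setup and real image name, or remove the steps this project cannot run. Finally, `snyk monitor` and `snyk iac test --report` send project data to Snyk's service on every push and PR; that should be an explicit decision recorded in the header comment.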
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml new file mode 100644 index 00000000..07701bef --- /dev/null +++ b/.github/workflows/sonarcloud.yml 
@@ -0,0 +1,67 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. + +# 1. Login to SonarCloud.io using your GitHub account + +# 2. Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarCloud analysis + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarCloud + + # You can pin the exact commit or the version. 
+ # uses: SonarSource/sonarcloud-github-action@v2.2.0 + uses: SonarSource/sonarcloud-github-action@4006f663ecaf1f8093e8e4abb9227f6041f52216 + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the SonarScanner CLI + args: + # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false + # When you need the analysis to take place in a directory other than the one from which it was launched, default is . + projectBaseDir: . From 1f7a09f0d734d0c0929ceb4b7d52a07b646d27aa Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:55:31 -0600 Subject: [PATCH 039/103] Create sonarqube.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/sonarqube.yml | 66 +++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/sonarqube.yml diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml new file mode 100644 index 00000000..4f0ba20a --- /dev/null +++ b/.github/workflows/sonarqube.yml 
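Review bot: The `steps:` list of the `Analysis` job has no `actions/checkout` step before `Analyze with SonarCloud`, so the scanner runs in an empty workspace with nothing to analyze; add a checkout step ahead of it (and `contents: read` to the permissions block, which currently grants only `pull-requests: read`). The mandatory `-Dsonar.projectKey=` and `-Dsonar.organization=` arguments under `args:` are also left empty, so the action will fail on every run until both keys are filled in as the header comment (step 3a) describes.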
@@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarQube analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# (this feature is available starting from SonarQube 9.7, Developer Edition and above) + +# 1. Make sure you add a valid GitHub configuration to your SonarQube (Administration > DevOps platforms > GitHub) + +# 2. Import your project on SonarQube +# * Add your repository as a new project by clicking "Create project" from your homepage. +# +# 3. Select GitHub Actions as your CI and follow the tutorial +# * a. Generate a new token and add it to your GitHub repository's secrets using the name SONAR_TOKEN +# (On SonarQube, click on your avatar on top-right > My account > Security or ask your administrator) +# +# * b. Copy/paste your SonarQube host URL to your GitHub repository's secrets using the name SONAR_HOST_URL +# +# * c. Copy/paste the project Key into the args parameter below +# (You'll find this information in SonarQube by following the tutorial or by clicking on Project Information at the top-right of your project's homepage) + +# Feel free to take a look at our documentation (https://docs.sonarqube.org/latest/analysis/github-integration/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/sq/10) + +name: SonarQube analysis + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarQube to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarQube + + # You can pin the exact commit or the version. 
+ # uses: SonarSource/sonarqube-scan-action@v1.1.0 + uses: SonarSource/sonarqube-scan-action@7295e71c9583053f5bf40e9d4068a0c974603ec8 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on SonarQube, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} # add the URL of your instance to the secrets of this repo with the name SONAR_HOST_URL (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique key of your project. You can find it in SonarQube > [my project] > Project Information (top-right menu) + # mandatory + -Dsonar.projectKey= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false From 0a04742e44d07241e77259d5a5f18366a84be19d Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:56:04 -0600 Subject: [PATCH 040/103] Create stackhawk.yml @gniumg-source 
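Review bot: Same gap as in sonarcloud.yml: no checkout step precedes `Analyze with SonarQube`, and the mandatory `-Dsonar.projectKey=` is empty. This workflow also duplicates the sonarcloud.yml added in the previous patch; a repository is analyzed by either SonarCloud or a self-hosted SonarQube (`SONAR_HOST_URL`), so keep only the one matching the account and drop the other rather than carry a permanently failing check. Minor: the comment `# Additional arguments for the sonarcloud scanner` should say SonarQube.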
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/stackhawk.yml | 63 +++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/stackhawk.yml diff --git a/.github/workflows/stackhawk.yml b/.github/workflows/stackhawk.yml new file mode 100644 index 00000000..025d6ee9 --- /dev/null +++ b/.github/workflows/stackhawk.yml 
@@ -0,0 +1,63 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# 🦅 STACKHAWK https://stackhawk.com + +# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your +# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with +# StackHawk quickly. + +# To use this workflow, you must: +# +# 1. Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and +# create your first app and configuration file at https://app.stackhawk.com. +# +# 2. Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY. +# +# 3. Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory. +# +# 4. Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option +# (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan +# produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42 +# and trigger a Code Scanning alert with a link to your scan results. +# +# 5. Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to +# start your service so that it can be scanned with the "Run HawkScan" step. 
+ + +name: "StackHawk" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '20 20 * * 2' + +permissions: + contents: read + +jobs: + stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info + name: StackHawk + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Start your service + run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned + + - name: Run HawkScan + uses: stackhawk/hawkscan-action@4c3258cd62248dac6d9fe91dd8d45928c697dee0 + continue-on-error: true # ✏️ Set to false to break your build on scan errors + with: + apiKey: ${{ secrets.HAWK_API_KEY }} + codeScanningAlerts: true + githubToken: ${{ github.token }} From 6406009b00de86a592e43b2a8f03d88a8f57803a Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:56:56 -0600 Subject: [PATCH 041/103] Create synopsys-action.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/synopsys-action.yml | 41 +++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/synopsys-action.yml diff --git a/.github/workflows/synopsys-action.yml b/.github/workflows/synopsys-action.yml new file mode 100644 index 00000000..4700ca6e --- /dev/null +++ b/.github/workflows/synopsys-action.yml 
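Review bot: The `Start your service` step still runs the template placeholder `./your-service.sh &`; because the command is backgrounded, a missing script does not fail the step, so `Run HawkScan` proceeds with nothing listening, and with `continue-on-error: true` the job reports green regardless. Replace the placeholder with the real start command plus a readiness wait, and set `continue-on-error: false` once `hawk.failureThreshold` is configured in `stackhawk.yml` as setup step 4 describes; otherwise the exit code 42 path documented in the header never affects the build. Also confirm `stackhawk.yml` exists at the repository root (step 3), since this patch does not add it.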
@@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +name: Synopsys Security Testing + +on: + push: + # At this time, it is recommended to run Polaris only on pushes to main branches + # Pull request analysis will be supported by Polaris in the future + branches: [ "main" ] + + pull_request: + branches: [ "main" ] + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Synopsys Action + uses: synopsys-sig/synopsys-action@v1.6.0 + with: + #------------------------------------------COVERITY----------------------------------------- + coverity_url: ${{ secrets.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + + #------------------------------------------BLACKDUCK---------------------------------------- + blackduck_token: ${{ secrets.BLACKDUCK_API_TOKEN }} + blackduck_url: ${{ secrets.BLACKDUCK_URL }} + + #------------------------------------------POLARIS------------------------------------------ + polaris_server_url: ${{ secrets.POLARIS_SERVER_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_assessment_types: "SCA,SAST" + + From f3848cb5cfdb74b49b45356ed06aeb219755f7ae Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:57:52 -0600 Subject: [PATCH 042/103] Create synopsys-io.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/synopsys-io.yml | 77 +++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 .github/workflows/synopsys-io.yml diff --git a/.github/workflows/synopsys-io.yml b/.github/workflows/synopsys-io.yml new file mode 100644 index 00000000..7ea2d1fc --- /dev/null +++ b/.github/workflows/synopsys-io.yml 
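Review bot: `uses: synopsys-sig/synopsys-action@v1.6.0` pins a mutable tag while every other workflow in this series pins a full commit SHA; pin the SHA here too so the action cannot change underneath the tag. The `with:` block configures Coverity, Black Duck and Polaris at once from seven different secrets; unless all three products are licensed, remove the unused sections instead of leaving them as empty inputs. The job grants only `contents: read` and has no SARIF upload step, so if results are expected in code scanning alerts, `security-events: write` and an upload step are missing.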
@@ -0,0 +1,77 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Synopsys Intelligent Security Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '17 8 * * 6' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@9ea442b34409737f64743781e9adc71fd8e17d38 + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" 
--blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@48eedfcd42bc342a294dc495ac452797b2d9ff08 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json From 933a6f4bc8b8f6fdef134b7d14a0bb05a0be28a1 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:58:27 -0600 Subject: [PATCH 043/103] Create sysdig-scan.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/sysdig-scan.yml | 62 +++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/sysdig-scan.yml diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml new file mode 100644 index 00000000..5ca71fca --- /dev/null +++ b/.github/workflows/sysdig-scan.yml 
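Review bot: `additionalWorkflowArgs` in the `WORKFLOW` stage still carries the unfilled template placeholders `{{PROJECT_NAME}}` and `{{PROJECT_VERSION}}` (`--polaris.project.name={{PROJECT_NAME}}`, `--blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}}`), which are passed to the scanners literally. The `Static Analysis with Polaris` step fetches `polaris_cli-linux64.zip` from the server URL with `wget -q` and executes `/tmp/polaris` with no version pin or checksum check, so the tool that runs is whatever the server serves at that moment; it also expands `${{ secrets.POLARIS_SERVER_URL }}` and `${{ secrets.POLARIS_ACCESS_TOKEN }}` directly into the `run:` script body, where `env:` is the safer way to hand secrets to a shell step. Minor: two steps share the name `Synopsys Intelligent Security Scan`, which makes the run log ambiguous.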
@@ -0,0 +1,62 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '26 21 * * 5' + +permissions: + contents: read + +jobs: + + build: + + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. 
Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v3 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }} From 72d8651be9f753b051f41e45fd60305e4fab9163 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 08:59:46 -0600 Subject: [PATCH 044/103] Create veracode.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/veracode.yml | 59 ++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/veracode.yml diff --git a/.github/workflows/veracode.yml b/.github/workflows/veracode.yml new file mode 100644 index 00000000..3a362da4 --- /dev/null +++ b/.github/workflows/veracode.yml 
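Review bot: `sysdig-secure-url: https://us2.app.sysdig.com` hard-codes the US-West endpoint; per the comment above it, this must match the region of the account that issued `SYSDIG_SECURE_TOKEN` or authentication fails. `ignore-failed-scan: true` means a policy failure never fails the job, so the only signal is the SARIF upload (correctly run with `if: always()`); if the scan is meant to gate merges, set it to false. The build step assumes a `Dockerfile` at the repository root, which this series does not add, and `run-as-user: root` is required by the inline scanner as the comment notes, so the scanner executes as root on the runner.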
@@ -0,0 +1,59 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert + +name: Veracode Static Analysis Pipeline Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '23 20 * * 3' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +permissions: + contents: read + +jobs: + # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter + build-and-pipeline-scan: + # The type of runner that the job will run on + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. 
Replace this section with your applications build steps + - uses: actions/checkout@v4 + with: + repository: '' + + - run: zip -r veracode-scan-target.zip ./ + + # download the Veracode Static Analysis Pipeline scan jar + - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + - run: unzip -o pipeline-scan-LATEST.zip + + - uses: actions/setup-java@v4 + with: + java-version: 8 + distribution: 'temurin' + - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip + continue-on-error: true + - name: Convert pipeline scan output to SARIF format + id: convert + uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be + with: + pipeline-results-json: results.json + - uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif From d3b9747616a6099074074eb5cea58addda300de2 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:00:22 -0600 Subject: [PATCH 045/103] Create xanitizer.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/xanitizer.yml | 100 ++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 .github/workflows/xanitizer.yml diff --git a/.github/workflows/xanitizer.yml b/.github/workflows/xanitizer.yml new file mode 100644 index 00000000..2ab4cb5c --- /dev/null +++ b/.github/workflows/xanitizer.yml 
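Review bot: `zip -r veracode-scan-target.zip ./` archives the entire checkout, including `.git` and the workflow files, rather than a built artifact; the comment directly above says to replace this section with the application's build steps, and that still needs doing. The scanner is fetched with `curl ... -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip` and run with no version pin or checksum, so each run executes whatever is currently published as LATEST. `with: repository: ''` on `actions/checkout@v4` is a no-op and can be dropped. `continue-on-error: true` on the `java -jar pipeline-scan.jar` step is needed so the SARIF is still uploaded, but it also means `--fail_on_severity="Very High, High"` never blocks the build; decide which behaviour is intended.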
@@ -0,0 +1,100 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, +# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. +# +# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action +# +# To use this basic workflow, you will need to complete the following setup steps: +# +# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. +# Licenses are free of charge for open source projects and for educational usage. +# To get more information about the Xanitizer licenses and how to obtain a license file, +# please consult https://www.xanitizer.com/xanitizer-pricing/. +# +# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. +# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. +# +# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. +# Example: +# - name: Xanitizer Security Analysis +# uses: RIGS-IT/xanitizer-action@v1 +# with: +# license: ${{ secrets.XANITIZER_LICENSE }} +# +# 4. As a static application security testing (SAST) tool, +# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. +# So you have to install all used libraries and build your project before running the security analysis, +# e.g. 
via `mvn compile` for Java or `npm install` for JavaScript + +name: "Xanitizer Security Analysis" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '38 12 * * 5' + workflow_dispatch: + +permissions: + contents: read + +jobs: + xanitizer-security-analysis: + # Xanitizer runs on ubuntu-latest and windows-latest. + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + # Check out the repository + - name: Checkout + uses: actions/checkout@v4 + + # Set up the correct Java version for your project + # Please comment out, if your project does not contain Java source code. + - name: Set up JDK 11 + uses: actions/setup-java@v4 + with: + java-version: 11 + distribution: 'temurin' + + # Compile the code for Java projects and get all libraries, e.g. via Maven + # Please adapt, if your project uses another build system to compile Java source code. + # Please comment out, if your project does not contain Java source code. + - name: Compile Java code + run: mvn -B compile + + # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm + # Please adapt to run `npm install` in the correct directories. + # Please adapt, if your project uses another package manager for getting JavaScript libraries. + # Please comment out, if your project does not use a package manager for getting JavaScript libraries. 
+ - name: Install JavaScript libraries + run: npm install + + # Run the security analysis with default settings + - name: Xanitizer Security Analysis + uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 + with: + license: ${{ secrets.XANITIZER_LICENSE }} + + # Archiving the findings list reports + - uses: actions/upload-artifact@v4 + with: + name: Xanitizer-Reports + path: | + *-Findings-List.pdf + *-Findings-List.sarif + + # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: Xanitizer-Findings-List.sarif From 58366f3db9f8aa76bffc641081ffbabea38deb62 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:00:59 -0600 Subject: [PATCH 046/103] Create zscan.yml Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/zscan.yml | 60 +++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/zscan.yml diff --git a/.github/workflows/zscan.yml b/.github/workflows/zscan.yml new file mode 100644 index 00000000..0c35e171 --- /dev/null +++ b/.github/workflows/zscan.yml 
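Review bot: `Compile Java code` (`mvn -B compile`) and `Install JavaScript libraries` (`npm install`) both run unconditionally, while the comments above them say to comment out whichever does not apply; on a repository without both a `pom.xml` and a `package.json` the job fails before the Xanitizer step runs. Guard each with a file-existence check or delete the one that does not apply. The `upload-sarif` step hard-codes `Xanitizer-Findings-List.sarif` while the artifact step globs `*-Findings-List.sarif`; confirm the report name the action writes matches the hard-coded path.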
@@ -0,0 +1,60 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) +# and identifies security, privacy, and compliance-related vulnerabilities. ​ +# +# Prerequisites: +# * An active Zimperium zScan account is required. If you are not an existing Zimperium +# zScan customer, please request a zSCAN demo by visiting https://www.zimperium.com/contact-us. +# * Either GitHub Advanced Security (GHAS) or a public repository is required to display +# issues and view the remediation information inside of GitHub code scanning alerts.​ +# +# For additional information and setup instructions +# please visit: https://github.com/Zimperium/zScanMarketplace#readme + +name: "Zimperium zScan" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +permissions: + contents: read + +jobs: + zscan: + name: zScan + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Execute gradle build + run: ./gradlew build # Change this to build your mobile application + + - name: Run Zimperium zScan + uses: zimperium/zscanmarketplace@bfc6670f6648d796098c251ccefcfdb98983174d + timeout-minutes: 60 + with: + # REPLACE: Zimperium Client Environment Name + client_env: env_string + # REPLACE: Zimperium Client ID + client_id: id_string + # REPLACE: Zimperium Client Secret + client_secret: ${{ secrets.ZSCAN_CLIENT_SECRET }} + # REPLACE: The path to an .ipa or .apk + app_file: app-release-unsigned.apk + + - name: Upload SARIF file + 
uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: Zimperium.sarif From 652ace6aa3bd9dc4b79919e1e6e6ce538a2feb67 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:01:38 -0600 Subject: [PATCH 047/103] Create anchore-syft.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/anchore-syft.yml | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/anchore-syft.yml diff --git a/.github/workflows/anchore-syft.yml b/.github/workflows/anchore-syft.yml new file mode 100644 index 00000000..85249e2c --- /dev/null +++ b/.github/workflows/anchore-syft.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency +# submission API. + +# For more information on the Anchore sbom-action usage +# and parameters, see https://github.com/anchore/sbom-action. For more +# information about the Anchore SBOM tool, Syft, see +# https://github.com/anchore/syft +name: Anchore Syft SBOM scan + +on: + push: + branches: [ "main" ] + +permissions: + contents: write + +jobs: + Anchore-Build-Scan: + permissions: + contents: write # required to upload to the Dependency submission API + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v4 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Scan the image and upload dependency results + uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a + with: + image: "localbuild/testimage:latest" + artifact-name: image.spdx.json + dependency-snapshot: true 
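Review bot: In the zscan.yml hunk, `client_env: env_string` and `client_id: id_string` are still the template's `REPLACE` placeholders, so the action cannot authenticate; only `client_secret` was wired to a secret. `app_file: app-release-unsigned.apk` also has to match what `./gradlew build` actually produces, and neither a Gradle wrapper nor a mobile project is part of this series, so every push to `main` will run a failing job until these are filled in.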
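Review bot: In the anchore-syft.yml hunk, `permissions: contents: write` is declared at the workflow level as well as on the `Anchore-Build-Scan` job; the job-level grant is all the Dependency submission API needs, and the workflow-level one hands write access to any job added later. Keep it job-scoped. Minor: the header comment calls this a "container image scan", but `anchore/sbom-action` with `dependency-snapshot: true` generates and submits an SBOM; vulnerability findings come from the Grype workflow in the next patch, so reword to avoid implying this job reports vulnerabilities.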
From a34ce11534d2f4bebb4a3a4e78bcb9fe4372e300 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:02:24 -0600 Subject: [PATCH 048/103] Create anchore.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/anchore.yml | 48 +++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/anchore.yml diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml new file mode 100644 index 00000000..8719e75f --- /dev/null +++ b/.github/workflows/anchore.yml 
@@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security +# code scanning feature. For more information on the Anchore scan action usage +# and parameters, see https://github.com/anchore/scan-action. For more +# information on Anchore's container image scanning tool Grype, see +# https://github.com/anchore/grype +name: Anchore Grype vulnerability scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '31 18 * * 4' + +permissions: + contents: read + +jobs: + Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - name: Check out the code + uses: actions/checkout@v4 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: scan + with: + image: "localbuild/testimage:latest" + fail-build: true + severity-cutoff: critical + - name: Upload vulnerability report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} From 715011498ef5747f643d91eebc205b8510417088 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:03:19 -0600 Subject: [PATCH 049/103] Create bandit.yml @gniumg-source 
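Review bot: `fail-build: true` with `severity-cutoff: critical` makes the `Run the Anchore Grype scan action` step fail whenever a critical finding exists, and because `Upload vulnerability report` has no `if: always()`, the SARIF upload is skipped in exactly that case, so the findings that fail the build never reach code scanning alerts. Add `if: always()` to the upload step (as sysdig-scan.yml in this series does) or set `fail-build: false` and gate on the alerts instead. The build step also assumes a `Dockerfile` at the repository root.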
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/bandit.yml | 52 ++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/bandit.yml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml new file mode 100644 index 00000000..ecb1f200 --- /dev/null +++ b/.github/workflows/bandit.yml 
@@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Bandit is a security linter designed to find common security issues in Python code. +# This action will run Bandit on your codebase. +# The results of the scan will be found under the Security tab of your repository. + +# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname +# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA + +name: Bandit +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '41 2 * * 1' + +jobs: + bandit: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Bandit Scan + uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd + with: # optional arguments + # exit with 0, even with results found + exit_zero: true # optional, default is DEFAULT + # Github token of the repository (automatically created by Github) + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. + # File or directory to run bandit on + # path: # optional, default is . + # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) + # level: # optional, default is UNDEFINED + # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. 
Default is UNDEFINED (everything) + # confidence: # optional, default is UNDEFINED + # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) + # excluded_paths: # optional, default is DEFAULT + # comma-separated list of test IDs to skip + # skips: # optional, default is DEFAULT + # path to a .bandit file that supplies command line arguments + # ini_path: # optional, default is DEFAULT + From bdd8da2abd246c1f3ec3a8cbbe919c2bb5818d6f Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:03:59 -0600 Subject: [PATCH 050/103] Create brakeman.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/brakeman.yml | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/brakeman.yml diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml new file mode 100644 index 00000000..7074345d --- /dev/null +++ b/.github/workflows/brakeman.yml 
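Review bot: `exit_zero: true` makes this a report-only workflow, so Bandit findings never block a push or pull request; combined with `level` and `confidence` left at UNDEFINED, every LOW/LOW finding is uploaded to code scanning. If the intent is a gate, drop `exit_zero`; if the intent is visibility only, consider setting `level: MEDIUM` (one of the commented options) so the Security tab is not flooded with low-severity noise. The `GITHUB_TOKEN` is handed to a third-party action here, which is acceptable only because the action is pinned by full SHA; keep it that way when updating.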
@@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Brakeman with GitHub's Code Scanning feature +# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications + +name: Brakeman Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '30 22 * * 5' + +permissions: + contents: read + +jobs: + brakeman-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Brakeman Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v4 + + # Customize the ruby version depending on your needs + - name: Setup Ruby + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + with: + ruby-version: '2.7' + + - name: Setup Brakeman + env: + BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ + run: | + gem install brakeman --version $BRAKEMAN_VERSION + + # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis + - name: Scan + continue-on-error: true + run: | + brakeman -f sarif -o output.sarif.json . + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: output.sarif.json From 4ff9640c4af2bde1424446dba76d60990ca87886 Mon Sep 17 00:00:00 2001 
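Review bot: `ruby-version: '2.7'` in the "Setup Ruby" step selects an end-of-life Ruby, and `BRAKEMAN_VERSION: '4.10'` pins a release from the first SARIF-capable line rather than a current one; both should be set to the versions the project actually uses and supports. Brakeman only analyzes Ruby on Rails applications, so if this repository is not a Rails app the scan will upload an empty SARIF every run. The `continue-on-error: true` on the "Scan" step is the right choice for keeping the "Upload SARIF" step reachable.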
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:04:59 -0600 Subject: [PATCH 051/103] Create clj-holmes.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/clj-holmes.yml | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .github/workflows/clj-holmes.yml diff --git a/.github/workflows/clj-holmes.yml b/.github/workflows/clj-holmes.yml new file mode 100644 index 00000000..7180fabf --- /dev/null +++ b/.github/workflows/clj-holmes.yml @@ -0,0 +1,44 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: clj-holmes + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '15 10 * * 0' + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-holmes scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Scan code + uses: clj-holmes/clj-holmes-action@200d2d03900917d7eb3c24fc691ab83579a87fcb + with: + # rules-repository: 'git://org/private-rules-repo#main' + output-type: 'sarif' + output-file: 'clj-holmes-results.sarif' + fail-on-result: 'false' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif + wait-for-processing: true From a62f97bb76d03f97979c9076042ffd6d89946d06 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:05:43 -0600 Subject: [PATCH 052/103] Create snyk-infrastructure.yml @gniumg-source 
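Review bot: `fail-on-result: 'false'` in the "Scan code" step means clj-holmes findings are never enforced, only reported; that is consistent with most of this series but should be a deliberate choice. clj-holmes scans Clojure source, so check that the repository contains Clojure before adding a weekly scheduled run that will otherwise produce nothing. The commented `rules-repository` line leaves the action on its default public rule set, which is fine, but note that the example value uses a `git://` URL scheme, which should be replaced with `https://` if a private rules repository is ever configured.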
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/snyk-infrastructure.yml | 54 +++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/snyk-infrastructure.yml diff --git a/.github/workflows/snyk-infrastructure.yml b/.github/workflows/snyk-infrastructure.yml new file mode 100644 index 00000000..d8ead9fb --- /dev/null +++ b/.github/workflows/snyk-infrastructure.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '16 18 * * 6' + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. 
+ # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk.sarif From 6984c1c22c9f88a65be386cd21bde76c6c061747 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:08:30 -0600 Subject: [PATCH 053/103] Create cloudrail.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/cloudrail.yml | 58 +++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/cloudrail.yml diff --git a/.github/workflows/cloudrail.yml b/.github/workflows/cloudrail.yml new file mode 100644 index 00000000..a4654584 --- /dev/null +++ b/.github/workflows/cloudrail.yml 
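Review bot: `file: your-file-to-test.yaml` is the template placeholder and has not been replaced with a real IaC path, so the Snyk step will fail on every run. Because the step has `continue-on-error: true`, that failure is masked and the job will instead fail later at "Upload result to GitHub Code Scanning" when `snyk.sarif` does not exist, which makes the root cause harder to spot. Point `file:` at an actual Kubernetes, Helm or Terraform file in the repository and confirm the `SNYK_TOKEN` secret is configured before merging.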
@@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Cloudrail + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '45 9 * * 4' + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v4 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif From f7a6546184df912e7d6c0270dea6f4c31b447b34 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:09:26 -0600 Subject: [PATCH 054/103] Create codescan.yml @gniumg-source 
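Review bot: the "Run Cloudrail" step sends `plan.out` to Indeni's SaaS (`cloudrail-api-key` requires registration at web.cloudrail.app), and a Terraform plan file contains fully resolved attribute values, which can include sensitive data; confirm that exporting plans to a third party is acceptable for this repository. The `terraform plan` step also depends on long-lived `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` secrets and on Terraform code being present at the repository root, or `terraform init` fails. `terraform_version: v0.13.2` is several years old and `hashicorp/setup-terraform@v1` is tag-pinned while the Cloudrail action is SHA-pinned; bring both in line with the rest of the series. Minor: "Analaysis" in the `cloud-account-id` comment.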
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/codescan.yml | 49 ++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/codescan.yml diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml new file mode 100644 index 00000000..a3a7e653 --- /dev/null +++ b/.github/workflows/codescan.yml @@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '41 3 * * 1' + +permissions: + contents: read + +jobs: + CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Cache files + uses: actions/cache@v3 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12 + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: codescan.sarif 
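Review bot: the "Run Analysis" step requires three secrets (`CODESCAN_AUTH_TOKEN`, `CODESCAN_ORGANIZATION_KEY`, `CODESCAN_PROJECT_KEY`) and an existing codescan.io account; without them the step fails, and since it has no `continue-on-error`, the "Upload SARIF file" step is never reached. Confirm the secrets exist before enabling the weekly schedule. `actions/cache@v3` is also a major version behind `actions/checkout@v4` used in the same job; bump it to `v4`.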
From 2a4dbb16df64fe1eb3e6fda9a9cd159122fb6a83 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:10:06 -0600 Subject: [PATCH 055/103] Create credo.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/credo.yml | 61 +++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/credo.yml diff --git a/.github/workflows/credo.yml b/.github/workflows/credo.yml new file mode 100644 index 00000000..1bcec302 --- /dev/null +++ b/.github/workflows/credo.yml 
@@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + + +# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency. +# https://github.com/rrrene/credo +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: Credo + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '18 5 * * 5' + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + otp: [version] + elixir: [version] + steps: + - uses: actions/checkout@v4 + - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f + with: + otp-version: ${{matrix.otp}} + elixir-version: ${{matrix.elixir}} + - name: get dependencies + run: mix deps.get + - name: compile dependencies + run: mix deps.compile + - name: compile + run: mix compile + - name: credo-scan + run: mix credo --format=sarif > credo_output.sarif + - name: upload sarif + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: 
credo_output.sarif From 88d002b8a09b4924e375c083e556bb02e8a7460a Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:10:58 -0600 Subject: [PATCH 056/103] Create crunch42.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/crunch42.yml | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/crunch42.yml diff --git a/.github/workflows/crunch42.yml b/.github/workflows/crunch42.yml new file mode 100644 index 00000000..8a3689bf --- /dev/null +++ b/.github/workflows/crunch42.yml 
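Review bot: the matrix `otp: [version]` and `elixir: [version]` are literal placeholders, so `erlef/setup-beam` receives the string "version" as `otp-version` and `elixir-version` and the job fails before any scanning happens. Replace them with real OTP and Elixir versions (or a single concrete pair if a matrix is not needed). The workflow also assumes `:credo` is already a dependency in `mix.exs`, as the header comment states; `mix credo --format=sarif` will not exist otherwise.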
@@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow locates REST API file contracts (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 300+ security checks on them using 42Crunch Security Audit technology to uncover +# potential vulnerabilities related to authentication, authorization as well as data validation. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you need a 42Crunch platform account. If you do not have one, you can contact us +# from this page: https://42crunch.com/request-demo. +# +# 1. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 2. Create an secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# and store the 42Crunch API Token in that secret. Expected default is API_TOKEN (see the api-token property in the task). +# +# If you have any questions or need help, open an issue at: https://support.42crunch.com. 
+ +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '28 14 * * 3' + +permissions: + contents: read + +jobs: + rest-api-static-security-testing: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@fc01ea7a89e6268875868f9d89598af7a9899ae0 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} From ed10230ef6d6195a78078de6e1704e5a970a46ce Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:11:35 -0600 Subject: [PATCH 057/103] Create datree.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/datree.yml | 47 ++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/datree.yml diff --git a/.github/workflows/datree.yml b/.github/workflows/datree.yml new file mode 100644 index 00000000..539626ae --- /dev/null +++ b/.github/workflows/datree.yml 
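Review bot: `min-score: 75` makes the 42Crunch step a blocking gate, unlike the report-only posture of most workflows in this series; state in the commit or a comment whether failing pushes and pull requests on API-contract score is intended. The step needs an `API_TOKEN` secret backed by a 42Crunch platform account, and the action performs its own upload via `upload-to-code-scanning: true` and `github-token: ${{ github.token }}`, so there is correctly no separate `upload-sarif` step here. If the repository contains no OpenAPI or Swagger files, the scheduled run adds cost with no results.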
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI. +# The results are then uploaded to GitHub Security Code Scanning. +# +# For more information and configurations options, see https://github.com/datreeio/action-datree/ + +name: Datree + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + +permissions: + contents: read + +jobs: + datree: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Run Datree policy check + continue-on-error: true + uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a + env: + # In order to use the Datree action you will need to have a Datree token. + # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token. + DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }} + with: + # Add the path to the configuration file/s that you would like to test. + # See https://github.com/datreeio/action-datree#usage for all available options. + path: test-file.yaml + # Setting a SARIF output will generate a file named "datree.sarif" containing your test results + cliArguments: "-o sarif" + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: datree.sarif From 8fce1644318caf6d54f2306351ee03eca4457c53 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:12:29 -0600 Subject: [PATCH 058/103] Create defender-for-devops.yml @gniumg-source 
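Review bot: `path: test-file.yaml` in the "Run Datree policy check" step is the template placeholder; set it to the real Kubernetes manifest path(s), otherwise the step fails, `continue-on-error: true` hides that, and the job then fails at upload because `datree.sarif` is missing. A `DATREE_TOKEN` secret is also required. Unlike the other scanners in this series this workflow has no `schedule` trigger, which is fine for a manifest linter but worth noting for consistency.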
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/defender-for-devops.yml | 47 +++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/defender-for-devops.yml diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml new file mode 100644 index 00000000..3b72aa4e --- /dev/null +++ b/.github/workflows/defender-for-devops.yml 
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. +# MSDO installs, configures and runs the latest versions of static analysis tools +# (including, but not limited to, SDL/security and compliance tools). +# +# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue, +# as well as Windows self hosted agents. ubuntu-latest support coming soon. +# +# For more information about the action , check out https://github.com/microsoft/security-devops-action +# +# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration +# and provide permission before this can report data back to azure. +# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github + +name: "Microsoft Defender For Devops" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '17 17 * * 5' + +jobs: + MSDO: + # currently only windows latest is supported + runs-on: windows-latest + + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 5.0.x + 6.0.x + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.6.0 + id: msdo + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} From c01aeecaa2625f4847990369f47ed041d15abc10 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:13:08 -0600 Subject: [PATCH 059/103] Create detekt.yml @gniumg-source 
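Review bot: this workflow has no `permissions:` block at either workflow or job level, so the `MSDO` job runs with the repository's default `GITHUB_TOKEN` permissions; `github/codeql-action/upload-sarif` needs `security-events: write`, and on a repository with read-only defaults the "Upload results to Security tab" step fails. Add the same `permissions` block used by the other workflows in this series (`contents: read`, `security-events: write`, `actions: read`). `microsoft/security-devops-action@v1.6.0` is also tag-pinned rather than SHA-pinned, unlike most third-party actions added here.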
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/detekt.yml | 118 +++++++++++++++++++++++++++++++++++ 1 file changed, 118 insertions(+) create mode 100644 .github/workflows/detekt.yml diff --git a/.github/workflows/detekt.yml b/.github/workflows/detekt.yml new file mode 100644 index 00000000..f3991a60 --- /dev/null +++ b/.github/workflows/detekt.yml 
@@ -0,0 +1,118 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your Kotlin source code using +# Detekt. +# +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event +# +# The workflow should work with no modifications, but you might like to use a +# later version of the Detekt CLI by modifying the $DETEKT_RELEASE_TAG +# environment variable. +name: Scan with Detekt + +on: + # Triggers the workflow on push or pull request events but only for default and protected branches + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '30 18 * * 1' + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + # Release tag associated with version of Detekt to be installed + # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 + DETEKT_RELEASE_TAG: v1.15.0 + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "scan" + scan: + name: Scan + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v4 + + # Gets the download URL associated with the $DETEKT_RELEASE_TAG + - name: Get Detekt download URL + id: detekt_info + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + query getReleaseAssetDownloadUrl($tagName: String!) 
{ + repository(name: "detekt", owner: "detekt") { + release(tagName: $tagName) { + releaseAssets(name: "detekt", first: 1) { + nodes { + downloadUrl + } + } + tagCommit { + oid + } + } + } + } + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) + echo "download_url=$DETEKT_DOWNLOAD_URL" >> $GITHUB_OUTPUT + + # Sets up the detekt cli + - name: Setup Detekt + run: | + dest=$( mktemp -d ) + curl --request GET \ + --url ${{ steps.detekt_info.outputs.download_url }} \ + --silent \ + --location \ + --output $dest/detekt + chmod a+x $dest/detekt + echo $dest >> $GITHUB_PATH + + # Performs static analysis using Detekt + - name: Run Detekt + continue-on-error: true + run: | + detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json + + # Modifies the SARIF output produced by Detekt so that absolute URIs are relative + # This is so we can easily map results onto their source files + # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA + - name: Make artifact location URIs relative + continue-on-error: true + run: | + echo "$( + jq \ + --arg github_workspace ${{ github.workspace }} \ + '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . 
end )' \ + ${{ github.workspace }}/detekt.sarif.json + )" > ${{ github.workspace }}/detekt.sarif.json + + # Uploads results to GitHub repository using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/detekt.sarif.json + checkout_path: ${{ github.workspace }} From 0f01d947497e00953b31dac91416b7d780ec8596 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:14:11 -0600 Subject: [PATCH 060/103] Create eslint.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/eslint.yml | 52 ++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/eslint.yml diff --git a/.github/workflows/eslint.yml b/.github/workflows/eslint.yml new file mode 100644 index 00000000..b40db058 --- /dev/null +++ b/.github/workflows/eslint.yml 
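Review bot: in the "Get Detekt download URL" step the jq path `.data.repository.release.releaseAssets.tagCommit.oid` does not match the GraphQL query, where `tagCommit` is a sibling of `releaseAssets` under `release`, not a child of it; as written the lookup yields null, `[ $DETEKT_RELEASE_SHA != "37f0a1d0..." ]` is always true, and the step exits 1 on every run. The path should be `.data.repository.release.tagCommit.oid`, and `$DETEKT_RELEASE_SHA` should be double-quoted in the test so an empty result cannot break the `[` expression. The pin to `DETEKT_RELEASE_TAG: v1.15.0` with a hard-coded expected commit is a good integrity check once the path is fixed; the `https://git.io/JLBbA` link in the comments points at a retired shortener and should be replaced with the full URL.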
@@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '35 14 * * 4' + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@3.1.0 + + - name: Run ESLint + env: + SARIF_ESLINT_IGNORE_SUPPRESSED: "true" + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true From 0f2885001df9607142bf5cf0ed708639142edfc9 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:16:03 -0600 Subject: [PATCH 061/103] Create flawfinder.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/flawfinder.yml | 38 ++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/flawfinder.yml diff --git a/.github/workflows/flawfinder.yml b/.github/workflows/flawfinder.yml new file mode 100644 index 00000000..630b6b3a --- /dev/null 
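Review bot: the "Run ESLint" step passes `--config .eslintrc.js`, so the job assumes that file exists at the repository root; if it does not, ESLint exits with an error, `continue-on-error: true` swallows it, and "Upload analysis results to GitHub" then fails because `eslint-results.sarif` was never written. `npm install eslint@8.10.0` and `@microsoft/eslint-formatter-sarif@3.1.0` are fixed to old releases and will drift from the project's own devDependencies; prefer installing the project's pinned ESLint via `npm ci` and adding only the SARIF formatter here.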
+++ b/.github/workflows/flawfinder.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: flawfinder + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '29 7 * * 5' + +jobs: + flawfinder: + name: Flawfinder + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: flawfinder_scan + uses: david-a-wheeler/flawfinder@8e4a779ad59dbfaee5da586aa9210853b701959c + with: + arguments: '--sarif ./' + output: 'flawfinder_results.sarif' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{github.workspace}}/flawfinder_results.sarif From 5eb840f1854798d70306776e6b415609f4709744 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:17:04 -0600 Subject: [PATCH 062/103] Create frogbot-scan-and-fix.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/frogbot-scan-and-fix.yml | 65 ++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 .github/workflows/frogbot-scan-and-fix.yml diff --git a/.github/workflows/frogbot-scan-and-fix.yml b/.github/workflows/frogbot-scan-and-fix.yml new file mode 100644 index 00000000..e5bcd079 --- /dev/null +++ b/.github/workflows/frogbot-scan-and-fix.yml 
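Review bot: `arguments: '--sarif ./'` in the `flawfinder_scan` step scans the entire checkout, including any vendored or third-party C/C++ sources, and flawfinder matches risky function names lexically rather than tracing data flow, so the Security tab will carry a high triage load for code the team does not own. Narrow the path to the project's own C/C++ directories, and confirm the repository contains C/C++ at all before enabling the weekly run.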
@@ -0,0 +1,65 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Frogbot Scan and Fix does the following: +# Automatically creates pull requests with fixes for vulnerable project dependencies. +# Uses JFrog Xray to scan the project. +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot + +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration + +name: "Frogbot Scan and Fix" +on: + push: + branches: [ "main" ] +permissions: + contents: write + pull-requests: write + security-events: write +jobs: + create-fix-pull-requests: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 + env: + # [Mandatory if the two conditions below are met] + # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. + # + # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") + # JF_INSTALL_DEPS_CMD: "" + + # [Mandatory] + # JFrog platform URL + JF_URL: ${{ secrets.JF_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. 
Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional] + # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io/artifactory + # The 'frogbot' executable and other tools it needs will be downloaded through this repository. + # JF_RELEASES_REPO: "" + + # [Optional] + # Frogbot will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" From 1c858f84775dbe6bf4ca8a67ceb65335a37e4acb Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:18:17 -0600 Subject: [PATCH 063/103] Create frogbot-scan-pr.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/frogbot-scan-pr.yml | 70 +++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/frogbot-scan-pr.yml diff --git a/.github/workflows/frogbot-scan-pr.yml b/.github/workflows/frogbot-scan-pr.yml new file mode 100644 index 00000000..41a83f5c --- /dev/null +++ b/.github/workflows/frogbot-scan-pr.yml 
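Review bot: `JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}` means the fix pull requests Frogbot opens will not trigger this repository's other workflows (GitHub does not start workflow runs for events created with the job's own `GITHUB_TOKEN`), so the dependency upgrades will arrive without the ESLint, flawfinder or njsscan results that are supposed to vet them; supply a GitHub App installation token or a fine-grained PAT here if CI should run on those PRs. The workflow-level `permissions:` block also grants `contents: write`, `pull-requests: write` and `security-events: write` to every job; with a single job that is harmless today, but moving the block under `create-fix-pull-requests` keeps the write scopes tied to the step that needs them. Comment typos: "internat" (internet) and "name of of the repository".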
@@ -0,0 +1,70 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Frogbot Scan Pull Request does the following: +# Automatically scans new pull requests for security vulnerabilities. +# Uses JFrog Xray to scan the project. +# Read more about Frogbot here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot + +# Some projects require creating a frogbot-config.yml file. Read more about it here - https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/frogbot-configuration + +name: "Frogbot Scan Pull Request" +on: + pull_request_target: + types: [ opened, synchronize ] +permissions: + pull-requests: write + contents: read +jobs: + scan-pull-request: + runs-on: ubuntu-latest + # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the + # "frogbot" GitHub environment can approve the pull request to be scanned. + # Read more here (Install Frogbot Using GitHub Actions): https://docs.jfrog-applications.jfrog.io/jfrog-applications/frogbot/setup-frogbot/setup-frogbot-using-github-actions + environment: frogbot + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha }} + + - uses: jfrog/frogbot@5d9c42c30f1169d8be4ba5510b40e75ffcbbc2a9 # v2.21.2 + env: + # [Mandatory if the two conditions below are met] + # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. 
+ # + # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore") + # JF_INSTALL_DEPS_CMD: "" + + # [Mandatory] + # JFrog platform URL + JF_URL: ${{ secrets.JF_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional] + # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository + # in Artifactory, which proxies https://releases.jfrog.io/artifactory + # The 'frogbot' executable and other tools it needs will be downloaded through this repository. + # JF_RELEASES_REPO: "" + + # [Optional] + # Frogbot will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" From 1da1edc5389c20c022339b70574d847ac31eaede Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:19:01 -0600 Subject: [PATCH 064/103] Create hadolint.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/hadolint.yml | 47 ++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/hadolint.yml diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml new file mode 100644 index 00000000..730565dc 
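Review bot: the `environment: frogbot` line is the only control standing between a contributor's code and the `JF_ACCESS_TOKEN` / `JF_GIT_TOKEN` secrets, because `pull_request_target` runs with secrets available and the checkout step uses `ref: ${{ github.event.pull_request.head.sha }}`, the contributor's commit; the approval gate the comment describes exists only if the `frogbot` environment has been created with required reviewers restricted to maintainers. Confirm that environment protection rule is configured before merging (or switch to a plain `pull_request` trigger, which runs without secrets), and note that `JF_INSTALL_DEPS_CMD`, if later enabled, executes the project's install scripts from that checked-out commit. Same comment typos as the previous file: "internat" and "of of".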
--- /dev/null +++ b/.github/workflows/hadolint.yml @@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. +# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '39 9 * * 5' + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run hadolint + uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183 + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true From aa736cba79449e130216e5fe80149e6c5f340224 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:20:23 -0600 Subject: [PATCH 065/103] Create jscrambler-code-integrity.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .../workflows/jscrambler-code-integrity.yml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/jscrambler-code-integrity.yml 
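Review bot: `dockerfile: ./Dockerfile` hard-codes a single Dockerfile at the repository root; if the repo has none, or keeps its Dockerfiles under service directories, the hadolint step errors and the job fails on every push and on the Friday cron, since `no-fail: true` only suppresses lint findings, not a missing input file. Confirm the path before merging, add a `# vX.Y` comment beside the `hadolint/hadolint-action@f988afea...` SHA pin, and fix "hadoint" in the header comment.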
diff --git a/.github/workflows/jscrambler-code-integrity.yml b/.github/workflows/jscrambler-code-integrity.yml new file mode 100644 index 00000000..893d5bfb --- /dev/null +++ b/.github/workflows/jscrambler-code-integrity.yml 
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Jscrambler Code Integrity Action. +# It automates the protection of your JavaScript Applications, so you can run it whenever a new version of your application is built. +# A Jscrambler account is required to use this Workflow. +# +# More info can be found here : https://docs.jscrambler.com/latest/code-integrity/documentation/github-ci-integration + +name: Jscrambler Code Integrity + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 20 + - run: npm ci + - run: npm run build + - name: Jscrambler Code Integrity + id: jscrambler + # the complete list of inputs can be found here: https://github.com/marketplace/actions/jscrambler#inputs + uses: jscrambler/code-integrity-actions/protect@ab65962a2ecffcc362b75a997e24a181d0bde5fb + with: + application-id: ${{ secrets.JSCRAMBLER_APPLICATION_ID }} # This value should be created within your Jscrambler account + secret-key: ${{ secrets.JSCRAMBLER_SECRET_KEY }} # This value can be found in your Jscrambler account + access-key: ${{ secrets.JSCRAMBLER_ACCESS_KEY }} # This value can be found in your Jscrambler account + jscrambler-config-path: jscrambler.json # Download from your Jscrambler account + files-src: | # List of Files to be protected + dist/**/* + files-dest: . From 0ed066b35ee8460e9b96edd9aca6b1b39cce46a0 Mon Sep 17 00:00:00 2001 
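Review bot: the job protects `dist/**/*` but nothing persists the result, so the protected build is discarded when the runner exits; add an `actions/upload-artifact` step (or a publish step) after the Jscrambler step if the output is meant to be used. Also, the `pull_request` trigger will fail for pull requests from forks, because `secrets.JSCRAMBLER_APPLICATION_ID`, `JSCRAMBLER_SECRET_KEY` and `JSCRAMBLER_ACCESS_KEY` are not available to fork-originated runs; either restrict the trigger to `push` or guard the step with a condition on `github.event.pull_request.head.repo.full_name == github.repository`. `jscrambler.json` must also be committed for `jscrambler-config-path` to resolve.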
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:21:16 -0600 Subject: [PATCH 066/103] Create kubesec.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/kubesec.yml | 41 +++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/kubesec.yml diff --git a/.github/workflows/kubesec.yml b/.github/workflows/kubesec.yml new file mode 100644 index 00000000..b5620b7b --- /dev/null +++ b/.github/workflows/kubesec.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Kubesec + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '37 15 * * 6' + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: kubesec-results.sarif From 749fe94241def3eaf46045fbada12607cd850940 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:22:01 -0600 Subject: [PATCH 067/103] Create lintr.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/lintr.yml | 55 +++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/lintr.yml 
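Review bot: `input: file.yaml # specify configuration file to scan here` is the starter template's placeholder and was committed unchanged, so kubesec has no real manifest to scan and the step will fail (or report nothing) while `exit-code: "0"` keeps the job green. Point `input` at the repository's actual Kubernetes manifests before merging, and as with the other scanner pins add a version comment beside the `controlplaneio/kubesec-action@43d0ddff...` SHA.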
diff --git a/.github/workflows/lintr.yml b/.github/workflows/lintr.yml new file mode 100644 index 00000000..1f002d70 --- /dev/null +++ b/.github/workflows/lintr.yml @@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# lintr provides static code analysis for R. +# It checks for adherence to a given style, +# identifying syntax errors and possible semantic issues, +# then reports them to you so you can take action. +# More details at https://lintr.r-lib.org/ + +name: lintr + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '19 2 * * 5' + +permissions: + contents: read + +jobs: + lintr: + name: Run lintr scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup R + uses: r-lib/actions/setup-r@4e1feaf90520ec1215d1882fdddfe3411c08e492 + + - name: Setup lintr + uses: r-lib/actions/setup-r-dependencies@4e1feaf90520ec1215d1882fdddfe3411c08e492 + with: + extra-packages: lintr + + - name: Run lintr + run: lintr::sarif_output(lintr::lint_dir("."), "lintr-results.sarif") + shell: Rscript {0} + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: lintr-results.sarif + wait-for-processing: true From 19efcad49b7335e86ad96187ae710face2a23b57 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:23:39 -0600 Subject: [PATCH 068/103] Create msvc.yml @gniumg-source 
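Review bot: `r-lib/actions/setup-r-dependencies` installs dependencies from the package's `DESCRIPTION` file, so this job assumes an R package layout; verify the step succeeds when no `DESCRIPTION` is present, otherwise the workflow will fail every Friday on the `'19 2 * * 5'` cron for a repository that may contain no R code at all. The two `r-lib/actions/...@4e1feaf9...` pins would also benefit from a version comment.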
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/msvc.yml | 66 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/msvc.yml diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml new file mode 100644 index 00000000..e470b209 --- /dev/null +++ b/.github/workflows/msvc.yml 
@@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Find more information at: +# https://github.com/microsoft/msvc-code-analysis-action + +name: Microsoft C++ Code Analysis + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '41 21 * * 3' + +env: + # Path to the CMake build directory. + build: '${{ github.workspace }}/build' + +permissions: + contents: read + +jobs: + analyze: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Analyze + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Configure CMake + run: cmake -B ${{ env.build }} + + # Build is not required unless generated source files are used + # - name: Build CMake + # run: cmake --build ${{ env.build }} + + - name: Initialize MSVC Code Analysis + uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99 + # Provide a unique ID to access the sarif output path + id: run-analysis + with: + cmakeBuildDirectory: ${{ env.build }} + # Ruleset file that will determine what checks will be run + ruleset: NativeRecommendedRules.ruleset + + # Upload SARIF file to GitHub Code Scanning Alerts + - name: Upload SARIF to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.run-analysis.outputs.sarif }} + + # Upload SARIF file as an Artifact to download and view + # - name: Upload SARIF as an Artifact + # uses: actions/upload-artifact@v4 + # with: + # name: sarif-file + # path: ${{ steps.run-analysis.outputs.sarif }} 
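Review bot: `run: cmake -B ${{ env.build }}` assumes a `CMakeLists.txt` at the repository root; if the project is not CMake-based the configure step fails before analysis runs, and the commented-out build step must be re-enabled when generated sources are involved, as the inline comment already says. `actions/checkout@v4` is the one mutable tag in a workflow whose analysis action is SHA-pinned; pin it by SHA with a version comment for consistency with the supply-chain posture the rest of the file takes.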
From 200aae0c99d0ec2de57e365a9aa8d22542bee0d4 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:24:27 -0600 Subject: [PATCH 069/103] Create njsscan.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/njsscan.yml | 42 +++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/njsscan.yml diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml new file mode 100644 index 00000000..68f2ed45 --- /dev/null +++ b/.github/workflows/njsscan.yml @@ -0,0 +1,42 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates njsscan with GitHub's Code Scanning feature +# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications + +name: njsscan sarif + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '43 17 * * 2' + +permissions: + contents: read + +jobs: + njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + name: njsscan code scanning + steps: + - name: Checkout the code + uses: actions/checkout@v4 + - name: nodejsscan scan + id: njsscan + uses: ajinabraham/njsscan-action@7237412fdd36af517e2745077cedbf9d6900d711 + with: + args: '. --sarif --output results.sarif || true' + - name: Upload njsscan report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 84f91163d1bb26eb822fd179017867ca0f33c240 Mon Sep 17 00:00:00 2001 
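Review bot: `args: '. --sarif --output results.sarif || true'` forces a zero exit even when njsscan itself crashes, so a tool error produces no `results.sarif` and surfaces only as a confusing failure in the upload step. Prefer `continue-on-error: true` on the `nodejsscan scan` step and drop the `|| true`, so findings still do not block the job but the step status reflects whether the scanner actually ran.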
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:26:05 -0600 Subject: [PATCH 070/103] Create phpmd.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/phpmd.yml | 57 +++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/phpmd.yml diff --git a/.github/workflows/phpmd.yml b/.github/workflows/phpmd.yml new file mode 100644 index 00000000..3a9cfbb4 --- /dev/null +++ b/.github/workflows/phpmd.yml 
@@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. +# What PHPMD does is: It takes a given PHP source code base +# and look for several potential problems within that source. +# These problems can be things like: +# Possible bugs +# Suboptimal code +# Overcomplicated expressions +# Unused parameters, methods, properties +# More details at https://phpmd.org/ + +name: PHPMD + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '18 23 * * 1' + +permissions: + contents: read + +jobs: + PHPMD: + name: Run PHPMD scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup PHP + uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 + with: + coverage: none + tools: phpmd + + - name: Run PHPMD + run: phpmd . sarif codesize --reportfile phpmd-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: phpmd-results.sarif + wait-for-processing: true From bebd01df495c600dc489647464feac074a7978b0 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:26:43 -0600 Subject: [PATCH 071/103] Create policy-validator-cfn.yml @gniumg-source 
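Review bot: `phpmd . sarif codesize --reportfile phpmd-results.sarif` enables only the `codesize` ruleset, so the workflow reports complexity metrics and nothing else; for a security-scanning pipeline the built-in `cleancode`, `design` and `unusedcode` rulesets (comma-separated in the same argument) are the ones that surface the "possible bugs" and "unused parameters" the header comment promises. Also, the header comment should read "and looks for several potential problems", and the `shivammathur/setup-php@aa1fe473...` pin lacks a version comment.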
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/policy-validator-cfn.yml | 98 ++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 .github/workflows/policy-validator-cfn.yml diff --git a/.github/workflows/policy-validator-cfn.yml b/.github/workflows/policy-validator-cfn.yml new file mode 100644 index 00000000..1dc8c74b --- /dev/null +++ b/.github/workflows/policy-validator-cfn.yml 
@@ -0,0 +1,98 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the CloudFormation (CFN) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE` +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the given CFN templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. 
+name: Validate AWS IAM policies in CloudFormation templates using Policy Validator +on: + push: + branches: ["main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. 
+jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + # https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. More configuration details here - https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH}} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. 
More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH}} + actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH}} + reference-policy: ${{ env.REFERENCE_POLICY }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result for CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. 
More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@8cadb086bd7cce9ffd5a0bb8051b36f778b556bd #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" From acc2b524a5e624e48d491d3dd5f584d3f7fc8e49 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:27:33 -0600 Subject: [PATCH 072/103] Create policy-validator-tf.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/policy-validator-tf.yml | 101 ++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/policy-validator-tf.yml diff --git a/.github/workflows/policy-validator-tf.yml b/.github/workflows/policy-validator-tf.yml new file mode 100644 index 00000000..28fd3568 --- /dev/null +++ b/.github/workflows/policy-validator-tf.yml 
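Review bot: every value in the `env:` block (`AWS_ROLE: MY_ROLE`, `REGION: MY_AWS_REGION`, `TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE`, `ACTIONS`, `RESOURCES`, `REFERENCE_POLICY`, `REFERENCE_POLICY_TYPE`) is still the template placeholder, so `configure-aws-credentials` will fail on the first push to `main`; the header comment says the role ARN lives in the `POLICY_VALIDATOR_ROLE` secret, so `AWS_ROLE` should be `${{ secrets.POLICY_VALIDATOR_ROLE }}` rather than a literal. Note also that setup step 1 lists only `ValidatePolicy`, `CheckNoNewAccess` and `CheckAccessNotGranted`, but the job additionally runs the `CHECK_NO_PUBLIC_ACCESS` step, so the IAM role's trust and permissions policy must also allow `access-analyzer:CheckNoPublicAccess`. The comments reference a `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type while the step uses `CHECK_NO_NEW_ACCESS`; the step value is the correct one.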
@@ -0,0 +1,101 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. + +name: Validate AWS IAM policies in Terraform templates using Policy Validator +on: + push: + branches: ["main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. 
us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. 
+ +jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. 
More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH }} + actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + reference-policy: ${{ env.REFERENCE_POLICY }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. 
More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" From 1f13f8d4a945b2a35ac9cacdc9810e12a7f39e1e Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:28:43 -0600 Subject: [PATCH 073/103] Create powershell.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/powershell.yml | 49 ++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/powershell.yml diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml new file mode 100644 index 00000000..3a2288f2 --- /dev/null +++ b/.github/workflows/powershell.yml 
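Review bot: the `env:` block at the top of this hunk ships literal placeholders (`AWS_ROLE: MY_ROLE`, `REGION: MY_AWS_REGION`, `TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN`, `REFERENCE_POLICY: REFERENCE_POLICY`, ...), so as committed the job dies at `configure-aws-credentials` because `role-to-assume: MY_ROLE` is not a role ARN, and the `push` / `pull_request` triggers on `main` will fire it on every change. Either fill these from repository variables/secrets before merging or keep the workflow on `workflow_dispatch` until they are set. Two smaller points in the same hunk: nothing here produces the Terraform plan JSON that `TEMPLATE_PATH` must point at (no `terraform plan` / `terraform show -json` step), so the file would have to be committed to the repo; and the header comments name the check type `CHECK_NO_NEW_ACCESS_CHECK` while the step uses `policy-check-type: "CHECK_NO_NEW_ACCESS"`, so the comment should be corrected to match the step.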
@@ -0,0 +1,49 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# https://github.com/microsoft/action-psscriptanalyzer +# For more information on PSScriptAnalyzer in general, see +# https://github.com/PowerShell/PSScriptAnalyzer + +name: PSScriptAnalyzer + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '37 15 * * 4' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: PSScriptAnalyzer + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Run PSScriptAnalyzer + uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f + with: + # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. + # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. + path: .\ + recurse: true + # Include your own basic security rules. Removing this option will run all the rules + includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' + output: results.sarif + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From ce68c6260de020591f11178308177e1549f8ef55 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:29:44 -0600 Subject: [PATCH 074/103] Create prisma.yml @gniumg-source 
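Review bot: `includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"'` restricts the scan to two rules, so the SARIF upload will report only those two findings; the comment above it says removing the option runs all rules, which is the safer default for a security job unless there is a reason to narrow it (if narrowing, at least add the plaintext-password rule `PSAvoidUsingPlainTextForPassword`). Also, `actions/checkout@v4` is a floating tag while `microsoft/psscriptanalyzer-action` is pinned to a commit SHA; pin both the same way so the workflow's supply chain is consistent.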
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/prisma.yml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/prisma.yml diff --git a/.github/workflows/prisma.yml b/.github/workflows/prisma.yml new file mode 100644 index 00000000..7dad5a18 --- /dev/null +++ b/.github/workflows/prisma.yml 
@@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow that checks for security issues using +# the Prisma Cloud Infrastructure as Code Scan Action on +# the IaC files present in the repository. +# The results are uploaded to GitHub Security Code Scanning +# +# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action + +name: Prisma Cloud IaC Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '28 0 * * 1' + +permissions: + contents: read + +jobs: + prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + name: Run Prisma Cloud IaC Scan to check + steps: + - name: Checkout + uses: actions/checkout@v4 + - id: iac-scan + name: Run Scan on CFT files in the repository + uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 + with: + # You will need Prisma Cloud API Access Token + # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action + prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} + access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} + secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} + # Scan sources on Prisma Cloud are uniquely identified by their name + asset_name: 'my-asset-name' + # The service need to know the type of IaC being scanned + template_type: 'CFT' + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + # Results are generated only on a success or failure + # this is 
required since GitHub by default won't run the next step + # when the previous one has failed. + # And alternative it to add `continue-on-error: true` to the previous step + if: success() || failure() + with: + # The SARIF Log file name is configurable on scan action + # therefore the file name is best read from the steps output + sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} From addd75de275082d461031b528c01304df0eba6e2 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:30:30 -0600 Subject: [PATCH 075/103] Create psalm.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/psalm.yml | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/psalm.yml diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml new file mode 100644 index 00000000..e3b28c10 --- /dev/null +++ b/.github/workflows/psalm.yml 
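Review bot: `template_type: 'CFT'` and the step name "Run Scan on CFT files" target CloudFormation, but the other workflows in this series (the policy validator and tfsec) treat the repository's IaC as Terraform; if there are no CFT templates the scan finds nothing, so confirm the template type matches what is actually in the repo. `asset_name: 'my-asset-name'` is still the sample value and should be set to something that identifies this repository in Prisma Cloud. Since the three `secrets.PRISMA_CLOUD_*` values are not available to pull requests from forks, the scan step will fail there and the `if: success() || failure()` upload will then fail on an empty `iac_scan_result_sarif_path`; consider `continue-on-error: true` on the scan step as the comment suggests, or gating the job on the secrets being present.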
@@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Psalm Security Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '20 17 * * 5' + +permissions: + contents: read + +jobs: + php-security: + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Psalm Security Scan + uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287 + + - name: Upload Security Analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 29eef505a73911b7ed4ee4cdaac9c1e79bbaddca Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:31:16 -0600 Subject: [PATCH 076/103] Create puppet-lint.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/puppet-lint.yml | 55 +++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/puppet-lint.yml diff --git a/.github/workflows/puppet-lint.yml b/.github/workflows/puppet-lint.yml new file mode 100644 index 00000000..a7b35609 --- /dev/null +++ b/.github/workflows/puppet-lint.yml 
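Review bot: the "Upload Security Analysis results to GitHub" step has no `if: success() || failure()` guard, so if the Psalm step exits non-zero on findings the SARIF is never uploaded and the findings never reach the Security tab; the Prisma workflow in this series already uses that guard on its upload step, so do the same here. The upload also assumes `results.sarif` is written at the repository root by the Psalm action, which is fine as long as that default is not overridden.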
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# Puppet Lint tests Puppet code against the recommended Puppet language style guide. +# https://puppet.com/docs/puppet/7/style_guide.html +# Puppet Lint validates only code style; it does not validate syntax. +# To test syntax, use Puppet's puppet parser validate command. +# More details at https://github.com/puppetlabs/puppet-lint/ + +name: puppet-lint + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '24 7 * * 3' + +permissions: + contents: read + +jobs: + puppet-lint: + name: Run puppet-lint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Ruby + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Install puppet-lint + run: gem install puppet-lint + + - name: Run puppet-lint + run: puppet-lint . --sarif > puppet-lint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: puppet-lint-results.sarif + wait-for-processing: true From 001a6b751e0d16239eeaf0282be745570d088748 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:32:06 -0600 Subject: [PATCH 077/103] Create pyre.yml @gniumg-source 
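Review bot: `ruby-version: 2.7` pins an end-of-life Ruby (2.7 left support in March 2023), so the lint job runs on an unpatched interpreter; move to a supported 3.x release. `run: gem install puppet-lint` installs whatever the latest gem is at run time, which makes results non-reproducible and widens the supply-chain exposure of a security job; pin a version (`gem install puppet-lint -v <version>`) or add it to the Gemfile that `bundler-cache: true` already expects to be present.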
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/pyre.yml | 46 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .github/workflows/pyre.yml diff --git a/.github/workflows/pyre.yml b/.github/workflows/pyre.yml new file mode 100644 index 00000000..053f88a6 --- /dev/null +++ b/.github/workflows/pyre.yml @@ -0,0 +1,46 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Pyre with GitHub's +# Code Scanning feature. +# +# Pyre is a performant type checker for Python compliant with +# PEP 484. Pyre can analyze codebases with millions of lines +# of code incrementally – providing instantaneous feedback +# to developers as they write code. +# +# See https://pyre-check.org + +name: Pyre + +on: + workflow_dispatch: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +permissions: + contents: read + +jobs: + pyre: + permissions: + actions: read + contents: read + security-events: write + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: true + + - name: Run Pyre + uses: facebook/pyre-action@60697a7858f7cc8470d8cc494a3cf2ad6b06560d + with: + # To customize these inputs: + # See https://github.com/facebook/pyre-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' From 90bfef1e3d64722c5df8797dec4813104e017fb6 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:33:46 -0600 Subject: [PATCH 078/103] Create pysa.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/pysa.yml | 50 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 .github/workflows/pysa.yml 
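Review bot: `requirements-path: 'requirements.txt'` hard-codes a file at the repository root; if this repo does not ship one the Pyre action fails before analysis starts, so either confirm the file exists or point the input at the real dependency manifest. `submodules: true` on checkout also pulls any submodule content into the analysed tree, which is worth knowing if submodules are added later.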
diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml new file mode 100644 index 00000000..1b9e4b51 --- /dev/null +++ b/.github/workflows/pysa.yml @@ -0,0 +1,50 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates Python Static Analyzer (Pysa) with +# GitHub's Code Scanning feature. +# +# Python Static Analyzer (Pysa) is a security-focused static +# analysis tool that tracks flows of data from where they +# originate to where they terminate in a dangerous location. +# +# See https://pyre-check.org/docs/pysa-basics/ + +name: Pysa + +on: + workflow_dispatch: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '39 10 * * 5' + +permissions: + contents: read + +jobs: + pysa: + permissions: + actions: read + contents: read + security-events: write + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: true + + - name: Run Pysa + uses: facebook/pysa-action@f46a63777e59268613bd6e2ff4e29f144ca9e88b + with: + # To customize these inputs: + # See https://github.com/facebook/pysa-action#inputs + repo-directory: './' + requirements-path: 'requirements.txt' + infer-types: true + include-default-sapp-filters: true From 369fc93a0c817819c193266a99a745a7c1c3f451 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:34:38 -0600 Subject: [PATCH 079/103] Create rubocop.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/rubocop.yml | 52 +++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/rubocop.yml diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml new file mode 100644 index 00000000..1330ff98 --- /dev/null +++ b/.github/workflows/rubocop.yml 
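Review bot: this hunk repeats the Pyre setup from the previous patch (`submodules: true`, `requirements-path: 'requirements.txt'`), so the same requirement applies: the file must exist at the root or the step fails. With `include-default-sapp-filters: true` the uploaded results are pre-filtered by Pysa's default SAPP filters; if the repository later adds its own taint models or sources and sinks, check that the filters do not hide findings from them.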
@@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# pulled from repo +name: "Rubocop" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '15 23 * * 2' + +jobs: + rubocop: + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # If running on a self-hosted runner, check it meets the requirements + # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners + - name: Set up Ruby + uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0 + with: + ruby-version: 2.6 + + # This step is not necessary if you add the gem to your Gemfile + - name: Install Code Scanning integration + run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install + + - name: Install dependencies + run: bundle install + + - name: Rubocop run + run: | + bash -c " + bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif + [[ $? -ne 2 ]] + " + + - name: Upload Sarif output + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: rubocop.sarif From 6323afcba2bf4f7f822247edea328a46cd11d413 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:35:15 -0600 Subject: [PATCH 080/103] Create rust-clippy.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/rust-clippy.yml | 55 +++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/rust-clippy.yml diff --git a/.github/workflows/rust-clippy.yml b/.github/workflows/rust-clippy.yml new file mode 100644 index 00000000..d3fb79e6 --- /dev/null +++ b/.github/workflows/rust-clippy.yml 
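Review bot: this workflow declares no `permissions` block at all, yet the final step calls `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`; with the restricted default `GITHUB_TOKEN` permissions the upload will fail. Add a job-level `permissions:` with `contents: read`, `security-events: write` and `actions: read`, as the other workflows in this series do. `ruby-version: 2.6` is also end-of-life (since March 2022); the `bash -c "... [[ $? -ne 2 ]]"` wrapper is fine, since it lets offences (exit 1) pass while still failing on RuboCop errors (exit 2).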
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# rust-clippy is a tool that runs a bunch of lints to catch common +# mistakes in your Rust code and help improve your Rust code. +# More details at https://github.com/rust-lang/rust-clippy +# and https://rust-lang.github.io/rust-clippy/ + +name: rust-clippy analyze + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '15 20 * * 4' + +jobs: + rust-clippy-analyze: + name: Run rust-clippy analyzing + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Install Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + + - name: Install required cargo + run: cargo install clippy-sarif sarif-fmt + + - name: Run rust-clippy + run: + cargo clippy + --all-features + --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: rust-clippy-results.sarif + wait-for-processing: true From e93642108a72511f143b64e6e8e73fd83c55fba5 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:36:18 -0600 Subject: [PATCH 081/103] Create scorecard.yml @gniumg-source 
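Review bot: `actions-rs/toolchain` (the "Install Rust toolchain" step) is an archived, unmaintained action; a maintained replacement such as `dtolnay/rust-toolchain` (pinned to a commit) would avoid depending on dead code in the toolchain path. `cargo install clippy-sarif sarif-fmt` pulls unpinned versions of both tools at run time; pin them with `--version`. Note that in the `run:` pipeline the step's exit status is that of `sarif-fmt`, not `cargo clippy`, so a failed clippy invocation is masked (acceptable here only because `continue-on-error: true` is set anyway).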
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/scorecard.yml | 78 +++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..6696e2f8 --- /dev/null +++ b/.github/workflows/scorecard.yml 
@@ -0,0 +1,78 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '19 20 * * 3' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore + # file_mode: git + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 02965dc7452480a774dad2ee92843668a0395185 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:37:54 -0600 Subject: [PATCH 082/103] Create securitycodescan.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/securitycodescan.yml | 41 ++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/securitycodescan.yml diff --git a/.github/workflows/securitycodescan.yml b/.github/workflows/securitycodescan.yml new file mode 100644 index 00000000..16c4b01a --- /dev/null +++ b/.github/workflows/securitycodescan.yml 
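Review bot: the job condition `if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'` has an unreachable second clause, because `on:` only lists `branch_protection_rule`, `schedule` and `push`; drop the `pull_request` clause or add the trigger, otherwise the condition misleads readers. `persist-credentials: false` on checkout and the read-only top-level `permissions: read-all` are the right defaults; `id-token: write` is only needed while `publish_results: true` is kept.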
@@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature +# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET + +name: SecurityCodeScan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '23 21 * * 5' + +jobs: + SCS: + runs-on: windows-latest + steps: + - uses: actions/checkout@v4 + - uses: nuget/setup-nuget@04b0c2b8d1b97922f67eca497d7cf0bf17b8ffe1 + - uses: microsoft/setup-msbuild@v1.0.2 + + - name: Set up projects for analysis + uses: security-code-scan/security-code-scan-add-action@f8ff4f2763ed6f229eded80b1f9af82ae7f32a0d + + - name: Restore dependencies + run: dotnet restore + + - name: Build + run: dotnet build --no-restore + + - name: Convert sarif for uploading to GitHub + uses: security-code-scan/security-code-scan-results-action@cdb3d5e639054395e45bf401cba8688fcaf7a687 + + - name: Upload sarif + uses: github/codeql-action/upload-sarif@v3 From fb04a899477573e11e5e7ddf0130ea7eaa35c231 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:42:55 -0600 Subject: [PATCH 083/103] Create snyk-container.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/snyk-container.yml | 55 ++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/snyk-container.yml diff --git a/.github/workflows/snyk-container.yml b/.github/workflows/snyk-container.yml new file mode 100644 index 00000000..9b185221 --- /dev/null +++ b/.github/workflows/snyk-container.yml 
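Review bot: the `SCS` job has no `permissions` block and there is no top-level one either, so `github/codeql-action/upload-sarif@v3` at the end will not have `security-events: write` under restricted default token permissions; add the same job-level `permissions` used by the other workflows in this series. `microsoft/setup-msbuild@v1.0.2` is a floating tag while the two `security-code-scan` actions and `nuget/setup-nuget` are SHA-pinned; pin it to a commit for consistency.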
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '28 12 * * 3' + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Build a Docker image + run: docker build -t your/image-to-test . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@14818c4695ecc4045f33c9cee9e795a788711ca4 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. 
+ # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: your/image-to-test + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk.sarif From 96cfa612db55677b50b62580bee009c4342e84c1 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:44:06 -0600 Subject: [PATCH 084/103] Create sobelow.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/sobelow.yml | 41 +++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/sobelow.yml diff --git a/.github/workflows/sobelow.yml b/.github/workflows/sobelow.yml new file mode 100644 index 00000000..65f77ed5 --- /dev/null +++ b/.github/workflows/sobelow.yml 
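Review bot: `docker build -t your/image-to-test .` and `image: your/image-to-test` are still the sample values, and the build assumes a `Dockerfile` at the repository root; set the real image name (the Trivy workflow later in this series uses `docker.io/my-organization/my-app:${{ github.sha }}`, so the two should agree). Because `secrets.SNYK_TOKEN` is not available to fork pull requests, the Snyk step will fail there; `continue-on-error: true` keeps the job alive, but the upload step then fails on a missing `snyk.sarif`, so consider guarding the upload on the file existing.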
@@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. +name: Sobelow + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '19 21 * * 1' + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - id: run-action + uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 + - name: Upload report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From df4d6e2a304b54ebebaf0e9b4fcde2f3707cb0de Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:44:53 -0600 Subject: [PATCH 085/103] Create soos-dast-scan.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/soos-dast-scan.yml | 60 ++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/soos-dast-scan.yml diff --git a/.github/workflows/soos-dast-scan.yml b/.github/workflows/soos-dast-scan.yml new file mode 100644 index 00000000..e7727c55 --- /dev/null +++ b/.github/workflows/soos-dast-scan.yml 
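Review bot: the header comment's "Instructions:" list starts at "2.", so step 1 was dropped; either restore it or renumber. The upload step assumes the Sobelow action writes `results.sarif` at the repository root; if the action's output path is changed the `sarif_file` input must follow.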
@@ -0,0 +1,60 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# SOOS is the easy-to-integrate and affordable software security solution for your whole team. +# +# Learn more at https://soos.io/ +# +# To use this action, perform the following steps: +# +# 1. Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA, DAST, and SBOM products. +# +# 2. Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate/dast/). Note the "API Credentials" section of this page; the keys you will need for the next step are here. +# +# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. +# +# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token. +# +# Check for the latest version here: https://github.com/marketplace/actions/soos-dast + +name: "SOOS DAST Scan" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + soos: + permissions: + security-events: write # for uploading code scanning alert info + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: SOOS DAST Analysis + runs-on: ubuntu-latest + steps: + - name: Run SOOS DAST Analysis + uses: soos-io/soos-dast-github-action@a7eb40b94c1c81eb76b178ba1befdc21823f86fa + with: + client_id: ${{ secrets.SOOS_CLIENT_ID }} + api_key: ${{ secrets.SOOS_API_KEY }} + project_name: "" + scan_mode: "baseline" + target_url: "https://www.example.com/" + export_format: "Sarif" + export_file_type: "Json" + - name: Find and rename SARIF file since it is unique + run: | + file=$(find . 
-name "*.sarif.json" | head -n 1) + if [ -n "$file" ]; then + mv "$file" output.sarif.json + echo "Renamed $file to output.sarif.json" + else + echo "No SARIF file found" && exit 1 + fi + - name: Upload SOOS DAST SARIF Report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: output.sarif.json From aa8146d69f9298e244b3d6fd10139873739f691d Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:47:08 -0600 Subject: [PATCH 086/103] Create tfsec.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/tfsec.yml | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/tfsec.yml diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml new file mode 100644 index 00000000..1daab06e --- /dev/null +++ b/.github/workflows/tfsec.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: tfsec + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '41 9 * * 5' + +jobs: + tfsec: + name: Run tfsec sarif report + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v4 + + - name: Run tfsec + uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 + with: + sarif_file: tfsec.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: tfsec.sarif From fe228193affaf6f55684b2f8d31be46797638445 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:48:08 -0600 Subject: [PATCH 087/103] Create trivy.yml @gniumg-source 
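Review bot: soos-dast-scan.yml still carries template placeholders that must be filled before merge: `project_name: ""` is empty and `target_url: "https://www.example.com/"` points at example.com, so every push and pull request to `main` would run a DAST baseline scan against a host this project does not own instead of its own deployment. Note also that secrets are not exposed to `pull_request` runs from forks, so `${{ secrets.SOOS_CLIENT_ID }}` and `${{ secrets.SOOS_API_KEY }}` will be empty there and the scan step will fail; either limit the trigger to `push` or accept failing fork PR runs. The `exit 1` when no `*.sarif.json` is found is good, but if the scan step itself exits non-zero on findings the rename and upload steps are skipped, so consider `if: always()` on the rename and upload steps.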
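Review bot: In tfsec.yml the `Upload SARIF file` step is only reached if `aquasecurity/tfsec-sarif-action` exits 0, so if the action fails the job when it detects misconfigurations the report is never uploaded to code scanning; add `if: always()` to the upload step or confirm the action's soft-fail behaviour. Otherwise the hunk is consistent: both steps use `tfsec.sarif`, both actions are pinned to full commit SHAs, and job permissions are limited to `actions: read`, `contents: read` and `security-events: write`.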
Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/trivy.yml | 48 +++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/trivy.yml diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 00000000..ed4cc922 --- /dev/null +++ b/.github/workflows/trivy.yml @@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: trivy + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '27 23 * * 4' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Build + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + run: | + docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + with: + image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' From 063b5eea769b67286517b12fa0fd6f8208489dbd Mon Sep 17 00:00:00 2001 
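Review bot: trivy.yml still contains the template placeholder image name `docker.io/my-organization/my-app` in both the `docker build -t` command and `image-ref`; replace it with this project's image name and confirm the repository actually has a `Dockerfile` at its root, otherwise the `Build an image from Dockerfile` step fails on every push and pull request. The job is named `build` although it only exists to scan, so a name like `trivy-scan` would keep the required-status-check list readable. As with the other scanners in this series, the upload step has no `if: always()`; trivy-action's default `exit-code` is 0 so this is fine as written, but if `exit-code: '1'` is added later the SARIF upload will be skipped exactly when findings exist.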
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:49:01 -0600 Subject: [PATCH 088/103] Create Gscaler-iac-scan.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/Gscaler-iac-scan.yml | 56 ++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/Gscaler-iac-scan.yml diff --git a/.github/workflows/Gscaler-iac-scan.yml b/.github/workflows/Gscaler-iac-scan.yml new file mode 100644 index 00000000..49993712 --- /dev/null +++ b/.github/workflows/Gscaler-iac-scan.yml 
@@ -0,0 +1,56 @@ +#This workflow uses actions that are not certified by GitHub. +#They are provided by a third party and are governed by +#separate terms of service, privacy policy, and support +#documentation. + +#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, +#which detects security misconfigurations in IaC templates and publishes the findings +#under the code scanning alerts section within the repository. + +#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. + +name: Zscaler IaC Scan +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '30 5 * * 4' + +permissions: + contents: read + +jobs: + zscaler-iac-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - name : Code Checkout + uses: actions/checkout@v4 + - name : Zscaler IAC Scan + uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 + id : zscaler-iac-scan + with: + client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} + client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} + #This is the user region specified during the onboarding process within the ZPC Admin Portal. + region : 'US' + iac_dir : #Enter the IaC directory path from root. + iac_file : #Enter the IaC file path from root. + output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. 
+ #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. + fail_build : #Enter true/false + #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. + - name: Upload SARIF file + if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} From 0995bdfb37673dde2f0772bc6943d9f2daf0412b Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:50:37 -0600 Subject: [PATCH 089/103] Create -Gscaler-iac-scan.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/-Gscaler-iac-scan.yml | 56 +++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 .github/workflows/-Gscaler-iac-scan.yml diff --git a/.github/workflows/-Gscaler-iac-scan.yml b/.github/workflows/-Gscaler-iac-scan.yml new file mode 100644 index 00000000..5fd8671d --- /dev/null +++ b/.github/workflows/-Gscaler-iac-scan.yml 
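Review bot: In Gscaler-iac-scan.yml the upload step's `sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}` is missing `.outputs.`: the step context only exposes `outputs`, `outcome` and `conclusion`, so this expression evaluates to an empty string and `upload-sarif` fails, while the `if:` on the same step correctly uses `steps.zscaler-iac-scan.outputs.sarif_file_path`. Use `${{ steps.zscaler-iac-scan.outputs.sarif_file_path }}` in both places. The inputs `iac_dir`, `iac_file`, `output_format` and `fail_build` are left empty with only placeholder comments, so the scan has no target, and with `output_format` unset the comment says output is human-readable, meaning no SARIF file exists for the upload step at all; set at least one of `iac_dir`/`iac_file` and set `output_format` to the action's SARIF option. Finally, the file is named `Gscaler-iac-scan.yml` while the workflow is `Zscaler IaC Scan`; rename it to `zscaler-iac-scan.yml`.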
@@ -0,0 +1,56 @@ +#This workflow uses actions that are not certified by GitHub. +#They are provided by a third party and are governed by +#separate terms of service, privacy policy, and support +#documentation. + +#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app, +#which detects security misconfigurations in IaC templates and publishes the findings +#under the code scanning alerts section within the repository. + +#Log into the Zscaler Posture Control(ZPC) Portal to begin the onboarding process. +#Copy the client ID and client secret key generated during the onboarding process and configure. +#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET). + +#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow. +#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation. + +name: Gscaler IaC Scan +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '37 5 * * 6' + +permissions: + contents: read + +jobs: + zscaler-iac-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - name : Code Checkout + uses: actions/checkout@v4 + - name : Zscaler IAC Scan + uses : ZscalerCWP/Zscaler-IaC-Action@8d2afb33b10b4bd50e2dc2c932b37c6e70ac1087 + id : zscaler-iac-scan + with: + client_id : ${{ secrets.ZSCANNER_CLIENT_ID }} + client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }} + #This is the user region specified during the onboarding process within the ZPC Admin Portal. + region : 'US' + iac_dir : #Enter the IaC directory path from root. + iac_file : #Enter the IaC file path from root. + output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here. 
+ #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true. + fail_build : #Enter true/false + #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository. + - name: Upload SARIF file + if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }} + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }} From 9013a5a3b79a4f072e989ed8f28519a22030eac5 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:51:34 -0600 Subject: [PATCH 090/103] Update dependabot.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera From 880f6c176f4ecbcf5fb54ebdbf94c972e1085cd2 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:52:07 -0600 Subject: [PATCH 091/103] Update dependabot.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera From 4fd6bad603bf5b32dfbff25332611a570aebdb60 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 09:56:51 -0600 Subject: [PATCH 092/103] Update codeql.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/codeql.yml | 34 +++------------------------------- 1 file changed, 3 insertions(+), 31 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index dca662d2..5ea82739 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
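Review bot: `.github/workflows/-Gscaler-iac-scan.yml` duplicates `Gscaler-iac-scan.yml` from the previous patch line for line except for `name: Gscaler IaC Scan` and the cron `37 5 * * 6`; both trigger on the same pushes and pull requests to `main`, so every change runs the Zscaler scan twice and posts two sets of code scanning alerts using the same `ZSCANNER_CLIENT_ID`/`ZSCANNER_CLIENT_SECRET`. Drop this file (the leading hyphen in the filename looks accidental). It also carries the same `steps.zscaler-iac-scan.sarif_file_path` expression missing `.outputs.` and the same empty `iac_dir`/`iac_file`/`output_format`/`fail_build` inputs as the original.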
@@ -1,15 +1,4 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced" +name "CodeQL Advanced" on: push: 
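Review bot: `+name "CodeQL Advanced"` drops the colon after `name`, which makes codeql.yml invalid YAML; GitHub will refuse to load the workflow, so CodeQL stops running on this repository entirely. Restore `name: "CodeQL Advanced"`. Removing the boilerplate header is fine, but keep the one-line note asking maintainers to check the `language` matrix, since that is the only hint left that the matrix was auto-detected.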
@@ -58,30 +47,13 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. +. - name: Initialize CodeQL uses: github/codeql-action/init@v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. + # ℹ️ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - name: Run manual build steps From 9ee356eff957e9d69b392be40a2379f6de7a3eb4 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 10:02:06 -0600 Subject: [PATCH 093/103] Create Sintaxis.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- Sintaxis.yml | 631 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 631 insertions(+) create mode 100644 Sintaxis.yml 
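Review bot: the `+.` line inserted between `uses: actions/checkout@v4` and `- name: Initialize CodeQL` is a stray character, not a YAML list item, so the `steps:` sequence fails to parse even once the missing `name:` colon in the first hunk is fixed; delete it. The hunk also removes the comment explaining that a language whose autobuild fails should be switched to `build-mode: manual` while keeping the `Run manual build steps` step, so that step is now unexplained; either keep the comment or drop the manual build step if every language in the matrix uses autobuild.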
diff --git a/Sintaxis.yml b/Sintaxis.yml new file mode 100644 index 00000000..3534494f --- /dev/null +++ b/Sintaxis.yml 
@@ -0,0 +1,631 @@ +Documentación de GitHub +Acciones de GitHub /Referencia /Flujos de trabajo y acciones /Sintaxis de metadatos +Referencia de sintaxis de metadatos +Puedes crear acciones para realizar tareas en tu repositorio. Si creas una acción personalizada, necesitarás un archivo de metadatos con sintaxis YAML. + +En este artículo +Nota + +Puedes crear contenedores Docker, JavaScript y acciones compuestas. Las acciones requieren un archivo de metadatos para definir las entradas, salidas y la configuración de ejecución de tu acción. Los archivos de metadatos de acción utilizan la sintaxis YAML, y el nombre del archivo de metadatos debe ser action.ymlo action.yaml. El formato preferido es action.yml. + +name +Obligatorio El nombre de tu acción. GitHub lo muestra nameen la pestaña Acciones para ayudar a identificar visualmente las acciones en cada trabajo. + +author +Opcional: El nombre del autor de la acción. + +description +Se requiere una breve descripción de la acción. + +inputs +Los parámetros de entrada opcionales permiten especificar los datos que la acción espera utilizar durante la ejecución. GitHub almacena los parámetros de entrada como variables de entorno. Recomendamos usar identificadores de entrada en minúsculas. + +Ejemplo: Especificación de entradas +Este ejemplo configura dos entradas: num-octocatsy octocat-eye-color. La num-octocatsentrada no es obligatoria y tomará por defecto un valor de 1. octocat-eye-colores obligatoria y no tiene valor por defecto. + +Nota + +Las acciones que utilizan required: trueno devolverán automáticamente un error si no se especifica la entrada. + +Los archivos de flujo de trabajo que utilizan esta acción pueden usar la withpalabra clave para establecer un valor de entrada para octocat-eye-color. Para obtener más información sobre la withsintaxis, consulte Sintaxis de flujo de trabajo para GitHub Actions . 
+ +inputs: + num-octocats: + description: 'Number of Octocats' + required: false + default: '1' + octocat-eye-color: + description: 'Eye color of the Octocats' + required: true +Cuando especificas una entrada, GitHub crea una variable de entorno para la entrada con el nombre INPUT_. La variable de entorno creada convierte los nombres de entrada a letras mayúsculas y reemplaza los espacios con _caracteres. + +Si la acción se escribe usando un componente compuesto , no se obtendrá automáticamente INPUT_. Con las acciones compuestas, puede usar inputs la referencia Contextos para acceder a las entradas de la acción. + +Para acceder a la variable de entorno en una acción de contenedor Docker, debe pasar la entrada utilizando la argspalabra clave en el archivo de metadatos de la acción. Para obtener más información sobre el archivo de metadatos de la acción para acciones de contenedor Docker, consulte Creación de una acción de contenedor Docker . + +Por ejemplo, si un flujo de trabajo definiera las entradas num-octocatsy octocat-eye-color, el código de acción podría leer los valores de las entradas utilizando las variables de entorno INPUT_NUM-OCTOCATSy .INPUT_OCTOCAT-EYE-COLOR + +inputs. +Se requiere un stringidentificador para asociar con la entrada. El valor de es un mapa de los metadatos de la entrada. Debe ser un identificador único dentro del inputsobjeto. Debe comenzar con una letra o _y contener solo caracteres alfanuméricos, -, o _. + +inputs..description +Se requiere una stringdescripción del parámetro de entrada. + +inputs..required +Opcional A booleanpara indicar si la acción requiere el parámetro de entrada. Establecer en verdadero truecuando el parámetro sea obligatorio. + +inputs..default +Opcional A stringque representa el valor predeterminado. El valor predeterminado se utiliza cuando no se especifica un parámetro de entrada en un archivo de flujo de trabajo. + +inputs..deprecationMessage +Opcional. 
Si se utiliza el parámetro de entrada, stringse registra como un mensaje de advertencia. Puede usar esta advertencia para notificar a los usuarios que la entrada se está cerrando y mencionar las alternativas disponibles. + +outputspara acciones de contenedores Docker y JavaScript +Los parámetros de salida opcionales permiten declarar los datos que establece una acción. Las acciones que se ejecutan posteriormente en un flujo de trabajo pueden utilizar el conjunto de datos de salida en acciones ejecutadas previamente. Por ejemplo, si una acción realiza la suma de dos entradas (x + y = z), podría generar la suma (z) para que otras acciones la utilicen como entrada. + +Cada trabajo puede tener un tamaño máximo de 1 MB. El tamaño total de todos los archivos generados durante la ejecución de un flujo de trabajo puede ser de hasta 50 MB. El tamaño se calcula de forma aproximada utilizando la codificación UTF-16. + +Si no declaras una salida en el archivo de metadatos de tu acción, aún puedes configurar salidas y usarlas en un flujo de trabajo. Para obtener más información sobre cómo configurar salidas en una acción, consulta Comandos de flujo de trabajo para GitHub Actions . + +Ejemplo: Declaración de salidas para acciones de contenedores Docker y JavaScript +outputs: + sum: # id of the output + description: 'The sum of the inputs' +outputs. +Se requiere un stringidentificador para asociar con la salida. El valor de es un mapa de los metadatos de la salida. Debe ser un identificador único dentro del outputsobjeto. Debe comenzar con una letra o _y contener solo caracteres alfanuméricos, -, o _. + +outputs..description +Se requiere una stringdescripción del parámetro de salida. + +outputspara acciones compuestas +Opcionalmente, outputs utilice los mismos parámetros que outputs.y outputs..description(consulte outputspara acciones de contenedores Docker y JavaScript ), pero también incluye el valuetoken. + +Cada trabajo puede tener un tamaño máximo de 1 MB. 
El tamaño total de todos los archivos generados durante la ejecución de un flujo de trabajo puede ser de hasta 50 MB. El tamaño se calcula de forma aproximada utilizando la codificación UTF-16. + +Ejemplo: Declarar resultados para acciones compuestas +outputs: + random-number: + description: "Random number" + value: ${{ steps.random-number-generator.outputs.random-id }} +runs: + using: "composite" + steps: + - id: random-number-generator + run: echo "random-id=$(echo $RANDOM)" >> $GITHUB_OUTPUT + shell: bash +outputs..value +Obligatorio El valor al que se asignará el parámetro de salida. Puede establecerlo en un valor stringo una expresión con contexto. Por ejemplo, puede usar el stepscontexto para establecer el valor valuede una salida al valor de salida de un paso. + +Para obtener más información sobre cómo usar la sintaxis de contexto, consulte la referencia de Contextos . + +runs +Obligatorio. Especifica si se trata de una acción de JavaScript, una acción compuesta o una acción de contenedor Docker, y cómo se ejecuta la acción. + +runspara acciones de JavaScript +Requerido. Configura la ruta al código de la acción y el entorno de ejecución utilizado para ejecutar el código. + +Ejemplo: Uso de Node.js v24 +runs: + using: 'node24' + main: 'main.js' +runs.usingpara acciones de JavaScript +Obligatorio El entorno de ejecución utilizado para ejecutar el código especificado en main. + +Para usar node20con Node.js v20. +Utilizar node24para Node.js v24. +runs.main +Obligatorio El archivo que contiene el código de tu acción. El entorno de ejecución especificado en usingejecuta este archivo. + +runs.pre +Opcional Permite ejecutar un script al inicio de un trabajo, antes de que main:comience la acción. Por ejemplo, puede usarlo pre:para ejecutar un script de configuración de requisitos previos. El entorno de ejecución especificado con la usingsintaxis ejecutará este archivo. 
La pre:acción siempre se ejecuta de forma predeterminada, pero puede anular esto usando runs.pre-if. + +Nota + +runs.preNo se admiten acciones locales. + +En este ejemplo, la pre:acción ejecuta un script llamado setup.js: + +runs: + using: 'node24' + pre: 'setup.js' + main: 'index.js' + post: 'cleanup.js' +runs.pre-if +Opcional Permite definir condiciones para la pre:ejecución de la acción. La pre:acción solo se ejecutará si pre-ifse cumplen las condiciones. Si no se establece, se pre-ifutiliza el valor predeterminado always(). En pre-if, las funciones de comprobación de estado se evalúan en función del estado del trabajo, no del estado de la acción. + +Tenga en cuenta que el stepcontexto no está disponible, ya que aún no se ha ejecutado ningún paso. + +En este ejemplo, cleanup.jssolo se ejecuta en sistemas basados ​​en Linux: + + pre: 'cleanup.js' + pre-if: runner.os == 'linux' +runs.post +Opcional. Permite ejecutar un script al finalizar una tarea, una vez main:completada la acción. Por ejemplo, se puede usar post:para terminar ciertos procesos o eliminar archivos innecesarios. El entorno de ejecución especificado con la usingsintaxis ejecutará este archivo. + +En este ejemplo, la post:acción ejecuta un script llamado cleanup.js: + +runs: + using: 'node24' + main: 'index.js' + post: 'cleanup.js' +La post:acción siempre se ejecuta por defecto, pero puede anular esto usando post-if. + +runs.post-if +Opcional Permite definir condiciones para la post:ejecución de la acción. La post:acción solo se ejecutará si post-ifse cumplen las condiciones. Si no se establece, se post-ifutiliza el valor predeterminado always(). En post-if, las funciones de comprobación de estado se evalúan en función del estado del trabajo, no del estado de la acción. + +Por ejemplo, esto cleanup.jssolo funcionará en sistemas operativos basados ​​en Linux: + + post: 'cleanup.js' + post-if: runner.os == 'linux' +runspara acciones compuestas +Obligatorio Configura la ruta a la acción compuesta. 
+ +runs.usingpara acciones compuestas +Obligatorio Debe establecer este valor en 'composite'. + +runs.steps +Obligatorio Los pasos que planea ejecutar en esta acción. Estos pueden ser runpasos o usespasos. + +runs.steps[*].run +Opcional. El comando que desea ejecutar. Puede ser un comando en línea o un script en su repositorio de acciones: + +runs: + using: "composite" + steps: + - run: ${{ github.action_path }}/test/script.sh + shell: bash +Alternativamente, puede utilizar $GITHUB_ACTION_PATH: + +runs: + using: "composite" + steps: + - run: $GITHUB_ACTION_PATH/script.sh + shell: bash +Para obtener más información, consulte la referencia Contextos . + +runs.steps[*].shell +Opcional. El intérprete de comandos donde desea ejecutar el comando. Puede usar cualquiera de los intérpretes de comandos que aparecen en la sintaxis de flujo de trabajo para GitHub Actions . Obligatorio si runestá configurado. + +runs.steps[*].if +Opcional: Puede usar la ifcondición para evitar que un paso se ejecute a menos que se cumpla una condición. Puede usar cualquier contexto y expresión compatibles para crear una condición. + +Al usar expresiones en una ifcondición, opcionalmente puedes omitir la ${{ }}sintaxis de la expresión, ya que GitHub Actions la evalúa automáticamente ifcomo una expresión. Sin embargo, esta excepción no se aplica en todos los casos. + +Siempre debe usar la ${{ }}sintaxis de expresión o escapar con '', "", o ()cuando la expresión comience con !, ya que !es una notación reservada en el formato YAML. Por ejemplo: + +if: ${{ ! startsWith(github.ref, 'refs/tags/') }} +Para obtener más información, consulte Evaluar expresiones en flujos de trabajo y acciones . + +Ejemplo: Uso de contextos + +Este paso solo se ejecuta cuando el tipo de evento es a pull_requesty la acción del evento es unassigned. + +steps: + - run: echo This event is a pull request that had an assignee removed. 
+ if: ${{ github.event_name == 'pull_request' && github.event.action == 'unassigned' }} +Ejemplo: Uso de funciones de comprobación de estado + +Solo my backup stepse ejecuta cuando falla el paso anterior de una acción compuesta. Para obtener más información, consulte Evaluar expresiones en flujos de trabajo y acciones . + +steps: + - name: My first step + uses: octo-org/action-name@main + - name: My backup step + if: ${{ failure() }} + uses: actions/heroku@1.0.0 +runs.steps[*].name +Opcional. El nombre del paso compuesto. + +runs.steps[*].id +Opcional. Un identificador único para el paso. Puede usarlo idpara hacer referencia al paso en contextos. Para obtener más información, consulte la referencia de contextos . + +runs.steps[*].env +Opcional. Establece un conjunto mapde variables de entorno solo para ese paso. Si desea modificar la variable de entorno almacenada en el flujo de trabajo, úsela echo "{name}={value}" >> $GITHUB_ENVen un paso compuesto. + +runs.steps[*].working-directory +Opcional. Especifica el directorio de trabajo donde se ejecuta el comando. + +runs.steps[*].uses +Opcional. Selecciona una acción para ejecutar como parte de un paso en tu trabajo. Una acción es una unidad de código reutilizable. Puedes usar una acción definida en el mismo repositorio que el flujo de trabajo, en un repositorio público o en una imagen de contenedor Docker publicada . + +Recomendamos encarecidamente que incluya la versión de la acción que está utilizando, especificando una referencia de Git, un SHA o un número de etiqueta de Docker. Si no especifica una versión, podría interrumpir sus flujos de trabajo o provocar un comportamiento inesperado cuando el responsable de la acción publique una actualización. + +Utilizar el SHA de confirmación de una versión de acción publicada es la opción más segura en términos de estabilidad y seguridad. 
+Utilizar la versión específica de la acción principal le permite recibir correcciones críticas y parches de seguridad sin comprometer la compatibilidad. Además, garantiza que su flujo de trabajo siga funcionando correctamente. +Puede resultar conveniente utilizar la rama predeterminada de una acción, pero si alguien lanza una nueva versión principal con un cambio incompatible, su flujo de trabajo podría interrumpirse. +Algunas acciones requieren parámetros que debes configurar mediante la withpalabra clave. Consulta el archivo README de la acción para determinar los parámetros necesarios. + +runs: + using: "composite" + steps: + # Reference a specific commit + - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 + # Reference the major version of a release + - uses: actions/checkout@v5 + # Reference a specific version + - uses: actions/checkout@v5.2.0 + # Reference a branch + - uses: actions/checkout@main + # References a subdirectory in a public GitHub repository at a specific branch, ref, or SHA + - uses: actions/aws/ec2@main + # References a local action + - uses: ./.github/actions/my-action + # References a docker public registry action + - uses: docker://gcr.io/cloud-builders/gradle + # Reference a docker image published on docker hub + - uses: docker://alpine:3.8 +runs.steps[*].with +Parámetros mapde entrada opcionales definidos por la acción. Cada parámetro de entrada es un par clave/valor. Para más información, consulte Ejemplo: Especificación de entradas . + +runs: + using: "composite" + steps: + - name: My first step + uses: actions/hello_world@main + with: + first_name: Mona + middle_name: The + last_name: Octocat +runs.steps[*].continue-on-error +Opcional. Impide que la acción falle cuando falla un paso. Establézcalo en truepara permitir que la acción se complete cuando falle este paso. + +runspara acciones de contenedores Docker +Requerido. Configura la imagen utilizada para la acción del contenedor Docker. 
+ +Ejemplo: Usar un Dockerfile en tu repositorio +runs: + using: 'docker' + image: 'Dockerfile' +Ejemplo: Uso de un contenedor de registro público de Docker +runs: + using: 'docker' + image: 'docker://debian:stretch-slim' +runs.usingpara acciones de contenedores Docker +Obligatorio Debe establecer este valor en 'docker'. + +runs.pre-entrypoint +Opcional Permite ejecutar un script antes de que entrypointcomience la acción. Por ejemplo, puede usarlo pre-entrypoint:para ejecutar un script de configuración de requisitos previos. GitHub Actions usa docker runpara lanzar esta acción y ejecuta el script dentro de un nuevo contenedor que usa la misma imagen base. Esto significa que el estado de tiempo de ejecución es diferente del entrypointcontenedor principal, y cualquier estado que necesite debe ser accedido en el espacio de trabajo, HOMEo como una STATE_variable. La pre-entrypoint:acción siempre se ejecuta de forma predeterminada, pero puede anular esto usando runs.pre-if. + +El entorno de ejecución especificado con la usingsintaxis ejecutará este archivo. + +En este ejemplo, la pre-entrypoint:acción ejecuta un script llamado setup.sh: + +runs: + using: 'docker' + image: 'Dockerfile' + args: + - 'bzz' + pre-entrypoint: 'setup.sh' + entrypoint: 'main.sh' +runs.image +Se requiere la imagen de Docker que se utilizará como contenedor para ejecutar la acción. El valor puede ser el nombre de la imagen base de Docker, una imagen local Dockerfileen su repositorio o una imagen pública en Docker Hub u otro registro. Para hacer referencia a una Dockerfileimagen local en su repositorio, el archivo debe tener un nombre específico Dockerfiley debe usar una ruta relativa a su archivo de metadatos de acción. La dockeraplicación ejecutará este archivo. + +runs.env +Opcional. Especifica un mapa clave/valor de variables de entorno que se configurarán en el entorno del contenedor. + +runs.entrypoint +Opcional. 
Sobrescribe el Docker ENTRYPOINTen el Dockerfile, o lo establece si no se especificó ninguno previamente. Úselo entrypointcuando el Dockerfileno especifica un ENTRYPOINTo cuando desea sobrescribir la ENTRYPOINTinstrucción. Si omite , se ejecutarán entrypointlos comandos que especifique en la instrucción Docker . La instrucción Docker tiene una forma de shell y una forma exec . La documentación de Docker recomienda usar la forma exec de la instrucción.ENTRYPOINTENTRYPOINTENTRYPOINTENTRYPOINT + +Para obtener más información sobre cómo entrypointse ejecuta, consulte la compatibilidad de Dockerfile con GitHub Actions . + +runs.post-entrypoint +Opcional Permite ejecutar un script de limpieza una vez que la runs.entrypointacción haya finalizado. GitHub Actions utiliza docker runpara lanzar esta acción. Debido a que GitHub Actions ejecuta el script dentro de un nuevo contenedor utilizando la misma imagen base, el estado de tiempo de ejecución es diferente del entrypointcontenedor principal. Puede acceder a cualquier estado que necesite en el espacio de trabajo, HOMEo como una STATE_variable. La post-entrypoint:acción siempre se ejecuta de forma predeterminada, pero puede anular esto utilizando runs.post-if. + +runs: + using: 'docker' + image: 'Dockerfile' + args: + - 'bzz' + entrypoint: 'main.sh' + post-entrypoint: 'cleanup.sh' +runs.args +Opcional. Un array de cadenas que definen las entradas para un contenedor Docker. Las entradas pueden incluir cadenas codificadas. GitHub pasa esta información argsal contenedor ENTRYPOINTcuando este se inicia. + +Se argsutilizan en lugar de la CMDinstrucción en un Dockerfile. Si utiliza CMDen su Dockerfile, utilice las pautas ordenadas por preferencia: + +Documente los argumentos necesarios en el archivo README de la acción y omítalos en las CMDinstrucciones. +Utilice valores predeterminados que permitan usar la acción sin especificar ninguno args. 
+Si la acción expone una --helpbandera, o algo similar, utilícela para que su acción se autodocumente. +Si necesitas pasar variables de entorno a una acción, asegúrate de que tu acción ejecute un intérprete de comandos para realizar la sustitución de variables. Por ejemplo, si tu entrypointatributo está configurado como "sh -c", argsse ejecutará en un intérprete de comandos. Alternativamente, si tu Dockerfileusa un ENTRYPOINTpara ejecutar el mismo comando ( "sh -c"), argsse ejecutará en un intérprete de comandos. + +Para obtener más información sobre cómo usar esta CMDinstrucción con GitHub Actions, consulte la sección "Compatibilidad de Dockerfile con GitHub Actions" . + +Ejemplo: Definición de argumentos para el contenedor Docker +runs: + using: 'docker' + image: 'Dockerfile' + args: + - ${{ inputs.greeting }} + - 'foo' + - 'bar' +branding +Opcional: Puedes usar un color y un icono de pluma para crear una insignia que personalice y distinga tu acción. Las insignias se muestran junto al nombre de tu acción en GitHub Marketplace . + +Ejemplo: Configurar la marca para una acción +branding: + icon: 'award' + color: 'green' +branding.color +El color de fondo de la insignia. Puede ser uno de los siguientes: white, black, yellow, blue, green, orange, red, purple, o gray-dark. + +branding.icon +El nombre del icono Feather de la versión 4.28.0 que se utilizará. + +Iconos omitidos +Se omiten los iconos de marca y todos los iconos siguientes. + +café +columnas +círculo divisor +dividir cuadrado +dividir +fruncir el ceño +hexágono +llave +meh +puntero del ratón +sonrisa +herramienta +octágono x +Lista exhaustiva de todos los iconos compatibles actualmente. 
+actividad +salida en antena +círculo de alerta +octágono de alerta +triángulo de alerta +alinear-centro +alinear-justificar +alinear a la izquierda +alinear a la derecha +ancla +abertura +archivo +círculo con flecha hacia abajo +flecha-abajo-izquierda +flecha-abajo-derecha +flecha hacia abajo +flecha-izquierda-círculo +flecha izquierda +círculo-derecha-flecha +flecha derecha +círculo con flecha hacia arriba +flecha-arriba-izquierda +flecha hacia arriba a la derecha +flecha hacia arriba +signo de arroba +otorgar +gráfico de barras-2 +gráfico de barras +carga de la batería +batería +campana apagada +campana +Bluetooth +atrevido +libro abierto +libro +marcador +caja +maletín +calendario +cámara apagada +cámara +elenco +círculo de verificación +cuadrado de control +controlar +chevron-down +chevrón-izquierda +chevrón-derecha +chevron hacia arriba +chevrones hacia abajo +galones-izquierda +galones-derecha +chevrones hacia arriba +círculo +portapapeles +reloj +llovizna de nubes +relámpagos de nube +nube apagada +nube-lluvia +nube-nieve +nube +código +dominio +brújula +Copiar +esquina inferior izquierda +esquina inferior derecha +esquina izquierda abajo +esquina izquierda arriba +esquina derecha abajo +esquina derecha arriba +esquina superior izquierda +esquina superior derecha +UPC +tarjeta de crédito +cultivo +mira +base de datos +borrar +desct +signo de dólar +descarga en la nube +descargar +gotita +edición-2 +edición-3 +editar +enlace externo +ojo fuera +ojo +avance rápido +pluma +archivo menos +archivo-plus +texto del archivo +archivo +película +filtrar +bandera +carpeta-menos +carpeta-plus +carpeta +regalo +rama git +git-commit +git-merge +git-pull-request +globo +red +disco duro +picadillo +auriculares +corazón +círculo de ayuda +hogar +imagen +bandeja de entrada +información +itálico +capas +disposición +boya salvavidas +enlace-2 +enlace +lista +cargador +cerrar +acceso +cerrar sesión +correo +marcador del mapa +mapa +maximizar-2 +maximizar +menú +círculo de 
mensajes +cuadrado de mensaje +micrófono apagado +micrófono +minimizar-2 +minimizar +círculo negativo +menos cuadrado +menos +monitor +luna +más horizontal +más vertical +mover +música +navegación-2 +navegación +octágono +paquete +clip de papel +círculo de pausa +pausa +por ciento +llamada telefónica +desvío de llamadas +llamadas entrantes +teléfono perdido +teléfono apagado +teléfono saliente +teléfono +gráfico circular +círculo de juego +jugar +círculo más +cuadrado más +más +bolsillo +fuerza +impresora +radio +actualizar-ccw +actualizar-cw +repetir +rebobinar +girar en sentido antihorario +girar-cw +rss +ahorrar +tijeras +buscar +enviar +servidor +ajustes +compartir-2 +compartir +escudo desactivado +blindaje +bolsa de compras +carro de la compra +barajar +barra lateral +retroceder +saltar hacia adelante +barra oblicua +deslizadores +teléfono inteligente +vocero +cuadrado +estrella +círculo de parada +sol +amanecer +atardecer +mesa +tableta +etiqueta +objetivo +Terminal +termómetro +pulgar hacia abajo +Pulgares hacia arriba +alternar izquierda +alternar a la derecha +basura-2 +basura +tendencia a la baja +tendencia al alza +triángulo +camión +televisor +tipo +paraguas +subrayar +descubrir +subir-nube +subir +comprobación de usuario +usuario menos +usuario-plus +usuario-x +usuario +usuarios +vídeo apagado +video +buzón de voz +volumen 1 +volumen 2 +volumen-x +volumen +mirar +wifi desactivado +wifi +viento +círculo x +x-cuadrado +incógnita +desconexión rápida +borrar +acercar +alejar la imagen +Cambiar el nombre del archivo de metadatos +Si bien el archivo de metadatos de acciones admite ambos formatos YAML, cambiar el nombre del archivo de metadatos (de action.ymla action.yamlo viceversa) entre versiones afectará a las versiones anteriores publicadas en GitHub Marketplace. Al cambiar el nombre del archivo, se ocultarán de GitHub Marketplace todas las versiones asociadas con el nombre anterior. 
Las versiones anteriores seguirán estando disponibles para los usuarios a través del repositorio de código fuente. + +Al lanzar nuevas versiones de acciones, solo las versiones publicadas después del cambio de nombre del archivo de metadatos tendrán la etiqueta de GitHub Marketplace y aparecerán en GitHub Marketplace. From a6cdf532837aec04fe7559ca62471ae452f0cf07 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 16:08:51 +0000 Subject: [PATCH 094/103] chore(deps): bump com.google.oauth-client:google-oauth-client-jetty Bumps [com.google.oauth-client:google-oauth-client-jetty](https://github.com/googleapis/google-oauth-java-client) from 1.34.1 to 1.39.0. - [Release notes](https://github.com/googleapis/google-oauth-java-client/releases) - [Changelog](https://github.com/googleapis/google-oauth-java-client/blob/main/CHANGELOG.md) - [Commits](https://github.com/googleapis/google-oauth-java-client/compare/v1.34.1...v1.39.0) --- updated-dependencies: - dependency-name: com.google.oauth-client:google-oauth-client-jetty dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- tasks/quickstart/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/quickstart/build.gradle b/tasks/quickstart/build.gradle index 2ae5b7d2..e6216b6c 100644 --- a/tasks/quickstart/build.gradle +++ b/tasks/quickstart/build.gradle @@ -12,6 +12,6 @@ repositories { dependencies { implementation 'com.google.api-client:google-api-client:2.0.0' - implementation 'com.google.oauth-client:google-oauth-client-jetty:1.34.1' + implementation 'com.google.oauth-client:google-oauth-client-jetty:1.39.0' implementation 'com.google.apis:google-api-services-tasks:v1-rev20210709-2.0.0' } \ No newline at end of file From 4502da12ade5cd4b17cc90604fe709cbcb3f1e14 Mon Sep 17 00:00:00 2001 
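Review bot: the added lines from `runs.pre-entrypoint` through `Cambiar el nombre del archivo de metadatos` in this hunk are documentation prose whose inline code spans were lost in the paste (`runs.usingpara acciones de contenedores Docker`, `ENTRYPOINTENTRYPOINTENTRYPOINTENTRYPOINT`), followed by a several-hundred-line icon list; nothing here parses as action metadata or a workflow. If the intent is to document `action.yml` syntax, move the text to a Markdown file, restore the code spans and link to the upstream page instead of pasting the translation; if the intent is an actual Docker action, keep only the `runs:` YAML blocks (`using: 'docker'`, `image: 'Dockerfile'`, `entrypoint: 'main.sh'`) and drop the rest.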
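Review bot: in the `tasks/quickstart/build.gradle` hunk of PATCH 094, the bump of `google-oauth-client-jetty` to 1.39.0 leaves `google-api-client:2.0.0` and `google-api-services-tasks:v1-rev20210709-2.0.0` pinned in the same block, and nothing in the change exercises that combination; make sure the test workflow runs the tasks quickstart against the mixed versions before merge. The hunk also ends with `\ No newline at end of file`; add the trailing newline while touching the file so the next bump stays a one-line diff.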
From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 10:09:19 -0600 Subject: [PATCH 095/103] Delete .github/workflows/codeql.yml Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- .github/workflows/codeql.yml | 73 ------------------------------------ 1 file changed, 73 deletions(-) delete mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 5ea82739..00000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -name "CodeQL Advanced" - -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - schedule: - - cron: '19 1 * * 3' - -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - include: - - language: actions - build-mode: none - - language: java-kotlin - build-mode: none # This mode only analyzes Java. Set this to 'autobuild' or 'manual' to analyze Kotlin too. - # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. 
- # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 -. - - name: Initialize CodeQL - uses: github/codeql-action/init@v4 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - - # ℹ️ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - name: Run manual build steps - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 - with: - category: "/language:${{matrix.language}}" From 71efc680c64b4eb81f5878da6031db85eba89258 Mon Sep 17 00:00:00 2001 
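Review bot: deleting `.github/workflows/codeql.yml` removes code scanning (`security-events: write`, `github/codeql-action/analyze@v4` over the `actions` and `java-kotlin` matrix) from CI, and the commit message gives no reason. The deleted content shows two defects that would have kept it from validating, `-name "CodeQL Advanced"` missing the colon after `name`, and the stray `-.` line after `uses: actions/checkout@v4`; fixing those two lines and keeping the workflow is the better change. If it must go, the message should say what replaces scanning; the later `Create CodeQL,yml` commit adds documentation text at the repository root, not a workflow, so it does not restore the coverage.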
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 16:12:02 +0000 Subject: [PATCH 096/103] chore(deps): bump com.google.oauth-client:google-oauth-client-jetty Bumps [com.google.oauth-client:google-oauth-client-jetty](https://github.com/googleapis/google-oauth-java-client) from 1.34.1 to 1.39.0. - [Release notes](https://github.com/googleapis/google-oauth-java-client/releases) - [Changelog](https://github.com/googleapis/google-oauth-java-client/blob/main/CHANGELOG.md) - [Commits](https://github.com/googleapis/google-oauth-java-client/compare/v1.34.1...v1.39.0) --- updated-dependencies: - dependency-name: com.google.oauth-client:google-oauth-client-jetty dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- gmail/quickstart/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gmail/quickstart/build.gradle b/gmail/quickstart/build.gradle index ca113827..32dc41ee 100644 --- a/gmail/quickstart/build.gradle +++ b/gmail/quickstart/build.gradle @@ -12,6 +12,6 @@ repositories { dependencies { implementation 'com.google.api-client:google-api-client:2.0.0' - implementation 'com.google.oauth-client:google-oauth-client-jetty:1.34.1' + implementation 'com.google.oauth-client:google-oauth-client-jetty:1.39.0' implementation 'com.google.apis:google-api-services-gmail:v1-rev20220404-2.0.0' } From baba6eeac217f5cb17c59f32a538d3d65072f1fd Mon Sep 17 00:00:00 2001 
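Review bot: this is the second of three identical bumps of `google-oauth-client-jetty` 1.34.1 to 1.39.0 (PATCH 094 for `tasks/`, this one for `gmail/`, PATCH 097 for `vault/`), each in its own commit, so the three quickstarts drift if one PR merges and another does not. Configure a Dependabot group for the Gradle quickstarts, as PATCH 101 already does with `dependency-group: github_actions`, or a multi-directory entry, so one PR covers all three `build.gradle` files.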
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 16:12:03 +0000 Subject: [PATCH 097/103] chore(deps): bump com.google.oauth-client:google-oauth-client-jetty Bumps [com.google.oauth-client:google-oauth-client-jetty](https://github.com/googleapis/google-oauth-java-client) from 1.34.1 to 1.39.0. - [Release notes](https://github.com/googleapis/google-oauth-java-client/releases) - [Changelog](https://github.com/googleapis/google-oauth-java-client/blob/main/CHANGELOG.md) - [Commits](https://github.com/googleapis/google-oauth-java-client/compare/v1.34.1...v1.39.0) --- updated-dependencies: - dependency-name: com.google.oauth-client:google-oauth-client-jetty dependency-version: 1.39.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- vault/quickstart/build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vault/quickstart/build.gradle b/vault/quickstart/build.gradle index d3221860..2a19f0a4 100644 --- a/vault/quickstart/build.gradle +++ b/vault/quickstart/build.gradle @@ -12,6 +12,6 @@ repositories { dependencies { implementation 'com.google.api-client:google-api-client:2.0.0' - implementation 'com.google.oauth-client:google-oauth-client-jetty:1.34.1' + implementation 'com.google.oauth-client:google-oauth-client-jetty:1.39.0' implementation 'com.google.apis:google-api-services-vault:v1-rev20220423-2.0.0' } From 4ec8c13c3a60c449e6a57705828d35173e84730d Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 10:13:48 -0600 Subject: [PATCH 098/103] Create CodeQL,yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- CodeQL,yml | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 CodeQL,yml diff --git a/CodeQL,yml b/CodeQL,yml new file mode 100644 index 00000000..4ee910ea --- /dev/null +++ b/CodeQL,yml 
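Review bot: after this hunk `vault/quickstart/build.gradle` pairs the new `google-oauth-client-jetty:1.39.0` with the unchanged `google-api-client:2.0.0` and `google-api-services-vault:v1-rev20220423-2.0.0`, while the `Patch.yml` text added in PATCH 102 carries a separate Dependabot patch moving `google-api-client` to 2.9.0 for `gmail/` only; decide on one version set for all three quickstarts rather than letting `tasks/`, `gmail/` and `vault/` end up on different api-client releases.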
@@ -0,0 +1,70 @@ +Publicación y uso de paquetes de CodeQL +Comparta o descargue un CodeQL paquete y, a continuación, analice la CodeQL base de datos. + +¿Quién puede utilizar esta característica? +CodeQL está disponible para los siguientes tipos de repositorios: + +Repositorios públicos en GitHub.com, consulte Términos y condiciones de CodeQL de GitHub. +Repositorios propiedad de la organización en GitHub Team con GitHub Code Security habilitado +En este artículo +Autenticación en GitHubContainer registries +Puede publicar paquetes y descargar paquetes privados mediante la autenticación en el adecuado GitHubContainer registry. + +Puede autenticarse Container registry de dos maneras: + +Pase la --github-auth-stdin opción a CodeQL CLIy proporcione un GitHub Apps token o personal access token a través de la entrada estándar. +Establezca la variable de entorno GITHUB_TOKEN a un token GitHub Apps o personal access token. +Publicación del CodeQL paquete +Para compartir su paquete de CodeQL con otras personas, puede publicarlo en el Container registry. + +Configuración del archivo qlpack.yml antes de publicarlo +Puede comprobar y modificar los detalles de configuración de su paquete CodeQL antes de publicarlo. Abre el archivo qlpack.yml en su editor de texto preferido. + +library: # set to true if the pack is a library. Set to false or omit for a query pack +name: / +version: +description: +defaultSuite: # optional, one or more queries in the pack to run by default + - query: /query-file>.ql +defaultSuiteFile: default-queries.qls # optional, a pointer to a query-suite in this pack +license: # optional, the license under which the pack is published +dependencies: # map from CodeQL pack name to version range + `name:` debe seguir el formato `/`, donde `` es la organización a la que se publicará y `` es el nombre del paquete. +Se permite un máximo de un elemento defaultSuite o defaultSuiteFile. 
Estas son dos maneras diferentes de definir un conjunto predeterminado de consultas que se va a ejecutar, la primera de ellas especificando las consultas directamente en el archivo qlpack.yml y la segunda especificando un conjunto de consultas en el paquete. + +En ejecución codeql pack publish +Cuando esté listo para publicar un paquete en GitHubContainer registry, puede ejecutar el siguiente comando en la raíz del directorio del pack: + +codeql pack publish +El paquete publicado se mostrará en la sección de paquetes de la organización de GitHub que especifica el ámbito del archivo qlpack.yml. + +Nota: + +Si va a publicar paquetes de modelos en GitHubContainer registry para ampliar la cobertura a todos los repositorios de una organización como parte de una configuración de configuración predeterminada, debe asegurarse de que los repositorios que ejecutan el análisis de código puedan acceder a esos paquetes de modelos. Para obtener más información, vea Editar la configuración predeterminada y Configurar la visibilidad y el control de accesos de un paquete. + +Descarga de un paquete existente CodeQL +Para ejecutar un paquete que haya creado otra persona, primero debes descargarlo; para ello, ejecuta el comando siguiente: + +codeql pack download /@x.x.x + ``: el nombre de la organización desde la cual descargará. + ``: el nombre del paquete que quiere descargar. + `@x.x.x`: un número de versión opcional. Si se omite, se descargará la versión más reciente. +Este comando acepta argumentos para varios paquetes. + +Si escribe scripts que especifican un número de versión determinado de un paquete de consultas que se va a descargar, tenga en cuenta que, al actualizar la versión de CodeQL a una más reciente, es posible que también tenga que cambiar a una versión más reciente del paquete de consultas. Las versiones más recientes de CodeQL un rendimiento degradado cuando se usan con paquetes de consultas que se han anclado a una versión muy antigua. 
Para obtener más información, vea Referencia de paquetes de consulta de CodeQL. + +Uso de un CodeQL paquete para analizar una CodeQL base de datos +Para analizar una CodeQL base de datos con un CodeQL paquete, ejecute el siguiente comando: + +codeql database analyze /@x.x.x: + ``: la CodeQL base de datos que se va a analizar. + ``: el nombre de la organización de GitHub en la que se publica el paquete. + ``: el nombre del paquete que está usando. + `@x.x.x`: un número de versión opcional. Si se omite, se usará la versión más reciente. + `:`: una ruta de acceso opcional a una consulta, directorio o conjunto de consultas. Si se omite, se usará el conjunto de consultas predeterminado del paquete. +El comando analyze ejecutará el conjunto predeterminado de cualquier CodeQL paquetes especificados. Puede especificar varios CodeQL paquetes que se usarán para analizar una CodeQL base de datos. Por ejemplo: + +codeql analyze / / +Nota: + +El comando codeql pack download almacena el paquete que descarga en una ubicación interna que no está pensada para la modificación local. Si el paquete se modifica después de la descarga se puede producir un comportamiento inesperado (con problemas difíciles de solucionar). Para obtener más información acerca de la personalización de paquetes, consulte Creación y uso de paquetes de CodeQL. From e7160bd7abed7889df1204711182e772210a8d97 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 10:15:56 -0600 Subject: [PATCH 099/103] Create Contributing.yml for contribution guidelines Added guidelines for submitting patches and tutorials, including Contributor License Agreements and pull request instructions. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- Contributing.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 Contributing.yml diff --git a/Contributing.yml b/Contributing.yml new file mode 100644 index 00000000..cd5ed117 --- /dev/null 
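Review bot: the file name `CodeQL,yml` has a comma where the extension dot belongs, sits at the repository root instead of `.github/workflows/`, and its content is translated documentation for `codeql pack publish` and `codeql pack download` with the placeholders stripped (`name: /`, `version:` with no value, `codeql pack download /@x.x.x`), so GitHub Actions will not pick it up and a YAML parser will reject it. If the goal is to bring back code scanning after the `codeql.yml` deletion in PATCH 095, restore that workflow with the `name:` colon fixed; if the goal is documentation, put the text in a `.md` file and link to the upstream page, keeping its own caveat that the `codeql pack download` location is not meant for local modification.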
+++ b/Contributing.yml @@ -0,0 +1,31 @@ +# Contributing: submitting patches and tutorials + +## Submitting a pull request + +### Contributor License Agreements + +We'd love to accept your code patches! However, before we can take them, we +have to jump a couple of legal hurdles. + +Please fill out either the individual or corporate Contributor License +Agreement. + +* If you are an individual writing original source code and you're sure you + own the intellectual property, then sign an [individual CLA](https://developers.google.com/open-source/cla/individual) + . +* If you work for a company that wants to allow you to contribute your work, + then sign a [corporate CLA](https://developers.google.com/open-source/cla/corporate). + +Follow either of the two links above to access the appropriate CLA and +instructions for how to sign and return it. + +1. Sign the contributors license agreement above. +1. Decide which code you want to submit. A submission should be a set of changes + that addresses one issue in the [issue tracker](https://github.com/Google/WebFundamentals/issues). + Please don't mix more than one logical change per submission, because it makes + the history hard to follow. If you want to make a change + (e.g. add a sample or feature) that doesn't have a corresponding issue in the + issue tracker, please create one. +1. **Submitting**: When you are ready to submit, send us a Pull Request. Be + sure to include the issue number you've fixed and the name you used to sign + the CLA. From d614a2b4b6da1d77c7ed64bbc9a1217607100c91 Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 10:18:02 -0600 Subject: [PATCH 100/103] Create Agreements.yml for contributor guidelines Added Contributor License Agreements section with submission guidelines. @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- Agreements,yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 Agreements,yml 
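Review bot: the content is Markdown (`#`/`##` headings, `*` bullets, `1.` numbered steps) committed under a `.yml` extension; rename it to `CONTRIBUTING.md` so GitHub surfaces it on new pull requests. The issue-tracker link points to `https://github.com/Google/WebFundamentals/issues` rather than this repository's tracker, which suggests the text was copied from that project; fix the link and confirm the individual and corporate CLA links are the ones this repository actually requires before asking contributors to sign.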
diff --git a/Agreements,yml b/Agreements,yml new file mode 100644 index 00000000..cd5ed117 --- /dev/null +++ b/Agreements,yml @@ -0,0 +1,31 @@ +# Contributing: submitting patches and tutorials + +## Submitting a pull request + +### Contributor License Agreements + +We'd love to accept your code patches! However, before we can take them, we +have to jump a couple of legal hurdles. + +Please fill out either the individual or corporate Contributor License +Agreement. + +* If you are an individual writing original source code and you're sure you + own the intellectual property, then sign an [individual CLA](https://developers.google.com/open-source/cla/individual) + . +* If you work for a company that wants to allow you to contribute your work, + then sign a [corporate CLA](https://developers.google.com/open-source/cla/corporate). + +Follow either of the two links above to access the appropriate CLA and +instructions for how to sign and return it. + +1. Sign the contributors license agreement above. +1. Decide which code you want to submit. A submission should be a set of changes + that addresses one issue in the [issue tracker](https://github.com/Google/WebFundamentals/issues). + Please don't mix more than one logical change per submission, because it makes + the history hard to follow. If you want to make a change + (e.g. add a sample or feature) that doesn't have a corresponding issue in the + issue tracker, please create one. +1. **Submitting**: When you are ready to submit, send us a Pull Request. Be + sure to include the issue number you've fixed and the name you used to sign + the CLA. From 8de42e4a208a1f35a20c3de618aae87fa60ca87c Mon Sep 17 00:00:00 2001 
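Review bot: `Agreements,yml` is byte-for-byte the same file as `Contributing.yml` from PATCH 099 (both index lines show blob `cd5ed117`), under a second name with a comma in place of the extension dot, and it carries the same `Google/WebFundamentals` issue-tracker link; drop this commit and keep a single `CONTRIBUTING.md`, since two copies of the CLA instructions will diverge.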
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Apr 2026 16:20:14 +0000 Subject: [PATCH 101/103] chore(deps): bump gradle/gradle-build-action Bumps the github_actions group with 1 update in the /.github/workflows directory: [gradle/gradle-build-action](https://github.com/gradle/gradle-build-action). Updates `gradle/gradle-build-action` from 2.1.1 to 2.4.2 - [Release notes](https://github.com/gradle/gradle-build-action/releases) - [Commits](https://github.com/gradle/gradle-build-action/compare/v2.1.1...v2.4.2) --- updated-dependencies: - dependency-name: gradle/gradle-build-action dependency-version: 2.4.2 dependency-type: direct:production dependency-group: github_actions ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 7e906021..a6699c73 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -53,7 +53,7 @@ jobs: - name: Validate Gradle wrapper uses: gradle/wrapper-validation-action@v1 - name: Setup Gradle - uses: gradle/gradle-build-action@v2.1.1 + uses: gradle/gradle-build-action@v2.4.2 with: gradle-version: 7.4 - name: Run tests From 610d86b8afba5562536dac1c792621def057669a Mon Sep 17 00:00:00 2001 From: Gregg Juan Eduardo Palomo Herrera Date: Fri, 10 Apr 2026 10:24:23 -0600 Subject: [PATCH 102/103] Create Patch.yml @gniumg-source Signed-off-by: Gregg Juan Eduardo Palomo Herrera --- Patch.yml | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 Patch.yml diff --git a/Patch.yml b/Patch.yml new file mode 100644 index 00000000..46edee45 --- /dev/null +++ b/Patch.yml 
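Review bot: the bump to `gradle/gradle-build-action@v2.4.2`, like the neighbouring `gradle/wrapper-validation-action@v1`, stays pinned by a mutable tag; for a workflow that runs third-party build tooling, pin both `uses:` lines to the full commit SHA with the version in a trailing comment, so Dependabot can still track them while a moved tag cannot change what runs. The unchanged `gradle-version: 7.4` context line should also be checked against what the upgraded action is expected to resolve.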
@@ -0,0 +1,36 @@ +From e20a33812066554f33bc483230e69886c14af1ce Mon Sep 17 00:00:00 2001 +From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> +Date: Fri, 10 Apr 2026 16:12:00 +0000 +Subject: [PATCH] chore(deps): bump com.google.api-client:google-api-client + +Bumps [com.google.api-client:google-api-client](https://github.com/googleapis/google-api-java-client) from 2.0.0 to 2.9.0. +- [Release notes](https://github.com/googleapis/google-api-java-client/releases) +- [Changelog](https://github.com/googleapis/google-api-java-client/blob/main/CHANGELOG.md) +- [Commits](https://github.com/googleapis/google-api-java-client/compare/v2.0.0...v2.9.0) + +--- +updated-dependencies: +- dependency-name: com.google.api-client:google-api-client + dependency-version: 2.9.0 + dependency-type: direct:production + update-type: version-update:semver-minor +... + +Signed-off-by: dependabot[bot] +--- + gmail/quickstart/build.gradle | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gmail/quickstart/build.gradle b/gmail/quickstart/build.gradle +index ca113827..8f33c4e8 100644 +--- a/gmail/quickstart/build.gradle ++++ b/gmail/quickstart/build.gradle +@@ -11,7 +11,7 @@ repositories { + } + + dependencies { +- implementation 'com.google.api-client:google-api-client:2.0.0' ++ implementation 'com.google.api-client:google-api-client:2.9.0' + implementation 'com.google.oauth-client:google-oauth-client-jetty:1.34.1' + implementation 'com.google.apis:google-api-services-gmail:v1-rev20220404-2.0.0' + } From e4e7b70ffea31c0fb89d5146722e288912120b6b Mon Sep 17 00:00:00 2001 From: Rhe DC-HG Gnium Date: Mon, 13 Apr 2026 06:19:58 -0600 Subject: [PATCH 103/103] =?UTF-8?q?Create=20depuraci=C3=B3n,yml?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @gniumg-source 
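Review bot: `Patch.yml` is a raw `git format-patch` e-mail (headers, `diff --git`, hunk) committed as a file at the repository root; it does not change `gmail/quickstart/build.gradle`, it only stores the text of a change. Apply it with `git am`, or merge the Dependabot PR it came from, and do not commit it. Its context line `implementation 'com.google.oauth-client:google-oauth-client-jetty:1.34.1'` also predates PATCH 096, which moved that line to 1.39.0, so the stored patch no longer applies cleanly to `gmail/quickstart/build.gradle` as of this series.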
Signed-off-by: Rhe DC-HG Gnium --- "depuraci\303\263n,yml" | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 "depuraci\303\263n,yml" diff --git "a/depuraci\303\263n,yml" "b/depuraci\303\263n,yml" new file mode 100644 index 00000000..9f2cf347 --- /dev/null +++ "b/depuraci\303\263n,yml" 
@@ -0,0 +1,26 @@ +Habilitación del registro de depuración +Si los registros de flujo de trabajo no proporcionan suficiente detalle para diagnosticar por qué un flujo de trabajo o paso no funciona como se espera, puedes habilitar más registros de depuración. + +En este artículo +Estas bitácoras extra se habilitan estableciendo los secretos o las variables en el repositorio que contiene el flujo de trabajo, así que se aplicarán los mismos requisitos de los permisos: + +Para crear secretos o variables en GitHub para un repositorio de la organización, debe tener acceso write. Para un repositorio de cuenta personal, debe ser colaborador del repositorio. +Para crear secretos o variables para un entorno en el repositorio de una cuenta personal, debe ser el propietario del repositorio. A fin de crear secretos o variables para un entorno en el repositorio de una organización, debe tener acceso de admin. Para más información sobre los entornos, consulta Administrar entornos para la implementación. +Los propietarios de la organización pueden crear secretos o variables a nivel de organización. +Para más información sobre cómo configurar secretos o variables, consulte Uso de secretos en Acciones de GitHub y Almacenamiento de información en variables. + +Además, cualquier persona que tenga acceso para ejecutar un flujo de trabajo puede habilitar el registro de diagnóstico del ejecutor y el registro de depuración de pasos para volver a ejecutar un flujo de trabajo. Para más información, consulta Volver a ejecutar flujos de trabajo y tareas. + +Habilitar el registro de diagnóstico del ejecutor +Las bitácoras de diagnóstico del ejecutor proporcionan archivos de bitácora adicionales que contienen información acerca de cómo éstos ejecutan un job. Dos archivos de registro adicionales se agregan al archivo de registro: + +El registro del proceso del ejecutor, que incluye información acerca de la coordinación y la configuración de los ejecutores para ejecutar tareas. 
+El registro del proceso del trabajador, que registra la ejecución de una tarea. +Para habilitar el registro de diagnóstico del ejecutor, establezca el siguiente secreto o variable en el repositorio que contiene el flujo de trabajo: ACTIONS_RUNNER_DEBUG o true. Si se establecen tanto el secreto como la variable, el valor del secreto tiene prioridad sobre la variable. +Para descargar los registros de diagnóstico del ejecutor, descarga el archivo de registro del flujo de trabajo. Los registros de diagnóstico del ejecutor se encuentran en la carpeta runner-diagnostic-logs. Para obtener más información sobre cómo descargar registros, consulte: Uso de registros de flujo de trabajo. +Habilitar el registro de depuración del paso +El registro de depuración del paso aumenta el nivel de detalle de los registros de un trabajo durante y después de la ejecución de una tarea. + +Para activar el registro de depuración de pasos, establezca el siguiente secreto o variable en el repositorio que contiene el flujo de trabajo:ACTIONS_STEP_DEBUG a true. Si se establecen tanto el secreto como la variable, el valor del secreto tiene prioridad sobre la variable. +Después de establecer el secreto o la variable, se muestran más eventos de depuración en los registros de pasos. Para más información, consulta Uso de registros de flujo de trabajo. +También puede usar el contexto runner.debug para ejecutar los pasos de manera condicional solo cuando el registro de depuración está habilitado. Para más información, consulta Contextos de referencia.
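Review bot: `depuraci\303\263n,yml` adds a non-ASCII file name with a comma in place of the extension dot, containing translated documentation on `ACTIONS_RUNNER_DEBUG` and `ACTIONS_STEP_DEBUG` rather than YAML; the paste also lost a word in `ACTIONS_RUNNER_DEBUG o true` (the step-debug paragraph has the intended form, `ACTIONS_STEP_DEBUG a true`). Move it to an ASCII-named `.md` file if it is meant as contributor docs, and keep the operational point the text makes: these are repository secrets or variables, so enabling them needs `write` access (`admin` for organization environments), and the secret value takes precedence over the variable when both are set.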