From 8701b228ae6ec7f96af1315790a9d2c692669c77 Mon Sep 17 00:00:00 2001
From: Rory Carson
Date: Thu, 21 Sep 2023 11:47:25 +0200
Subject: [PATCH 1/3] add codeowners and sast
---
.../dependabot-approve-and-request-merge.yml | 15 +++++++++
.github/workflows/sast.yaml | 31 +++++++++++++++++++
2 files changed, 46 insertions(+)
create mode 100644 .github/workflows/dependabot-approve-and-request-merge.yml
create mode 100644 .github/workflows/sast.yaml
diff --git a/.github/workflows/dependabot-approve-and-request-merge.yml b/.github/workflows/dependabot-approve-and-request-merge.yml
new file mode 100644
index 00000000..a2c9b5de
--- /dev/null
+++ b/.github/workflows/dependabot-approve-and-request-merge.yml
@@ -0,0 +1,15 @@
+name: "dependabot approve-and-request-merge"
+
+on: pull_request_target
+
+jobs:
+ worker:
+ permissions:
+ contents: write
+ id-token: write
+ runs-on: ubuntu-latest
+ if: github.actor == 'dependabot[bot]'
+ steps:
+ - uses: contentful/github-auto-merge@v1
+ with:
+ VAULT_URL: ${{ secrets.VAULT_URL }}
diff --git a/.github/workflows/sast.yaml b/.github/workflows/sast.yaml
new file mode 100644
index 00000000..cbb7083f
--- /dev/null
+++ b/.github/workflows/sast.yaml
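Review bot: `uses: contentful/github-auto-merge@v1` is resolved through a mutable tag, yet the `worker` job runs on `pull_request_target` with `contents: write` and `id-token: write` and receives `secrets.VAULT_URL`, so whoever can move that tag decides what executes with those scopes; pin it to a full commit SHA as the sast workflow in this same patch does for `actions/checkout`, e.g. `uses: contentful/github-auto-merge@<commit-sha> # v1`. The job has no checkout step, which is what keeps `pull_request_target` with write scopes acceptable here; a comment such as `# no checkout on purpose: this job runs with write scopes and secrets, never execute PR-controlled code here` would protect that property against a later edit. The `if: github.actor == 'dependabot[bot]'` line is the job's only gate and `github.actor` is the account that triggered the run rather than the PR author, which appears intentional, but stating that in a comment would stop someone from "fixing" it to an author check.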
@@ -0,0 +1,31 @@
+name: SAST (Static Application Security Testing)
+
+on:
+ push:
+ branches: [master, main]
+ pull_request:
+ branches: [master, main]
+
+jobs:
+ polaris:
+ name: polaris / code-scan
+ continue-on-error: true
+ runs-on: ubuntu-latest
+ if: (github.repository_owner == 'contentful') && (endsWith(github.actor, '[bot]') == false)
+ steps:
+ - name: Clone repo
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4
+ with:
+ fetch-depth: 0
+
+ - name: Synopsys Polaris
+ uses: contentful/polaris-action@master
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ polaris_url: ${{ secrets.POLARIS_SERVER_URL }}
+ polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+ debug: true
+ polaris_command: analyze -w --coverity-ignore-capture-failure
+ security_gate_filters: '{ "severity": ["High", "Medium"] }'
+ fail_on_error: false
+ report_url: "https://github.com/contentful/security-tools-config/issues/new?title=False%20positive%20in%20Polaris"
From 11607e8dd80eb9a2b4d02bf4f420069f1412edc7 Mon Sep 17 00:00:00 2001
From: Rory Carson
Date: Thu, 21 Sep 2023 11:58:33 +0200
Subject: [PATCH 2/3] add codeowners
---
.github/CODEOWNERS | 1 +
1 file changed, 1 insertion(+)
create mode 100644 .github/CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 00000000..5d87a95e
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @contentful/team-security
From e10700d4409fdcbf354f34bd4b18799892c920f4 Mon Sep 17 00:00:00 2001
From: Rory Carson
Date: Thu, 21 Sep 2023 12:05:39 +0200
Subject: [PATCH 3/3] add vault-secrets
---
.contentful/vault-secrets.yaml | 5 +++++
1 file changed, 5 insertions(+)
create mode 100644 .contentful/vault-secrets.yaml
diff --git a/.contentful/vault-secrets.yaml b/.contentful/vault-secrets.yaml
new file mode 100644
index 00000000..7beafba2
--- /dev/null
+++ b/.contentful/vault-secrets.yaml
@@ -0,0 +1,5 @@
+version: 1
+services:
+ github-action:
+ policies:
+ - dependabot
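Review bot: `uses: contentful/polaris-action@master` runs an action from a floating branch inside a step that receives `secrets.GITHUB_TOKEN`, `POLARIS_SERVER_URL` and `POLARIS_ACCESS_TOKEN`, whereas the checkout step a few lines above is pinned to a full commit SHA with a `# v4` comment; pin it the same way, `uses: contentful/polaris-action@<commit-sha> # master`, so a change on that branch cannot silently alter what runs with those secrets. The `polaris` job also declares no `permissions:` block, so the token gets the repository's default scopes; an explicit least-privilege block (`permissions:` with `contents: read` plus whatever the action actually needs, which is not visible here) would both bound and document it. With `continue-on-error: true` and `fail_on_error: false` the `security_gate_filters` line can never block a merge; if that is intentional during rollout, a comment saying so and when it is expected to change would stop a later reader from assuming High/Medium findings are enforced. `debug: true` may make the step log more verbose than intended for a public repository — worth confirming what the action prints at that level.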
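Review bot: The `- dependabot` policy entry carries no comment saying what it grants or which workflow consumes it; the first patch in this series adds a workflow requesting `id-token: write` and reading `secrets.VAULT_URL`, which is presumably the consumer, but nothing in this file says so. A one-line comment above the entry, e.g. `# consumed by .github/workflows/dependabot-approve-and-request-merge.yml; keep this policy list minimal`, would tie the two files together and make any later widening of the list reviewable.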