Merge pull request #1 from eu-digital-identity-wallet/feature/secinte…

…grations added codeowners functionality + security integrations
eu-digital-identity-wallet · Feb 7, 2024 · 99779f1 · 99779f1
2 parents ed0d811 + a7805a0
commit 99779f1
Show file tree

Hide file tree

Showing 5 changed files with 2,353 additions and 0 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @eu-digital-identity-wallet/niscy-admins
diff --git a/.github/workflows/dependencycheck.yml b/.github/workflows/dependencycheck.yml
@@ -0,0 +1,29 @@
+name: SCA - Dependency-Check
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  Dependency_check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Depcheck Action - SCA
+        uses: dependency-check/Dependency-Check_Action@main
+        id: Depcheck
+        with:
+          project: '${{ github.repository }}'
+          path: '.'
+          format: 'HTML'
+          out: 'reports' # this is the default, no need to specify unless you wish to override it
+          args: >
+            --enableRetired
+            --enableExperimental
+      - name: Upload results - SCA
+        uses: actions/upload-artifact@master
+        with:
+           name: Depcheck report
+           path: ${{github.workspace}}/reports
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
@@ -0,0 +1,27 @@
+name: Secret Scanning - Gitleaks
+on:
+  push:
+  workflow_dispatch:
+
+jobs:
+  Secret-Scanning:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Gitleaks from container
+        run: |
+            docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks 
+            docker start GL
+            docker exec GL git config --global --add safe.directory '/src'
+            docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json
+        continue-on-error: true
+
+      - name: upload_artifacts   
+        uses: actions/upload-artifact@v3
+        with:
+          name: Gitleaks Artifact Upload
+          path:  ${{ github.workspace }}/gitleaks-report.json
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -0,0 +1,62 @@
+name: SAST - SonarCloud
+on:
+  push:
+  pull_request_target:
+  workflow_dispatch:
+
+jobs:
+  check_secret:
+    name: Check secret presence
+    runs-on: ubuntu-latest
+    steps:
+    - run: if [[ -z "$SONAR_TOKEN" ]]; then exit 1; else echo "Secret exists. The workflow will be continued"; fi
+    env:
+       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  P_WD_analysis:
+    name: SAST - SonarCloud - Push/WD analysis
+    needs: check_secret
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'push'|| github.event_name == 'workflow_dispatch')
+    steps:
+      - name: Checkout action
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: setup projectkey
+        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+      - name: SonarCloud Scan - Action
+        uses: SonarSource/sonarcloud-github-action@master
+        with:
+            args: >
+                -Dsonar.organization=${{ github.repository_owner }}
+                -Dsonar.projectKey=${{ env.PROJECTKEY }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  PR_analysis:
+    name: SAST- SonarCloud - PR analysis
+    needs: check_secret
+    runs-on: ubuntu-latest
+    if: (github.event_name == 'pull_request_target')
+    steps:
+      - name: Checkout action
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: setup projectkey
+        run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV
+      - name: SonarCloud Scan - Action
+        uses: SonarSource/sonarcloud-github-action@master
+        with:
+            args: >
+                -Dsonar.organization=${{ github.repository_owner }}
+                -Dsonar.projectKey=${{ env.PROJECTKEY }}
+                -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
+                -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }}
+                -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}  # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}