From 7e8b2121e1bdd04a954861ed2e226585d0553dbf Mon Sep 17 00:00:00 2001
From: Petr Ruzicka
Date: Sun, 28 Jan 2024 06:55:57 +0100
Subject: [PATCH] feat(gha): make checkov config part of megalinter
---
 .checkov.yml | 4 ----
 .dockerignore | 1 +
 .github/workflows/renovate.yml | 2 +-
 .mega-linter.yml | 10 ++++++++++
 entrypoint.sh | 4 ++--
 lychee.toml | 3 ---
 6 files changed, 14 insertions(+), 10 deletions(-)
 delete mode 100644 .checkov.yml
diff --git a/.checkov.yml b/.checkov.yml
deleted file mode 100644
index bac3446..0000000
--- a/.checkov.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-skip-check:
- # Issue: https://github.com/bridgecrewio/checkov/issues/3839
- # The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
- - CKV_GHA_7
diff --git a/.dockerignore b/.dockerignore
index 01d71ff..2908cf4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,6 @@
 .git
 .github
+demo
 images
 tests
 .*.yaml
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 915f979..0ded281 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -53,6 +53,6 @@ jobs:
 private-key: "${{ secrets.MY_RENOVATE_GITHUB_PRIVATE_KEY }}"
 - name: 💡 Self-hosted Renovate
- uses: renovatebot/github-action@bf21d623a81a349d57109049960248ab12c62431 # v40.0.0
+ uses: renovatebot/github-action@42c1d3cb1d1ca891765626ba71cdff5e757258de # v40.0.2
 with:
 token: "${{ steps.app-token.outputs.token }}"
diff --git a/.mega-linter.yml b/.mega-linter.yml
index 48baab4..6c3d806 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
@@ -25,6 +25,16 @@ PRINT_ALPACA: false
 # Disable creating report directory
 REPORT_OUTPUT_FOLDER: none
+# Issue: https://github.com/bridgecrewio/checkov/issues/3839
+# The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty
+REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7
+
+# Do not leave debug code in production, Insecure URL
+REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138
+
+# Communication Over HTTP
+REPOSITORY_KICS_ARGUMENTS: --exclude-queries 2e8d4922-8362-4606-8c14-aa10466a1ce3
+
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
 - GITHUB_TOKEN
diff --git a/entrypoint.sh b/entrypoint.sh
index fb9b622..3d2f502 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -44,7 +44,7 @@ print_info() {
 cleanup() {
 if [ -n "${PAGES_PATH}" ]; then
 # Ignore DevSkim - Accessing localhost could indicate debug code, or could hinder scaling.
- $sudo_cmd bash -c "sed -i \"/127.0.0.1 ${PAGES_DOMAIN} # Created by my-broken-link-checker/d\" /etc/hosts || true" # DevSkim: ignore DS162092
+ $sudo_cmd bash -c "sed -i \"/127.0.0.1 ${PAGES_DOMAIN} # Created by my-broken-link-checker/d\" /etc/hosts || true"
 $sudo_cmd caddy stop &> /dev/null
 [ -f "${CADDYFILE}" ] && rm "${CADDYFILE}"
 [ -f "${CADDY_LOG}" ] && rm "${CADDY_LOG}"
@@ -115,7 +115,7 @@ else
 # Add domain into /etc/hosts
 if ! grep -q "${PAGES_DOMAIN}" /etc/hosts; then
- $sudo_cmd bash -c "echo \"127.0.0.1 ${PAGES_DOMAIN} # Created by my-broken-link-checker\" >> /etc/hosts" # DevSkim: ignore DS162092
+ $sudo_cmd bash -c "echo \"127.0.0.1 ${PAGES_DOMAIN} # Created by my-broken-link-checker\" >> /etc/hosts"
 fi
 {
diff --git a/lychee.toml b/lychee.toml
index 86d353b..a367ec2 100644
--- a/lychee.toml
+++ b/lychee.toml
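Review bot: `REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138` and `REPOSITORY_KICS_ARGUMENTS: --exclude-queries 2e8d4922-8362-4606-8c14-aa10466a1ce3` replace the per-line `# DevSkim: ignore DS162092` markers this commit removes from entrypoint.sh with repository-wide suppressions, so a plaintext `http://` URL or a new localhost reference added later to the Dockerfile, workflows or scripts will no longer be reported by either DevSkim ("Insecure URL") or KICS ("Communication Over HTTP"). If the only legitimate findings are the loopback `/etc/hosts` entry and local caddy server in entrypoint.sh, narrowing DevSkim with `--ignore-globs entrypoint.sh` (or keeping the inline markers) and scoping the KICS exclusion to that path would keep the rules active everywhere else; whether other files also trigger them is not visible from this diff. The two comment lines above these keys only repeat the rule titles, so the reason the findings are acceptable here should be recorded next to them, e.g. `# The loopback hosts entry and local caddy server in entrypoint.sh serve the built pages over plain HTTP only on 127.0.0.1 for link checking — confirm these are the only hits before widening the exclusion`.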
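Review bot: The context line `# Ignore DevSkim - Accessing localhost could indicate debug code, or could hinder scaling.` now explains a marker that is gone, since the trailing `# DevSkim: ignore DS162092` on the following line is dropped here and the suppression moves to the repository-wide `REPOSITORY_DEVSKIM_ARGUMENTS`; rewording it to state the intent, e.g. `# Loopback entry is intentional: the built pages are served locally by caddy for link checking (DS162092 is suppressed repo-wide in .mega-linter.yml)`, saves the next reader from hunting for the marker. On the retained line, `${PAGES_DOMAIN}` is interpolated both into the string handed to `$sudo_cmd bash -c` and into a sed address delimited by `/`, so a value containing `/`, `"` or `;` would break the expression or execute additional commands under sudo; if that value can come from an action input rather than a fixed setting (its definition is not visible here), validating it against a hostname pattern earlier in the script would close that off. cleanup()'s body continues past the end of the hunk.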
@@ -37,6 +37,3 @@ exclude_path = [
 # Equivalent to setting `exclude_private`, `exclude_link_local`, and
 # `exclude_loopback` to true
 exclude_all_private = true
-
-# Exclude all mail addresses from checking
-exclude_mail = true