From d10385b785cc435bb1025c48b77768cdfe9efa16 Mon Sep 17 00:00:00 2001
From: Petr Ruzicka
Date: Sun, 4 Feb 2024 09:36:17 +0100
Subject: [PATCH] refactor(trivy): rename .trivyignore.yml -> .trivyignore.yaml

---
 .github/ISSUE_TEMPLATE/config.yml     |  4 ++--
 .github/renovate.json5                | 13 +++++++++++--
 .github/workflows/markdown-check.yml  |  8 +-------
 .github/workflows/mega-linter.yml     |  3 ---
 .gitignore                            |  3 +++
 .mega-linter.yml                      |  6 +++---
 .trivyignore.yml => .trivyignore.yaml |  0
 Dockerfile                            |  2 +-
 entrypoint.sh                         |  1 -
 9 files changed, 21 insertions(+), 19 deletions(-)
 rename .trivyignore.yml => .trivyignore.yaml (100%)

diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index 44d6533..ed5ca68 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,8 +1,8 @@
 blank_issues_enabled: false
 contact_links:
   - name: GitHub Actions Community Forum
-    url: https://github.community/t5/GitHub-Actions/bd-p/actions
+    url: https://github.com/orgs/community/discussions/
     about: Please ask questions about GitHub Actions here.
   - name: GitHub Pages help
     url: https://help.github.com/en/github/working-with-github-pages
-    about: GitHub Pages documentaion here.
+    about: GitHub Pages documentation here.
diff --git a/.github/renovate.json5 b/.github/renovate.json5
index 4df6f74..1117e58 100644
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@@ -2,17 +2,26 @@
   $schema: "https://docs.renovatebot.com/renovate-schema.json",
   extends: [
     "config:recommended",
+    "docker:pinDigests",
+    "helpers:pinGitHubActionDigestsToSemver",
+    "security:openssf-scorecard",
     ":disableDependencyDashboard",
+    ":docker",
     ":disableRateLimiting",
     ":enableVulnerabilityAlertsWithLabel(security)",
-    "helpers:pinGitHubActionDigestsToSemver",
-    "security:openssf-scorecard",
   ],
+  "git-submodules": {
+    enabled: true,
+  },
   labels: [
     "renovate",
     "renovate/{{replace '.*/' '' depName}}",
     "renovate/{{updateType}}",
   ],
+  lockFileMaintenance: {
+    enabled: true,
+    schedule: ["before 6am on Sunday"],
+  },
   packageRules: [
     {
       matchUpdateTypes: ["major"],
diff --git a/.github/workflows/markdown-check.yml b/.github/workflows/markdown-check.yml
index 4448bf8..4282211 100644
--- a/.github/workflows/markdown-check.yml
+++ b/.github/workflows/markdown-check.yml
@@ -1,14 +1,8 @@
 name: markdown-check
 
 on:
-  pull_request:
-    types: [opened, synchronize]
-    paths:
-      - "**.md"
-      - .github/workflows/markdown-check.yml
-      - .markdownlint.yml
   push:
-    branches:
+    branches-ignore:
       - main
     paths:
       - "**.md"
diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
index 6de2a76..da4e06b 100644
--- a/.github/workflows/mega-linter.yml
+++ b/.github/workflows/mega-linter.yml
@@ -13,9 +13,6 @@ jobs:
   build:
     name: MegaLinter
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      statuses: write
     steps:
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
diff --git a/.gitignore b/.gitignore
index b11b919..645c6dd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,5 @@
 # pre-commit configuration file
 .pre-commit-config.yaml
+
+# Lychee cache
+.lycheecache
diff --git a/.mega-linter.yml b/.mega-linter.yml
index d128acd..a768b6b 100644
--- a/.mega-linter.yml
+++ b/.mega-linter.yml
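Review bot: The commit subject (a `.trivyignore` rename) says nothing about the Renovate behaviour changes made in this hunk: `docker:pinDigests`, `:docker`, the `git-submodules` block and `lockFileMaintenance` are new, while `helpers:pinGitHubActionDigestsToSemver` and `security:openssf-scorecard` are only moved within `extends`. Digest pinning in particular is a supply-chain hardening change that will rewrite every Docker image reference Renovate manages, so it deserves a line in the commit description or a commit of its own. A short comment above the new presets would also help the next reader, e.g. `// docker:pinDigests: pin managed image references to their digests, not just tags`.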
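Review bot: Removing the `pull_request` trigger and switching `push` to `branches-ignore: [main]` means the markdown check no longer runs for pull requests opened from forks (their pushes do not raise `push` events in this repository) nor for direct pushes to `main`; only pushes to non-main branches of this repository are still linted. If the goal is to avoid duplicate runs on in-repo PR branches, keeping `pull_request:` with the same `paths:` filter (`- "**.md"`) next to the `push` block preserves fork coverage. Otherwise a comment on the `on:` block stating why forks and `main` are excluded would make the narrower trigger a deliberate choice rather than an accidental gap.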
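Review bot: Dropping the job-level `permissions:` block is only a least-privilege improvement if the workflow also sets a restrictive top-level `permissions:`; the workflow header is outside this hunk, and without one the job falls back to the repository's default `GITHUB_TOKEN` permissions, which can be broader than the removed `contents: write` / `statuses: write`. The minimal explicit form is `permissions:` / `  contents: read` on the job, widened only for a step shown to need it — MegaLinter's GitHub status reporter, if it is enabled, posts commit statuses and would need `statuses: write`, and any fix-committing step would need `contents: write`. Only the `checkout` step is visible here, so whether either is required cannot be confirmed from the hunk.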
@@ -6,6 +6,7 @@ BASH_SHFMT_ARGUMENTS: --indent 2 --space-redirects
 DISABLE_LINTERS:
   - MARKDOWN_MARKDOWN_LINK_CHECK # Using lychee instead
   - SPELL_CSPELL
+  - TERRAFORM_TERRASCAN # Hard to configure - no documentation of the config file
 
 # Remove: To receive reports as email, please set variable EMAIL_REPORTER_EMAIL
 EMAIL_REPORTER: false
@@ -32,10 +33,9 @@ REPOSITORY_CHECKOV_ARGUMENTS: --skip-check CKV_GHA_7
 # Do not leave debug code in production, Insecure URL
 REPOSITORY_DEVSKIM_ARGUMENTS: --ignore-globs CHANGELOG.md --ignore-rule-ids DS162092,DS137138
 
-# Communication Over HTTP
-REPOSITORY_KICS_ARGUMENTS: --exclude-queries 2e8d4922-8362-4606-8c14-aa10466a1ce3
+REPOSITORY_KICS_ARGUMENTS: --fail-on high
 
-REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yml --severity HIGH,CRITICAL
+REPOSITORY_TRIVY_ARGUMENTS: --ignorefile .trivyignore.yaml --severity HIGH,CRITICAL
 
 TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
   - GITHUB_TOKEN
diff --git a/.trivyignore.yml b/.trivyignore.yaml
similarity index 100%
rename from .trivyignore.yml
rename to .trivyignore.yaml
diff --git a/Dockerfile b/Dockerfile
index a56e46b..26174fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-# kics-scan disable=fd54f200-402c-4333-a5a4-36ef6709af2f,d3499f6d-1651-41bb-a9a7-de925fea487b
+# kics-scan disable=fd54f200-402c-4333-a5a4-36ef6709af2f
 # checkov:skip=CKV_DOCKER_3: Ensure that a user for the container has been created
 # checkov:skip=CKV2_DOCKER_1: Ensure that sudo isn't used
 
diff --git a/entrypoint.sh b/entrypoint.sh
index 3d2f502..ac844bf 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
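Review bot: The `REPOSITORY_KICS_ARGUMENTS` change in the second hunk replaces a targeted exclusion of one query (`--exclude-queries 2e8d4922-…`, commented as "Communication Over HTTP") with `--fail-on high`, which stops KICS failing the run on every finding below high severity, not just that one; the commit subject (a rename) does not mention this loosening of the gate, and whether CRITICAL findings still fail depends on the KICS version's severity list. If the new threshold is intended, keep the reason on the line as the removed comment did, e.g. `# KICS: only high-severity findings fail the run; lower severities are report-only`. The `.trivyignore.yaml` rename on the following line matches the file rename in this patch.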
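Review bot: The remaining `# kics-scan disable=fd54f200-402c-4333-a5a4-36ef6709af2f` suppression carries no description, unlike the adjacent `checkov:skip` lines that name the rule they waive, so once the second id is dropped a reader cannot tell which KICS finding is still being accepted or why. A comment line above it in the same style, `# KICS <query name>: <reason this Dockerfile accepts the finding>`, keeps the suppression reviewable. The dropped `d3499f6d-…` id may simply have become redundant with the new `--fail-on high` KICS threshold in `.mega-linter.yml`, but that is not stated anywhere in the patch.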
@@ -43,7 +43,6 @@ print_info() {
 # Remove all added files or changed /etc/hosts entry
 cleanup() {
   if [ -n "${PAGES_PATH}" ]; then
-    # Ignore DevSkim - Accessing localhost could indicate debug code, or could hinder scaling.
     $sudo_cmd bash -c "sed -i \"/127.0.0.1 ${PAGES_DOMAIN} # Created by my-broken-link-checker/d\" /etc/hosts || true"
     $sudo_cmd caddy stop &> /dev/null
     [ -f "${CADDYFILE}" ] && rm "${CADDYFILE}"
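Review bot: The `sed -i` address on the line after the removed comment interpolates `${PAGES_DOMAIN}` unescaped into a regex inside a nested `bash -c` string; if the domain ever contains `/` or other regex metacharacters the address breaks, and the trailing `|| true` then hides the failed `/etc/hosts` cleanup. Since `$sudo_cmd` can prefix the command directly, the nested shell is unnecessary: `$sudo_cmd sed -i "/127\.0\.0\.1 ${PAGES_DOMAIN} # Created by my-broken-link-checker/d" /etc/hosts || true` removes one layer of quoting and escapes the dots of the address, which currently match any character. `cleanup()` continues past the end of the hunk.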