contentstack · aman19K · Feb 23, 2024 · Feb 12, 2024 · Feb 12, 2024 · Feb 12, 2024
@@ -0,0 +1,33 @@
+name: Create JIRA ISSUE
+on:
+  pull_request:
+    types: [opened]
+jobs:
+  security-jira:
+    if: ${{ github.actor == 'dependabot[bot]' || github.actor == 'snyk-bot' || contains(github.event.pull_request.head.ref, 'snyk-fix-')  || contains(github.event.pull_request.head.ref, 'snyk-upgrade-')}}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Login into JIRA
+        uses: atlassian/gajira-login@master
+        env:
+          JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
+          JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
+          JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
+      - name: Create a JIRA Issue
+        id: create
+        uses: atlassian/gajira-create@master
+        with:
+          project: ${{ secrets.JIRA_PROJECT }}
+          issuetype: ${{ secrets.JIRA_ISSUE_TYPE }}
+          summary: |
+            ${{ github.event.pull_request.title }}
+          description: |
+            PR: ${{ github.event.pull_request.html_url }}
+
+          fields: "${{ secrets.JIRA_FIELDS }}"
+      - name: Transition issue
+        uses: atlassian/gajira-transition@v3
+        with:
+          issue: ${{ steps.create.outputs.issue }}
+          transition: ${{ secrets.JIRA_TRANSITION }}
@@ -0,0 +1,11 @@
+name: SAST Scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  security-sast:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Semgrep Scan
+        run: docker run -v /var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/src" returntocorp/semgrep semgrep scan --config auto
@@ -0,0 +1,15 @@
+name: Source Composition Analysis Scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  security-sca:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --fail-on=all
@@ -0,0 +1,54 @@
+name: Secrets Scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  security-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Expect, jq and Python
+        run: sudo apt-get install -y expect jq python3 python3-pip  wkhtmltopdf
+
+      - name: Install Python packages
+        run: pip install pandas json2html tabulate
+
+      - name: Install Talisman
+        run: |
+          curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/v1.32.0/install.sh > install.bash
+          chmod +x install.bash
+          ./install.bash
+
+      - name: Run Talisman
+        id: run_talisman
+        run: /usr/local/bin/talisman --scan
+        continue-on-error: true
+
+      - name: Convert JSON to HTML
+        run: |
+          python3 -c "
+          import json
+          import os
+          from json2html import *
+          with open('talisman_report/talisman_reports/data/report.json') as f:
+              data = json.load(f)
+          html = json2html.convert(json = data)
+          os.makedirs('talisman_html_report', exist_ok=True)
+          with open('talisman_html_report/report.html', 'w') as f:
+              f.write(html)
+          " && wkhtmltopdf talisman_html_report/report.html talisman_report.pdf
+
+      - name: Upload Report
+        id: upload_report
+        uses: actions/upload-artifact@v4
+        with:
+          name: talisman-report-pdf
+          path: talisman_report.pdf
+
+      - name: Check the status of talisman scan
+        run: |
+          # if [[ ${{ steps.run_talisman.outcome }} == "success" ]]; then exit 0; else echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}" && exit 1; fi
+          echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}";