Merge pull request #809 from Checkmarx/miryamFoifer/IACFixes
Fix Iac Vulnerabilities (AST-47963)
miryamfoiferCX authored Aug 11, 2024
2 parents 9acfbd3 + ed2a0d2 commit d17d61d
Showing 5 changed files with 19 additions and 18 deletions.
21 changes: 11 additions & 10 deletions .github/workflows/ci.yml
Expand Up @@ -8,9 +8,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v4
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
- name: Set up Go version
uses: actions/setup-go@v4
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4
with:
go-version-file: go.mod
- run: go version
Expand All @@ -35,9 +35,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v4
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
- name: Set up Go version
uses: actions/setup-go@v4
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4
with:
go-version-file: go.mod
- run: go version
Expand Down Expand Up @@ -106,9 +106,9 @@ jobs:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
- name: Set up Go version
uses: actions/setup-go@v4
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4
with:
go-version-file: go.mod
- run: go version
Expand Down Expand Up @@ -136,13 +136,14 @@ jobs:
name: scan Docker Image with Trivy
steps:
- name: Checkout code
uses: actions/checkout@v2
uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598 #2.0.0


- name: Set up Docker
uses: docker/setup-buildx-action@v1
uses: docker/setup-buildx-action@cf09c5c41b299b55c366aff30022701412eb6ab0 #v1.0.0

- name: Log in to Docker Hub
uses: docker/login-action@v2
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b #v2
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
Expand All @@ -152,7 +153,7 @@ jobs:
run: docker build -t ast-cli:${{ github.sha }} .

- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 #0.20.0
with:
image-ref: 'ast-cli:${{ github.sha }}'
format: 'table'
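Review bot: The Trivy job's checkout is pinned to a v2 release (`uses: actions/checkout@722adc63f1aa60a57ec37892e133b1d319cae598 #2.0.0`) while the other three jobs in this file pin the v4.0.0 commit, so the SHA pin here freezes an old major that, as far as I can tell, is no longer maintained; pin the same `actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4.0.0` in this job, and consider whether `docker/setup-buildx-action` at `#v1.0.0` and `docker/login-action` at `#v2` should move to a current release before being frozen. The trailing comment is what Dependabot/Renovate read to track a pinned SHA, so it should name an exact release tag with a space after the hash (`# v4.0.0`), which `#v4` on the setup-go lines here and in release.yml does not. Each SHA should also be confirmed to resolve to the tag named in its comment (for example with `git ls-remote --tags` on the action repository), since a pin to an unverified commit is no stronger than the tag it replaced.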
2 changes: 1 addition & 1 deletion .github/workflows/manual-integration-test.yml
Expand Up @@ -49,7 +49,7 @@ jobs:
echo ::add-mask::$INP_PROXY_PASSWORD
echo PROXY_PASSWORD="$INP_PROXY_PASSWORD" >> $GITHUB_ENV
- name: Checkout
uses: actions/checkout@v2.3.4
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
- name: Install Go
uses: actions/setup-go@v2
with:
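Review bot: `uses: actions/setup-go@v2` on the line after the pinned checkout is still a mutable tag reference, so this step list is only half-pinned; pin it to a release commit the same way (for instance the setup-go commit already used in ci.yml, `uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4`) or record it as a follow-up. The checkout also moved from `v2.3.4` to the v4.0.0 commit in the same edit, which is a major-version jump rather than a pure pin; presumably intended, but it can change the runner's Node version and default checkout behaviour, so the manual integration workflow should be run once before this is relied on. The enclosing job begins above the hunk.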
6 changes: 3 additions & 3 deletions .github/workflows/one-scan.yml
Expand Up @@ -12,12 +12,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3.0.0
- name: Checkmarx One CLI Action
uses: checkmarx/ast-github-action@main
uses: checkmarx/ast-github-action@6c56658230f79c227a55120e9b24845d574d5225 # main
with:
base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
additional_params: --tags phoenix --threshold "sast-high=1;sca-high=1;sca-medium=1;sca-low=1"
additional_params: --tags phoenix --threshold "sast-high=1;sast-medium=1;sast-low=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;sca-high=1;sca-medium=1;sca-low=1"
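Review bot: `uses: checkmarx/ast-github-action@6c56658230f79c227a55120e9b24845d574d5225 # main` pins a commit taken from a moving branch rather than a release, so the `# main` comment gives automated bumpers nothing to track and a reader no way to tell which version of the action is frozen; pin the commit of a tagged release and comment it as `# vX.Y.Z` (placeholder, use the actual tag). The checkout here is pinned to v3.0.0 (`actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3.0.0`) while ci.yml and release.yml pin v4.0.0; aligning on one version keeps future bumps to a single edit. The widened threshold string on the last line now also fails the scan on sast-medium/low and iac-security findings, which appears to be the point of the PR and is worth a sentence in the description.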
6 changes: 3 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -37,11 +37,11 @@ jobs:
APPLE_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
with:
fetch-depth: 0
- name: Install Go
uses: actions/setup-go@v4
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4
with:
go-version-file: go.mod
- name: Import Code-Signing Certificates
Expand All @@ -64,7 +64,7 @@ jobs:
brew install Bearer/tap/gon
- name: Setup Docker on macOS
if: inputs.dev == false
uses: douglascamata/setup-docker-macos-action@v1-alpha
uses: douglascamata/setup-docker-macos-action@0f8f0e9f1033ccfb6676fe219e91781393f8ed4b #v1-alpha
- name: Test docker
if: inputs.dev == false
run: |
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM cgr.dev/chainguard/bash:latest
FROM cgr.dev/chainguard/bash@sha256:6f0c9e28cbbe206781cb6b0ace299d1d4edbb2450bfadffb8b2e125596d0f6b0

USER nonroot

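Review bot: `FROM cgr.dev/chainguard/bash@sha256:6f0c9e28cbbe206781cb6b0ace299d1d4edbb2450bfadffb8b2e125596d0f6b0` drops the tag entirely, so nothing in the file records which tag the digest was resolved from; keep both, `FROM cgr.dev/chainguard/bash:latest@sha256:6f0c9e28cbbe206781cb6b0ace299d1d4edbb2450bfadffb8b2e125596d0f6b0`, which still pins by digest (the digest wins when both are present) but leaves the tag for readers and for digest-update tooling. A digest pin also means this image no longer picks up the base-image rebuilds that `:latest` used to pull in, so the digest has to be bumped on a schedule (Renovate/Dependabot docker support or a periodic check); otherwise the Trivy job in ci.yml will start reporting fixable CVEs that a rebuild alone no longer clears.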