From 97786f334ad3f1c21c35bb19d8bd7232820ed4bc Mon Sep 17 00:00:00 2001 From: Lessley Date: Tue, 12 Dec 2023 14:12:54 -0700 Subject: [PATCH 1/2] workflows: add dependency review --- .github/workflows/dependency-review.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..60b0cff --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,25 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: "Dependency Review" +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: "Checkout Repository" + uses: actions/checkout@v3 + + - name: "Dependency Review" + uses: actions/dependency-review-action@v3 + with: + fail-on-severity: high + allow-dependencies-licenses: "pkg:github/python/typing_extensions" + deny-licenses: AAL, BSD-Protection, ADSL, Adobe-Glyph, AGPL-1.0, GPL-3.0 From a830cadb258bf2828e74ad800dcfeae9c8dbe0a9 Mon Sep 17 00:00:00 2001 From: Lessley Date: Tue, 6 Feb 2024 10:42:09 -0700 Subject: [PATCH 2/2] add example ZAP workflow --- .github/workflows/zap.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .github/workflows/zap.yml diff --git a/.github/workflows/zap.yml b/.github/workflows/zap.yml new file mode 100644 index 0000000..cc8e73c --- /dev/null +++ b/.github/workflows/zap.yml @@ -0,0 +1,13 @@ +name: ZAP Scan + +on: [push] + +jobs: + zap_scan: + runs-on: ubuntu-latest + + steps: + - name: ZAP Scan + uses: zaproxy/action-full-scan@v0.9.0 + with: + target: "https://www.zaproxy.org/"