From 72a5b104be785711cddf4d9efec9ef2ba9cff755 Mon Sep 17 00:00:00 2001
From: Barabanov
Date: Wed, 15 Jan 2025 17:47:43 +0000
Subject: [PATCH] fix format

---
.github/workflows/code_scan.yaml | 94 ++++++++++++++++----------------
.github/workflows/codeql.yaml | 15 +++--
2 files changed, 53 insertions(+), 56 deletions(-)

diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml
index cd58c70279..85d0d8abb1 100644
--- a/.github/workflows/code_scan.yaml
+++ b/.github/workflows/code_scan.yaml
@@ -26,7 +26,7 @@ jobs:
run: python -m pip install --require-hashes --no-deps -r .ci/requirements.txt
- name: Freeze dependencies
run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml
-
+
- name: Run Trivy Scan (vuln)
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
@@ -34,7 +34,7 @@ jobs:
scan-ref: requirements.txt
scanners: vuln
output: trivy-results-vuln.txt
-
+
- name: Run Trivy Scan (dockerfile and secrets)
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
@@ -51,7 +51,7 @@ jobs:
scan-ref: .
format: spdx-json
output: trivy-results-spdx.json
- skip-setup-trivy: true
+ skip-setup-trivy: true

- name: Upload Trivy results artifact
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
@@ -61,15 +61,15 @@ jobs:
retention-days: 7
# Use always() to always run this step to publish scan results when there are test failures
if: ${{ always() }}
-
+
- name: Upload deps list
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
if: always()
with:
name: python-deps-list
- path: '${{ github.workspace }}/requirements.txt'
+ path: "${{ github.workspace }}/requirements.txt"
retention-days: 7
-
+
Bandit:
runs-on: ubuntu-22.04
steps:
@@ -107,54 +107,52 @@ jobs:
fail-fast: false
matrix:
include:
- - language: python
- build-mode: none
- - language: actions # to scan workflows
- build-mode: none
+ - language: python
+ build-mode: none
+ - language: actions # to scan workflows
+ build-mode: none
steps:
-
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
- with:
- languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
- with:
- category: "/language:${{matrix.language}}"
-
- - name: Generate CodeQL Report
- uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- template: report
- outputDir: codeql-${{ matrix.language }}
-
- - name: Rename Report
- shell: bash
- continue-on-error: true
- run: |
- cd codeql-${{ matrix.language }}
- mv "report.pdf" "codeql-${{ matrix.language }}.pdf"
-
- - name: Upload Report
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
- with:
- name: codeql-${{ matrix.language }}-results
- path: codeql-${{ matrix.language }}/*.pdf
- retention-days: 7
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ with:
+ category: "/language:${{matrix.language}}"
+
+ - name: Generate CodeQL Report
+ uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ template: report
+ outputDir: codeql-${{ matrix.language }}
+
+ - name: Rename Report
+ shell: bash
+ continue-on-error: true
+ run: |
+ cd codeql-${{ matrix.language }}
+ mv "report.pdf" "codeql-${{ matrix.language }}.pdf"
+
+ - name: Upload Report
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+ with:
+ name: codeql-${{ matrix.language }}-results
+ path: codeql-${{ matrix.language }}/*.pdf
+ retention-days: 7
Summarize:
needs: [Trivy, Bandit, CodeQL]
if: always()
runs-on: ubuntu-22.04
steps:
- # Create directory first
- name: Create results directory
run: mkdir -p all-results
@@ -175,4 +173,4 @@ jobs:
with:
name: security-scan-results
path: all-results
- retention-days: 7
\ No newline at end of file
+ retention-days: 7
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index c6f613da6b..49e78c1ac6 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -18,7 +18,6 @@ on:
- reopened
- synchronize
-
jobs:
analyze:
name: Analyze
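Review bot: In the re-indented `Rename Report` step, `${{ matrix.language }}` is expanded straight into the `run:` shell script (`cd codeql-${{ matrix.language }}` and the `mv` line), and the `Rename Report` hunk of codeql.yaml has the same pattern. Because the matrix in this hunk is fixed to the literals `python` and `actions`, this is not a script-injection risk today, but GitHub's hardening guidance is to hand expressions to shell steps through `env:` so the value is never interpreted as shell, which keeps the step safe if the matrix is ever populated from a trigger payload. `outputDir: codeql-${{ matrix.language }}` and the `path:` of `Upload Report` are action inputs rather than shell and can stay as they are. The enclosing job (presumably `CodeQL`, from the `needs:` list below) starts before this hunk.

```yaml
- name: Rename Report
  # … unchanged: shell, continue-on-error …
  env:
    CODEQL_LANG: ${{ matrix.language }}
  run: |
    cd "codeql-$CODEQL_LANG"
    mv "report.pdf" "codeql-$CODEQL_LANG.pdf"
```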
@@ -37,10 +36,10 @@ jobs:
fail-fast: false
matrix:
include:
- - language: python
- build-mode: none
- - language: actions # to scan workflows
- build-mode: none
+ - language: python
+ build-mode: none
+ - language: actions # to scan workflows
+ build-mode: none
# CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
# Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
# Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
@@ -67,21 +66,21 @@ jobs:
uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
with:
category: "/language:${{matrix.language}}"
-
+
- name: Generate Security Report
uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
with:
template: report
token: ${{ secrets.GITHUB_TOKEN }}
outputDir: codeql-${{ matrix.language }}
-
+
- name: Rename Report
shell: bash
continue-on-error: true
run: |
cd codeql-${{ matrix.language }}
mv "report.pdf" "codeql-${{ matrix.language }}.pdf"
-
+
- name: GitHub Upload Release Artifacts
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with: