From c0b72a64f35a5bcf5a497c69b5a5283c79928aef Mon Sep 17 00:00:00 2001
From: Ian Cardoso
Date: Mon, 4 Oct 2021 15:11:09 -0300
Subject: [PATCH] actions: att security to show risk-accepted
Signed-off-by: Ian Cardoso
---
 .github/workflows/alpha.yml | 5 ++++-
 .github/workflows/analytic-pipeline.yml | 4 ++--
 .github/workflows/api-pipeline.yml | 4 ++--
 .github/workflows/auth-pipeline.yml | 4 ++--
 .github/workflows/core-pipeline.yml | 4 ++--
 .github/workflows/license.yaml | 1 +
 .github/workflows/manager-pipeline.yml | 3 +--
 .github/workflows/messages-pipeline.yml | 4 ++--
 .github/workflows/migrations-pipeline.yml | 4 ++--
 .github/workflows/new-release.yml | 7 ++++---
 .github/workflows/vulnerability-pipeline.yml | 4 ++--
 .github/workflows/webhook-pipeline.yml | 4 ++--
 12 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/alpha.yml b/.github/workflows/alpha.yml
index fefa903ff..0bef06933 100644
--- a/.github/workflows/alpha.yml
+++ b/.github/workflows/alpha.yml
@@ -18,9 +18,12 @@ on: push: branches: - main - +permissions: read-all jobs: Alpha: + permissions: + contents: write + packages: write runs-on: ubuntu-latest env: COSIGN_KEY_LOCATION: /tmp/cosign.key
diff --git a/.github/workflows/analytic-pipeline.yml b/.github/workflows/analytic-pipeline.yml
index abee088c0..09df12872 100644
--- a/.github/workflows/analytic-pipeline.yml
+++ b/.github/workflows/analytic-pipeline.yml
@@ -14,7 +14,7 @@ name: Analytic on: ["push"] - +permissions: read-all jobs: lint-coverage-build-security: runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Analytic" -G true
+ horusec start -p . -e -n="Horusec/Platform-Analytic" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
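Review bot: The workflow-level `permissions: read-all` added before `jobs:` in alpha.yml is broader than least privilege calls for; a tighter default is `permissions:` / `  contents: read` (or `permissions: {}`), with the write scopes granted per job exactly as the new block under `Alpha:` does. Keep in mind that a job-level `permissions` block replaces the workflow-level set for that job rather than extending it, so any scope `Alpha` uses beyond `contents` and `packages` must be listed there or it is `none`. The same `read-all` default is added in analytic-pipeline.yml, api-pipeline.yml, auth-pipeline.yml, core-pipeline.yml, license.yaml, messages-pipeline.yml, migrations-pipeline.yml, new-release.yml, vulnerability-pipeline.yml and webhook-pipeline.yml; as far as these hunks show, the scan pipelines only check out and analyse, for which `contents: read` should be enough. The `Alpha` job continues outside the hunk.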
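Review bot: The new `--show-vulnerabilities-types="Vulnerability, Risk Accepted"` on the `horusec start` line is combined with `-e`, which is presumably the return-error switch; if the exit decision counts every type listed here rather than only `Vulnerability`, findings already marked risk-accepted on the Horusec platform would start failing this pipeline, so confirm the intended behaviour before merging. Dropping the trailing `true` after `-e` and `-G` looks right if both are boolean switches, since the extra word was then being passed as a stray positional argument. The same rewrite is made in api-pipeline.yml, auth-pipeline.yml, core-pipeline.yml, messages-pipeline.yml, migrations-pipeline.yml, vulnerability-pipeline.yml and webhook-pipeline.yml; manager-pipeline.yml additionally gains `-e`, which it did not have before, so that pipeline will begin failing on findings for the first time and the commit message should say so.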
diff --git a/.github/workflows/api-pipeline.yml b/.github/workflows/api-pipeline.yml
index 10e9bda92..c69ff7517 100644
--- a/.github/workflows/api-pipeline.yml
+++ b/.github/workflows/api-pipeline.yml
@@ -14,7 +14,7 @@ name: Api on: ["push"] - +permissions: read-all jobs: lint-coverage-build-security: runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Api" -G true
+ horusec start -p . -e -n="Horusec/Platform-Api" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/auth-pipeline.yml b/.github/workflows/auth-pipeline.yml
index 5d85eeed8..b7d489560 100644
--- a/.github/workflows/auth-pipeline.yml
+++ b/.github/workflows/auth-pipeline.yml
@@ -14,7 +14,7 @@ name: Auth on: ["push"] - +permissions: read-all jobs: lint-coverage-build-security: runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Auth" -G true
+ horusec start -p . -e -n="Horusec/Platform-Auth" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/core-pipeline.yml b/.github/workflows/core-pipeline.yml
index a48f17b8f..4ec73a633 100644
--- a/.github/workflows/core-pipeline.yml
+++ b/.github/workflows/core-pipeline.yml
@@ -14,7 +14,7 @@ name: Core on: ["push"] - +permissions: read-all jobs: lint-coverage-build-security: runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Core" -G true
+ horusec start -p . -e -n="Horusec/Platform-Core" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/license.yaml b/.github/workflows/license.yaml
index 7d3d69a49..5e9012746 100644
--- a/.github/workflows/license.yaml
+++ b/.github/workflows/license.yaml
@@ -14,6 +14,7 @@ name: License on: [ "push" ] +permissions: read-all jobs: license: runs-on: ubuntu-latest
diff --git a/.github/workflows/manager-pipeline.yml b/.github/workflows/manager-pipeline.yml
index f5a129ca7..f68339a77 100644
--- a/.github/workflows/manager-pipeline.yml
+++ b/.github/workflows/manager-pipeline.yml
@@ -14,7 +14,6 @@ name: Manager on: ["push"] - jobs: lint-coverage-build-security: runs-on: ubuntu-latest
@@ -52,4 +51,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -n="Horusec/Platform-Manager" -G true
+ horusec start -p . -n="Horusec/Platform-Manager" -G -e --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/messages-pipeline.yml b/.github/workflows/messages-pipeline.yml
index a8e743954..5718b3118 100644
--- a/.github/workflows/messages-pipeline.yml
+++ b/.github/workflows/messages-pipeline.yml
@@ -14,7 +14,7 @@ name: Messages on: ["push"] - +permissions: read-all jobs: lint-coverage-build-security: runs-on: ubuntu-latest
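Review bot: The first manager-pipeline.yml hunk (`@@ -14,7 +14,6 @@`) only deletes the blank line after `on: ["push"]` and adds no `permissions:` key, so this is the one workflow in the series that keeps the repository's default token permissions; the diffstat entry `3 +--` confirms that hunk contains no insertion. Either the line was lost while editing or the omission is deliberate, and in the latter case a comment saying why would save the next reader from re-raising it. If it is meant to match the other pipelines, add `permissions: read-all` (or the tighter `permissions:` / `  contents: read`) in the same place before `jobs:`.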
@@ -40,4 +40,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Messages" -G true
+ horusec start -p . -e -n="Horusec/Platform-Messages" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/migrations-pipeline.yml b/.github/workflows/migrations-pipeline.yml
index 4dc5ec54e..ebb394902 100644
--- a/.github/workflows/migrations-pipeline.yml
+++ b/.github/workflows/migrations-pipeline.yml
@@ -14,7 +14,7 @@ name: Migrations on: ["push"] - +permissions: read-all jobs: build-and-security: runs-on: ubuntu-latest
@@ -31,4 +31,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Migrations" -G true
+ horusec start -p . -e -n="Horusec/Platform-Migrations" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml
index 9f975c2c0..058b62334 100644
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
@@ -21,11 +21,12 @@ on: description: 'Release type: M (Major); m (Minor); p (Path)' required: true -permissions: - contents: write - +permissions: read-all jobs: release: + permissions: + contents: write + packages: write env: COSIGN_KEY_LOCATION: "/tmp/cosign.key" runs-on: ubuntu-latest
diff --git a/.github/workflows/vulnerability-pipeline.yml b/.github/workflows/vulnerability-pipeline.yml
index a8be71c1f..f034146fd 100644
--- a/.github/workflows/vulnerability-pipeline.yml
+++ b/.github/workflows/vulnerability-pipeline.yml
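Review bot: The job-level block added under `release:` in new-release.yml grants `packages: write`, a scope the removed workflow-level `permissions:` / `contents: write` never gave, so as far as this hunk shows the change widens the release token rather than only tightening it. If no step in the job pushes to the GitHub package registry, drop that line; if one does, a comment on it such as `# needed by the step that pushes the image` would let the next reviewer verify it quickly. With `read-all` at the top and a job-level block naming only `contents` and `packages`, every other scope for `release` becomes `none`, which is fine but worth stating in a comment so a later edit does not "fix" it by widening the block. The `release` job continues outside the hunk.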
@@ -14,7 +14,7 @@ name: Vulnerability on: ["push"] - +permissions: read-all jobs: lint-coverage-build-security: runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Vulnerability" -G true
+ horusec start -p . -e -n="Horusec/Platform-Vulnerability" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/webhook-pipeline.yml b/.github/workflows/webhook-pipeline.yml
index a7db2505c..a32a31d89 100644
--- a/.github/workflows/webhook-pipeline.yml
+++ b/.github/workflows/webhook-pipeline.yml
@@ -14,7 +14,7 @@ name: Webhook on: ["push"] - +permissions: read-all jobs: lint-coverage-build-security: runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs: HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }} run: | curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
- horusec start -p . -e true -n="Horusec/Platform-Webhook" -G true
+ horusec start -p . -e -n="Horusec/Platform-Webhook" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"