ZupIT · iancardosozup · Oct 6, 2021 · Oct 4, 2021
diff --git a/.github/workflows/alpha.yml b/.github/workflows/alpha.yml
@@ -18,9 +18,12 @@ on:
   push:
     branches:
       - main
-
+permissions: read-all
 jobs:
   Alpha:
+    permissions:
+      contents: write
+      packages: write
     runs-on: ubuntu-latest
     env:
       COSIGN_KEY_LOCATION: /tmp/cosign.key

diff --git a/.github/workflows/analytic-pipeline.yml b/.github/workflows/analytic-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Analytic
 on: ["push"]
-
+permissions: read-all
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Analytic" -G true
+          horusec start -p . -e  -n="Horusec/Platform-Analytic" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/api-pipeline.yml b/.github/workflows/api-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Api
 on: ["push"]
-
+permissions: read-all
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Api" -G true
+          horusec start -p . -e  -n="Horusec/Platform-Api" -G  --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/auth-pipeline.yml b/.github/workflows/auth-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Auth
 on: ["push"]
-
+permissions: read-all
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Auth" -G true
+          horusec start -p . -e -n="Horusec/Platform-Auth" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/core-pipeline.yml b/.github/workflows/core-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Core
 on: ["push"]
-
+permissions: read-all
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Core" -G true
+          horusec start -p . -e -n="Horusec/Platform-Core" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/license.yaml b/.github/workflows/license.yaml
@@ -14,6 +14,7 @@
 
 name: License
 on: [ "push" ]
+permissions: read-all
 jobs:
   license:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/manager-pipeline.yml b/.github/workflows/manager-pipeline.yml
@@ -14,7 +14,6 @@
 
 name: Manager
 on: ["push"]
-
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -52,4 +51,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -n="Horusec/Platform-Manager" -G true
+          horusec start -p . -n="Horusec/Platform-Manager" -G -e --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/messages-pipeline.yml b/.github/workflows/messages-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Messages
 on: ["push"]
-
+permissions: read-all
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Messages" -G true
+          horusec start -p . -e -n="Horusec/Platform-Messages" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/migrations-pipeline.yml b/.github/workflows/migrations-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Migrations
 on: ["push"]
-
+permissions: read-all
 jobs:
   build-and-security:
     runs-on: ubuntu-latest
@@ -31,4 +31,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Migrations" -G true
+          horusec start -p . -e -n="Horusec/Platform-Migrations" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml
@@ -21,11 +21,12 @@ on:
         description: 'Release type: M (Major); m (Minor); p (Path)'
         required: true
 
-permissions:
-  contents: write
-
+permissions: read-all
 jobs:
   release:
+    permissions:
+      contents: write
+      packages: write
     env:
       COSIGN_KEY_LOCATION: "/tmp/cosign.key"
     runs-on: ubuntu-latest

diff --git a/.github/workflows/vulnerability-pipeline.yml b/.github/workflows/vulnerability-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Vulnerability
 on: ["push"]
-
+permissions: read-all
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Vulnerability" -G true
+          horusec start -p . -e -n="Horusec/Platform-Vulnerability" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"
diff --git a/.github/workflows/webhook-pipeline.yml b/.github/workflows/webhook-pipeline.yml
@@ -14,7 +14,7 @@
 
 name: Webhook
 on: ["push"]
-
+permissions: read-all
 jobs:
   lint-coverage-build-security:
     runs-on: ubuntu-latest
@@ -40,4 +40,4 @@ jobs:
           HORUSEC_CLI_HORUSEC_API_URI: ${{ secrets.HORUSEC_CLI_HORUSEC_API_URI }}
         run: |
           curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
-          horusec start -p . -e true -n="Horusec/Platform-Webhook" -G true
+          horusec start -p . -e -n="Horusec/Platform-Webhook" -G --show-vulnerabilities-types="Vulnerability, Risk Accepted"