Merge branch 'sast-comparisons' into trunk

johnbillion · Dec 10, 2024 · 45e3051 · 45e3051
2 parents dd4ea9a + 1948efb
commit 45e3051
Show file tree

Hide file tree

Showing 2 changed files with 82 additions and 9 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,12 +2,19 @@
 
 name: Lint
 on:
-  pull_request: null
+  pull_request:
+    paths:
+      # Only run when changes are made to workflow files.
+      - '.github/workflows/**'
   push:
     branches:
-    - trunk
-permissions:
-  contents: read
+      - trunk
+    paths:
+      # Only run when changes are made to workflow files.
+      - '.github/workflows/**'
+
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -16,6 +23,8 @@ jobs:
   actionlint:
     name: Actionlint
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     timeout-minutes: 1
     steps:
       - name: Checkout repository
@@ -26,8 +35,72 @@ jobs:
         with:
           args: "-color -verbose -shellcheck="
 
-      - name: Generate workflow timeline
-        if: always()
-        uses: Kesin11/actions-timeline@v2.2.1
+  octoscan:
+    name: Octoscan
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run octoscan
+        id: octoscan
+        uses: synacktiv/action-octoscan@v1
         with:
-          show-waiting-runner: false
+          filter_triggers: ''
+
+      - name: Upload SARIF file to GitHub
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "${{steps.octoscan.outputs.sarif_output}}"
+          category: octoscan
+
+  zizmor:
+    name: Zizmor
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
+
+  poutine:
+    name: Poutine
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Run Poutine
+      uses: boostsecurityio/poutine-action@v0.15.2
+
+    - name: Upload poutine SARIF file
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: results.sarif
+        category: poutine
diff --git a/.github/workflows/test-plugins.yml b/.github/workflows/test-plugins.yml
@@ -2,7 +2,7 @@
 
 name: Test Plugins
 on:
-  pull_request:
+  # pull_request:
   workflow_dispatch:
     inputs:
       PR_NUMBER: