From 41447356bfedd2cc387bd2bd79ab38a7dda1958c Mon Sep 17 00:00:00 2001
From: "mend-for-github-com[bot]" <50673670+mend-for-github-com[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 05:23:57 +0000
Subject: [PATCH 01/10] Add .whitesource configuration file
---
 .whitesource | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 .whitesource
diff --git a/.whitesource b/.whitesource
new file mode 100644
index 000000000..bb071b4a2
--- /dev/null
+++ b/.whitesource
@@ -0,0 +1,45 @@
+{
+ "scanSettings": {
+ "configMode": "AUTO",
+ "configExternalURL": "",
+ "projectToken": "",
+ "baseBranches": []
+ },
+ "scanSettingsSAST": {
+ "enableScan": false,
+ "scanPullRequests": false,
+ "incrementalScan": true,
+ "baseBranches": [],
+ "snippetSize": 10
+ },
+ "checkRunSettings": {
+ "vulnerableCheckRunConclusionLevel": "failure",
+ "displayMode": "diff",
+ "useMendCheckNames": true
+ },
+ "checkRunSettingsSAST": {
+ "checkRunConclusionLevel": "failure",
+ "severityThreshold": "high"
+ },
+ "issueSettings": {
+ "minSeverityLevel": "LOW",
+ "issueType": "DEPENDENCY"
+ },
+ "issueSettingsSAST": {
+ "minSeverityLevel": "high",
+ "issueType": "repo"
+ },
+ "remediateSettings": {
+ "workflowRules": {
+ "enabled": true
+ }
+ },
+ "imageSettings":{
+ "imageTracing":{
+ "enableImageTracingPR": false,
+ "addRepositoryCoordinate": false,
+ "addDockerfilePath": false,
+ "addMendIdentifier": false
+ }
+ }
+}
\ No newline at end of file
From 20791e2d0059d19bd606fe7867019dec2e31c712 Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa <42572246+sumanth-lingappa@users.noreply.github.com>
Date: Tue, 19 Mar 2024 11:58:35 +0530
Subject: [PATCH 02/10] Update requirements.txt
---
 requirements.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 2037686d6..cba8513f0 100644
--- a/requirements.txt
+++ b/requirements.txt
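Review bot: The `scanSettingsSAST`, `checkRunSettingsSAST` and `issueSettingsSAST` blocks set thresholds for a scan that `"enableScan": false` switches off, so they are inert as written and a later reader may wrongly assume SAST gating is in place; either enable the scan or drop the dead blocks. `issueSettings.minSeverityLevel: "LOW"` with `issueType: "DEPENDENCY"` will, as I read Mend's options, open a tracker issue for every low-severity dependency finding while the check run only fails on vulnerable packages, which tends to drown the findings that matter — `"minSeverityLevel": "MEDIUM"` (or whatever the team actually triages) is worth considering. Since `.whitesource` is JSON and cannot carry comments, record these choices in the commit message or a short docs note, and add the missing trailing newline.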
@@ -1,8 +1,9 @@
 antsibull
+aiohttp==3.9.0
 ansible-pygments
 sphinx-notfound-page
 sphinx_rtd_theme
 antsibull-docs
 sphinx
 sphinx-ansible-theme
-galaxy-importer
\ No newline at end of file
+galaxy-importer
From 23fefa2c4bfc9f0815f7a3ada3d02b16ead1e317 Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa <42572246+sumanth-lingappa@users.noreply.github.com>
Date: Tue, 19 Mar 2024 13:02:41 +0530
Subject: [PATCH 03/10] bumped versions of dependencies
---
 requirements.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index cba8513f0..fae8ff1b9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,4 +6,5 @@ sphinx_rtd_theme
 antsibull-docs
 sphinx
 sphinx-ansible-theme
-galaxy-importer
+galaxy-importer==0.5.0
+ansible-core==2.14.12
From 6eb1dd2f1a2ba3e8b55d19f78ec96d5ccfe61461 Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa <42572246+sumanth-lingappa@users.noreply.github.com>
Date: Tue, 19 Mar 2024 14:26:19 +0530
Subject: [PATCH 04/10] Update requirements.txt
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index fae8ff1b9..1aad6bcbc 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 antsibull
-aiohttp==3.9.0
+aiohttp==3.9.3
 ansible-pygments
 sphinx-notfound-page
 sphinx_rtd_theme
From 6c5fdd0e5200c35d91f3a104c448b1ec3d4de100 Mon Sep 17 00:00:00 2001
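Review bot: `aiohttp==3.9.0` is the only hard-pinned entry in an otherwise floating requirements list and nothing records why it is there; nothing in this series imports aiohttp directly, so it is presumably meant to override the transitive version resolved through antsibull or galaxy-importer, most likely in response to an advisory. A pin with no recorded rationale either outlives its purpose or, as the later patches in this series show, gets bumped back and forth without anyone knowing which version is actually required; add a comment above it such as `# overrides the transitive aiohttp version; pinned because of <reason>, revisit once upstream requires a fixed release`. Note also that a bare `==` pin does not protect against a substituted artifact — if supply-chain integrity is the motivation, a hash-pinned lockfile (`pip-compile --generate-hashes`) is the stronger control.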
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 19 Mar 2024 08:57:17 +0000
Subject: [PATCH 05/10] Bump the pip group across 1 directory with 1 update
Bumps the pip group with 1 update in the / directory: [ansible-core](https://github.com/ansible/ansible).
Updates `ansible-core` from 2.14.12 to 2.15.9
- [Release notes](https://github.com/ansible/ansible/releases)
- [Commits](https://github.com/ansible/ansible/compare/v2.14.12...v2.15.9)
---
updated-dependencies:
- dependency-name: ansible-core
dependency-type: direct:production
dependency-group: pip-security-group
...
Signed-off-by: dependabot[bot]
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index 1aad6bcbc..adc050298 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -7,4 +7,4 @@ antsibull-docs
 sphinx
 sphinx-ansible-theme
 galaxy-importer==0.5.0
-ansible-core==2.14.12
+ansible-core==2.15.9
From c520d91464933843fe6d06e6d7bae1bab2336074 Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa
Date: Wed, 20 Mar 2024 15:58:06 +0530
Subject: [PATCH 06/10] added trivy workflow
Signed-off-by: Sumanth Lingappa
---
 .github/workflows/trivy.yml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 000000000..a8c92100d
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,28 @@
+---
+name: build
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+jobs:
+ build:
+ name: Trivy vulnerability scan
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: "fs"
+ ignore-unfixed: true
+ format: "sarif"
+ output: "trivy-results.sarif"
+ severity: "CRITICAL"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: "trivy-results.sarif"
From 319a65b405a496ac25eefaa5229f18bdc8c176f1 Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa <42572246+sumanth-lingappa@users.noreply.github.com>
Date: Thu, 21 Mar 2024 09:14:27 +0530
Subject: [PATCH 07/10] Update requirements.txt
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/requirements.txt b/requirements.txt
index adc050298..1cc7dbaa3 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 antsibull
-aiohttp==3.9.3
+aiohttp==3.9.2
 ansible-pygments
 sphinx-notfound-page
 sphinx_rtd_theme
From 3e733800eff8f15e4feda844300250804cea7388 Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa <42572246+sumanth-lingappa@users.noreply.github.com>
Date: Thu, 21 Mar 2024 09:37:24 +0530
Subject: [PATCH 08/10] fixed a typo
---
 .github/ISSUE_TEMPLATE/bug_report.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 1fa00b6de..fd01365c4 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -153,7 +153,7 @@ body:
 ```
 - type: textarea
 attributes:
- label: Additioinal Notes
+ label: Additional Notes
 description: |
 Add any other context about the problem
From 5e28598ce76d3495b763dc0d74a1d64465ef0696 Mon Sep 17 00:00:00 2001
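Review bot: The workflow declares no `permissions:` block, yet the SARIF upload step needs `security-events: write`; with restrictive default token permissions the upload fails, and with permissive defaults the whole job runs with a write-all token it has no use for. Add at the top level, right after `name: build`: `permissions:` / `  contents: read` / `  security-events: write`. All three `uses:` references are mutable refs, and `aquasecurity/trivy-action@master` in particular executes whatever the upstream default branch holds at run time, so pin each to a full commit SHA with a `# vX.Y.Z` comment. `ignore-unfixed: true` also hides findings that have no upstream fix yet, which is a defensible noise trade-off but deserves a comment so a green run is not read as "no known CVEs". `name: build` is misleading for a scan-only workflow; `name: trivy` would match the filename and the check name shown on pull requests.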
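Review bot: `aiohttp==3.9.3` is moved back to `3.9.2` two days after it was raised, under a commit message that says only "Update requirements.txt"; a downgrade of a pin that was presumably introduced for a security reason needs its cause recorded, otherwise the next bot or maintainer will simply raise it again. Put the reason (a resolver conflict with another pin, a regression, or whatever it was) in the commit message or as `# held at 3.9.2: <reason>` above the line, so the lower bound is deliberate rather than accidental.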
From: Sumanth Lingappa <42572246+sumanth-lingappa@users.noreply.github.com>
Date: Thu, 21 Mar 2024 14:17:14 +0530
Subject: [PATCH 09/10] experimenting with severity option
---
 .github/workflows/trivy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index a8c92100d..a1b321f1c 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -14,13 +14,13 @@ jobs:
 uses: actions/checkout@v3
 
 - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.18.0
 with:
 scan-type: "fs"
 ignore-unfixed: true
 format: "sarif"
 output: "trivy-results.sarif"
- severity: "CRITICAL"
+ severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v2
From cfbdf071ce520acd72bb89e1bdb6e2411ec081f0 Mon Sep 17 00:00:00 2001
From: Sumanth Lingappa <42572246+sumanth-lingappa@users.noreply.github.com>
Date: Thu, 21 Mar 2024 14:22:14 +0530
Subject: [PATCH 10/10] Update lint.yml
---
 .github/workflows/lint.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f52d910af..87bf7d957 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,7 +3,21 @@ name: ansible-lint
 on:
 workflow_dispatch:
 pull_request:
+ paths-ignore:
+ - .github/**
+ - assets/**
+ - docs/**
+ - .whitesource
+ - .yamlfmt
+ - .yamllint
 push:
+ paths-ignore:
+ - .github/**
+ - assets/**
+ - docs/**
+ - .whitesource
+ - .yamlfmt
+ - .yamllint
 jobs:
 ansible-lint:
 name: ansible-lint
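Review bot: `aquasecurity/trivy-action@0.18.0` is an improvement over `@master`, but a release tag is still a mutable ref that upstream (or anyone who compromises upstream) can repoint, so pin to the 40-character commit SHA the tag currently resolves to and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # v0.18.0`, which Dependabot still tracks. The same applies to `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` in this hunk. `severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"` appears to be the action's default severity set; if so, either drop the key or keep it with a comment stating that the full list is intentional, since the commit title "experimenting" suggests the value is not settled. The `steps:` sequence this hunk edits begins before line 14, outside the hunk.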
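Review bot: The new `paths-ignore` lists put `.github/**`, `.yamlfmt` and `.yamllint` out of scope, so a change to this workflow, to any other workflow, or to the linters' own configuration no longer triggers ansible-lint — exactly the changes most likely to break linting. Drop those three entries and keep only `assets/**`, `docs/**` and `.whitesource`; if some of `.github/` really must be excluded, prefer a `paths:` filter with `!` negations, since to my knowledge negation is only honoured under `paths`, not `paths-ignore`. Be aware too that if `ansible-lint` is a required status check under branch protection, a PR touching only ignored paths never reports the check and can sit blocked, which normally calls for a companion no-op workflow or for the check not to be required. The identical lists under `pull_request` and `push` are duplicated because GitHub Actions does not expand YAML anchors; that is fine but worth a one-line comment so nobody "deduplicates" them. The `jobs:` mapping continues past the end of the hunk.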