Skip to content

[BE][FE][SECURITY] Kics #961

[BE][FE][SECURITY] Kics

[BE][FE][SECURITY] Kics #961

Workflow file for this run

# Copyright (c) 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
name: "[BE][FE][SECURITY] Kics"
on:
push:
branches:
- main
- dev
paths-ignore:
- '**/*.md'
- '**/*.txt'
pull_request:
branches:
- main
- dev
paths-ignore:
- '**/*.md'
- '**/*.txt'
schedule:
- cron: "0 0 * * *"
jobs:
analyze-frontend:
name: Analyze frontend
runs-on: ubuntu-latest
defaults:
run:
working-directory: frontend
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: KICS scan
uses: checkmarx/kics-github-action@master
with:
# Scanning directory .
path: "./frontend"
# Excluded paths:
# - docker-compose.yml - used only on local env
# - in cypress dir docker related files used only on local env
exclude_paths: "docker-compose.yml,cypress/docker-compose.yml,cypress/Dockerfile"
exclude_severities: "info,low"
# Fail on HIGH severity results
fail_on: high
# Disable secrets detection - we use GitGuardian
disable_secrets: true
# when provided with a directory on output_path
# it will generate the specified reports file named 'results.{extension}'
# in this example it will generate:
# - results-dir/results.json
# - results-dir/results.sarif
output_path: kicsResults/
enable_comments: true
output_formats: "json,sarif"
# If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens
# ignore_on_exit: results
# GITHUB_TOKEN enables this github action to access github API and post comments in a pull request
# token: ${{ secrets.GITHUB_TOKEN }}
# enable_comments: true
# Upload findings to GitHub Advanced Security Dashboard
- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: kicsResults/results.sarif
analyze-backend:
name: Analyze backend
runs-on: ubuntu-latest
defaults:
run:
working-directory: tx-backend
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: KICS scan
uses: checkmarx/kics-github-action@master
with:
# Scanning directory .
path: "./tx-backend"
exclude_queries: 2ea04bef-c769-409e-9179-ee3a50b5c0ac,6998389e-66b2-473d-8d05-c8d71ac4d04d,a8e859da-4a43-4e7f-94b8-25d6e3bf8e90,d172a060-8569-4412-8045-3560ebd477e8,2e9b6612-8f69-42e0-a5b8-ed17739c2f3a,d172a060-8569-4412-8045-3560ebd477e8,9f88c88d-824d-4d9a-b985-e22977046042,8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85,181bd815-767e-4e95-a24d-bb3c87328e19,00b78adf-b83f-419c-8ed8-c6018441dd3a,86e3702f-c868-44b2-b61d-ea5316c18110,a92be1d5-d762-484a-86d6-8cd0907ba100,4f31dd9f-2cc3-4751-9b53-67e4af83dac0,561710b1-b845-4562-95ce-2397a05ccef4,237402e2-c2f0-46c9-9cf5-286160cf7bfc,2bd608ae-8a1f-457f-b710-c237883cb313
enable_comments: true
# Fail on HIGH severity results
fail_on: high
# Disable secrets detection - we use GitGuardian
disable_secrets: true
# when provided with a directory on output_path
# it will generate the specified reports file named 'results.{extension}'
# in this example it will generate:
# - results-dir/results.json
# - results-dir/results.sarif
output_path: kicsResults/
output_formats: "json,sarif"
# If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens
# ignore_on_exit: results
# GITHUB_TOKEN enables this github action to access github API and post comments in a pull request
# token: ${{ secrets.GITHUB_TOKEN }}
# enable_comments: true
# Upload findings to GitHub Advanced Security Dashboard
- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: kicsResults/results.sarif