# Copyright (c) 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
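name: "[BE][FE][SECURITY] Kics"

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it, generic
# linters may flag it (yamllint `truthy`).
on:
  push:
    branches:
      - main
      - dev
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
  pull_request:
    branches:
      - main
      - dev
    paths-ignore:
      - '**/*.md'
      - '**/*.txt'
  schedule:
    # Nightly full scan, independent of pushes
    - cron: "0 0 * * *"

jobs:
  analyze-frontend:
    name: Analyze frontend
    runs-on: ubuntu-latest
    # NOTE: `defaults.run` only applies to `run:` steps; this job has none,
    # so the KICS action is pointed at the directory via `path` below instead.
    defaults:
      run:
        working-directory: frontend
    # Least privilege: the job only needs to read the checkout and write
    # code-scanning results (for the SARIF upload step).
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: KICS scan
        # NOTE(review): `@master` is a mutable ref, so the scanner code changes
        # underneath this workflow without review — pin to a release tag or a
        # full commit SHA and let Dependabot/Renovate bump it.
        uses: checkmarx/kics-github-action@master
        with:
          # Directory to scan (relative to the workspace root)
          path: "./frontend"
          # Excluded paths:
          # - docker-compose.yml - used only on local env
          # - in cypress dir docker related files used only on local env
          exclude_paths: "docker-compose.yml,cypress/docker-compose.yml,cypress/Dockerfile"
          exclude_severities: "info,low"
          # Fail on HIGH severity results
          fail_on: high
          # Disable secrets detection - we use GitGuardian
          disable_secrets: true
          # When provided with a directory on output_path the action writes
          # one file per format, named 'results.{extension}':
          # - kicsResults/results.json
          # - kicsResults/results.sarif
          output_path: kicsResults/
          # NOTE(review): posting PR comments needs a `token` with
          # `pull-requests: write`; neither is configured in this job, so
          # confirm whether PR comments are actually expected here.
          enable_comments: true
          output_formats: "json,sarif"
          # If you want KICS to ignore the results and return exit status code 0
          # unless a KICS engine error happens:
          # ignore_on_exit: results
          # GITHUB_TOKEN enables this action to access the GitHub API and post
          # comments in a pull request:
          # token: ${{ secrets.GITHUB_TOKEN }}
      # Upload findings to GitHub Advanced Security Dashboard.
      # `always()` keeps the upload running when the scan step fails on
      # HIGH findings, so those findings still reach code scanning.
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kicsResults/results.sarif

  analyze-backend:
    name: Analyze backend
    runs-on: ubuntu-latest
    # NOTE: `defaults.run` only applies to `run:` steps; this job has none,
    # so the KICS action is pointed at the directory via `path` below instead.
    defaults:
      run:
        working-directory: tx-backend
    # Least privilege: the job only needs to read the checkout and write
    # code-scanning results (for the SARIF upload step).
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - name: KICS scan
        # NOTE(review): `@master` is a mutable ref, so the scanner code changes
        # underneath this workflow without review — pin to a release tag or a
        # full commit SHA and let Dependabot/Renovate bump it.
        uses: checkmarx/kics-github-action@master
        with:
          # Directory to scan (relative to the workspace root)
          path: "./tx-backend"
          # Query IDs suppressed for this module (comma-separated, no spaces).
          # Duplicate entry d172a060-8569-4412-8045-3560ebd477e8 removed; each
          # suppression should be justified when it is added.
          exclude_queries: "2ea04bef-c769-409e-9179-ee3a50b5c0ac,6998389e-66b2-473d-8d05-c8d71ac4d04d,a8e859da-4a43-4e7f-94b8-25d6e3bf8e90,d172a060-8569-4412-8045-3560ebd477e8,2e9b6612-8f69-42e0-a5b8-ed17739c2f3a,9f88c88d-824d-4d9a-b985-e22977046042,8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85,181bd815-767e-4e95-a24d-bb3c87328e19,00b78adf-b83f-419c-8ed8-c6018441dd3a"
          # NOTE(review): posting PR comments needs a `token` with
          # `pull-requests: write`; neither is configured in this job, so
          # confirm whether PR comments are actually expected here.
          enable_comments: true
          # Fail on HIGH severity results
          fail_on: high
          # Disable secrets detection - we use GitGuardian
          disable_secrets: true
          # When provided with a directory on output_path the action writes
          # one file per format, named 'results.{extension}':
          # - kicsResults/results.json
          # - kicsResults/results.sarif
          output_path: kicsResults/
          output_formats: "json,sarif"
          # If you want KICS to ignore the results and return exit status code 0
          # unless a KICS engine error happens:
          # ignore_on_exit: results
          # GITHUB_TOKEN enables this action to access the GitHub API and post
          # comments in a pull request:
          # token: ${{ secrets.GITHUB_TOKEN }}
      # Upload findings to GitHub Advanced Security Dashboard.
      # `always()` keeps the upload running when the scan step fails on
      # HIGH findings, so those findings still reach code scanning.
      - name: Upload SARIF file for GitHub Advanced Security Dashboard
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kicsResults/results.sarif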