Merge pull request #1312 from contentstack/development

Sprint 52 release

.github/workflows/jira.yml

@@ -3,11 +3,11 @@ on:
   pull_request:
     types: [opened]
 jobs:
-  security:
+  security-jira:
     if: ${{ github.actor == 'dependabot[bot]' || github.actor == 'snyk-bot' || contains(github.event.pull_request.head.ref, 'snyk-fix-')  || contains(github.event.pull_request.head.ref, 'snyk-upgrade-')}}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3.5.3
+      - uses: actions/checkout@v2
       - name: Login into JIRA
         uses: atlassian/gajira-login@master
         env:
@@ -26,3 +26,8 @@ jobs:
             PR: ${{ github.event.pull_request.html_url }}
 
           fields: "${{ secrets.JIRA_FIELDS }}"
+      - name: Transition issue
+        uses: atlassian/gajira-transition@v3
+        with:
+          issue: ${{ steps.create.outputs.issue }}
+          transition: ${{ secrets.JIRA_TRANSITION }}

.github/workflows/sast-scan.yml

@@ -0,0 +1,11 @@
+name: SAST Scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  security-sast:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Semgrep Scan
+        run: docker run -v /var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/src" returntocorp/semgrep semgrep scan --config auto

.github/workflows/sca-scan.yml

@@ -3,20 +3,10 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 jobs:
-  security:
+  security-sca:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@master
-      - uses: pnpm/action-setup@v2
-        with:
-          version: 7
-      - name: Use Node.js 18.x
-        uses: actions/[email protected]
-        with:
-          node-version: '18.x'
-          cache: 'pnpm'
-      - name: Install dependencies
-        run: pnpm install --no-frozen-lockfile
       - name: Run Snyk to check for vulnerabilities
         uses: snyk/actions/node@master
         env:

.github/workflows/secrets-scan.yml

@@ -0,0 +1,54 @@
+name: Secrets Scan
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  security-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Install Expect, jq and Python
+        run: sudo apt-get update --fix-missing && sudo apt-get install -y expect jq python3 python3-pip  wkhtmltopdf
+
+      - name: Install Python packages
+        run: pip install pandas json2html tabulate
+
+      - name: Install Talisman
+        run: |
+          curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/v1.32.0/install.sh > install.bash
+          chmod +x install.bash
+          ./install.bash
+
+      - name: Run Talisman
+        id: run_talisman
+        run: /usr/local/bin/talisman --scan
+        continue-on-error: true
+
+      - name: Convert JSON to HTML
+        run: |
+          python3 -c "
+          import json
+          import os
+          from json2html import *
+          with open('talisman_report/talisman_reports/data/report.json') as f:
+              data = json.load(f)
+          html = json2html.convert(json = data)
+          os.makedirs('talisman_html_report', exist_ok=True)
+          with open('talisman_html_report/report.html', 'w') as f:
+              f.write(html)
+          " && wkhtmltopdf talisman_html_report/report.html talisman_report.pdf
+
+      - name: Upload Report
+        id: upload_report
+        uses: actions/upload-artifact@v4
+        with:
+          name: talisman-report-pdf
+          path: talisman_report.pdf
+
+      - name: Check the status of talisman scan
+        run: |
+          # if [[ ${{ steps.run_talisman.outcome }} == "success" ]]; then exit 0; else echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}" && exit 1; fi
+          echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}";