Skip to content

[BE][FE][SECURITY] Kics #607

[BE][FE][SECURITY] Kics

[BE][FE][SECURITY] Kics #607

Workflow file for this run

# Copyright (c) 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Apache License, Version 2.0 which is available at
# https://www.apache.org/licenses/LICENSE-2.0.
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# SPDX-License-Identifier: Apache-2.0
name: "[BE][FE][SECURITY] Kics"
on:
push:
branches: main
paths-ignore:
- '**/*.md'
- '**/*.txt'
pull_request:
branches: main
paths-ignore:
- '**/*.md'
- '**/*.txt'
schedule:
- cron: "0 0 * * *"
jobs:
analyze-frontend:
name: Analyze frontend
runs-on: ubuntu-latest
defaults:
run:
working-directory: frontend
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v3
- name: KICS scan
uses: checkmarx/kics-github-action@master
with:
# Scanning directory .
path: "./frontend"
# Excluded paths:
# - docker-compose.yml - used only on local env
# - in cypress dir docker related files used only on local env
exclude_paths: "docker-compose.yml,cypress/docker-compose.yml,cypress/Dockerfile"
# Fail on HIGH severity results
fail_on: high
# Disable secrets detection - we use GitGuardian
disable_secrets: true
# when provided with a directory on output_path
# it will generate the specified reports file named 'results.{extension}'
# in this example it will generate:
# - results-dir/results.json
# - results-dir/results.sarif
output_path: kicsResults/
enable_comments: true
output_formats: "json,sarif"
# If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens
# ignore_on_exit: results
# GITHUB_TOKEN enables this github action to access github API and post comments in a pull request
# token: ${{ secrets.GITHUB_TOKEN }}
# enable_comments: true
# Upload findings to GitHub Advanced Security Dashboard
- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: kicsResults/results.sarif
analyze-backend:
name: Analyze backend
runs-on: ubuntu-latest
defaults:
run:
working-directory: tx-backend
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v3
- name: KICS scan
uses: checkmarx/kics-github-action@master
with:
# Scanning directory .
path: "./tx-backend"
exclude_queries: 9f88c88d-824d-4d9a-b985-e22977046042,8c8261c2-19a9-4ef7-ad37-b8bc7bdd4d85,181bd815-767e-4e95-a24d-bb3c87328e19,00b78adf-b83f-419c-8ed8-c6018441dd3a
enable_comments: true
# Fail on HIGH severity results
fail_on: high
# Disable secrets detection - we use GitGuardian
disable_secrets: true
# when provided with a directory on output_path
# it will generate the specified reports file named 'results.{extension}'
# in this example it will generate:
# - results-dir/results.json
# - results-dir/results.sarif
output_path: kicsResults/
output_formats: "json,sarif"
# If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens
# ignore_on_exit: results
# GITHUB_TOKEN enables this github action to access github API and post comments in a pull request
# token: ${{ secrets.GITHUB_TOKEN }}
# enable_comments: true
# Upload findings to GitHub Advanced Security Dashboard
- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: kicsResults/results.sarif