From 76e373ec4f6fd7bc9ab72b944d6b6b7ee0992da5 Mon Sep 17 00:00:00 2001
From: "jit-ci[bot]" <91912817+jit-ci[bot]@users.noreply.github.com>
Date: Thu, 2 Nov 2023 16:51:52 +0000
Subject: [PATCH] Sync with plan

---
 .github/workflows/jit-security.yml | 111 +++++++++++++++++++++++++++++
 1 file changed, 111 insertions(+)

diff --git a/.github/workflows/jit-security.yml b/.github/workflows/jit-security.yml
index 5792ed69..1d989a41 100644
--- a/.github/workflows/jit-security.yml
+++ b/.github/workflows/jit-security.yml
@@ -22,6 +22,17 @@ jobs:
         with:
           security_control: registry.jit.io/control-enrichment-slim:latest
 
+  remediation-pr:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'remediation-pr' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-remediation-pr'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: remediation-pr
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/open-remediation-pr-alpine:latest
+          security_control_output_file: /opt/code/jit-report/results.json
+
   secret-detection:
     if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'secret-detection' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-secret-detection'
     runs-on: ubuntu-20.04
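Review bot: The `uses:` line of the new remediation-pr job pins the third-party action to the mutable tag `v4.0.4`, so whatever code that tag points to tomorrow runs in this repository's context without any change to this file; pin it to the full commit SHA and keep the tag as a comment, `uses: jitsecurity-controls/jit-github-action@<full-commit-sha-placeholder>  # v4.0.4`. The same tag-pinning applies to every `uses:` line in the following hunk. The job also declares no job-level `permissions:`; if the workflow's top-level permissions (outside this hunk) grant write access, scoping this job explicitly to what the remediation control needs would limit what a compromised action or container could do with the token — that top-level block is not visible here, so this is inferred. The `jobs:` mapping starts and ends outside the hunk.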
@@ -32,4 +43,104 @@ jobs:
         with:
           security_control: registry.jit.io/control-gitleaks-alpine:latest
           security_control_output_file: /tmp/report.json
 
+
+  static-code-analysis-csharp:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-csharp' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-go:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-go' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: gosec
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-gosec-alpine:latest
+
+  static-code-analysis-java:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-java' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-js:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-js' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-kotlin:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-kotlin' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-php:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-php' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-python-semgrep:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-python-semgrep' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-rust:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-rust' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-scala:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-scala' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
+
+  static-code-analysis-swift:
+    if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'static-code-analysis-swift' && fromJSON(github.event.inputs.client_payload).payload.workflow_slug == 'workflow-sast'
+    runs-on: ubuntu-20.04
+    timeout-minutes: 20
+    steps:
+      - name: semgrep
+        uses: jitsecurity-controls/jit-github-action@v4.0.4
+        with:
+          security_control: registry.jit.io/control-semgrep-alpine:latest
\ No newline at end of file
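Review bot: The file now ends without a trailing newline (the `\ No newline at end of file` marker after the swift job's `security_control:` line); add the final newline so yamllint's new-line-at-end-of-file check passes and the next appended job does not rewrite this line in the diff. Every added job also hard-codes `runs-on: ubuntu-20.04`, which will break all of them at once when GitHub retires that hosted image; `ubuntu-latest` or a current LTS label is the usual choice unless the control images are known to need 20.04. Nine of the ten jobs differ only in the job key and the `if:` comparison while sharing the same semgrep image, so the file is ten copies of one stanza; since the author is a bot syncing from a plan, this is presumably generator output rather than hand-written, and a `strategy.matrix` would only help if the gate could be expressed without reading `matrix` in the job-level `if:`, which GitHub does not allow. The `jobs:` mapping starts outside the hunk.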