Skip to content

Commit afe0564

Browse files
authored
Merge branch 'main' into feat/dsql-system-diagnostics
Signed-off-by: James Morle <7480305+Morlej@users.noreply.github.com>
2 parents bd3733c + efe040a commit afe0564

26 files changed

Lines changed: 171993 additions & 126 deletions

.github/workflows/build.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@ jobs:
2929
self_mutation_happened: ${{ steps.self_mutation.outputs.self_mutation_happened }}
3030
steps:
3131
- name: Checkout
32-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
32+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3333
with:
3434
fetch-depth: 0 # full history
3535

.github/workflows/codeql.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ jobs:
7373
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
7474
steps:
7575
- name: Checkout repository
76-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
76+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
7777

7878
# Add any setup steps before running the `github/codeql-action/init` action.
7979
# This includes steps like installing compilers or runtimes (`actions/setup-node`

.github/workflows/dependency-review.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ jobs:
88
dependency-review:
99
runs-on: ubuntu-latest
1010
steps:
11-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
11+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
1212
- uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
1313
with:
1414
config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@8e4c9fdde54d2b7c6a3a28b97eddd26c4cd90a66 # main

.github/workflows/merge-prevention.yml

Lines changed: 19 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -45,18 +45,19 @@ jobs:
4545
env:
4646
GH_TOKEN: ${{ github.token }}
4747
PR_LABELS_JSON: ${{ toJson(github.event.pull_request.labels.*.name) }}
48+
PR_NUMBER_EVENT: ${{ github.event.pull_request.number }}
4849
steps:
4950
- name: Get PR info
5051
id: get-pr
5152
run: |
52-
if [ "${{ github.event_name }}" == "merge_group" ]; then
53-
PR_NUMBER=$(echo "${{ github.ref }}" | grep -oP '(?<=/pr-)\d+' || echo "")
54-
PR_LABELS=$(gh api repos/${{ github.repository }}/pulls/$PR_NUMBER | jq -c '[.labels[].name] // []')
53+
if [ "$GITHUB_EVENT_NAME" == "merge_group" ]; then
54+
PR_NUMBER=$(echo "$GITHUB_REF" | grep -oP '(?<=/pr-)\d+' || echo "")
55+
PR_LABELS=$(gh api "repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER" | jq -c '[.labels[].name] // []')
5556
echo "::group::Getting Information"
56-
gh api repos/${{ github.repository }}/pulls/$PR_NUMBER
57+
gh api "repos/$GITHUB_REPOSITORY/pulls/$PR_NUMBER"
5758
echo "::endgroup::"
58-
elif [ "${{ github.event_name }}" == "pull_request" ]; then
59-
PR_NUMBER="${{ github.event.pull_request.number }}"
59+
elif [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
60+
PR_NUMBER="$PR_NUMBER_EVENT"
6061
PR_LABELS=$(echo "$PR_LABELS_JSON" | jq -c '.')
6162
fi
6263
echo "::group::Debug Output Values"
@@ -70,8 +71,9 @@ jobs:
7071
needs: get-pr-info
7172
if: always()
7273
steps:
73-
- run: |
74-
PR_NUMBER="${{ needs.get-pr-info.outputs.pr_number }}"
74+
- env:
75+
PR_NUMBER: ${{ needs.get-pr-info.outputs.pr_number }}
76+
run: |
7577
# Default to 0 (allow all) if not set
7678
if [ -z "$HALT_MERGES" ]; then
7779
HALT_MERGES=0
@@ -98,19 +100,21 @@ jobs:
98100
needs: get-pr-info
99101
if: always()
100102
steps:
101-
- run: |
103+
- env:
104+
PR_LABELS: ${{ needs.get-pr-info.outputs.pr_labels }}
105+
run: |
102106
echo "::group::Debug Output Values"
103-
echo "PR_LABELS: ${{ needs.get-pr-info.outputs.pr_labels }}"
107+
echo "PR_LABELS: $PR_LABELS"
104108
echo "::endgroup::"
105-
- name: When PR has the "${{ env.DO_NOT_MERGE_LABEL }}" label
109+
- name: When PR has the do-not-merge label
106110
id: pr-has-label
107111
if: contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL)
108112
run: |
109-
echo "::error::❌ The label \"${{ env.DO_NOT_MERGE_LABEL }}\" is used to prevent merging."
113+
echo "::error::❌ The label \"$DO_NOT_MERGE_LABEL\" is used to prevent merging."
110114
exit 1
111-
- name: When PR does not have the "${{ env.DO_NOT_MERGE_LABEL }}" label
115+
- name: When PR does not have the do-not-merge label
112116
id: pr-missing-label
113-
if: ! contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL)
117+
if: ${{ !contains(needs.get-pr-info.outputs.pr_labels, env.DO_NOT_MERGE_LABEL) }}
114118
run: |
115-
echo "::debug::✅ The label \"${{ env.DO_NOT_MERGE_LABEL }}\" is absent"
119+
echo "::debug::✅ The label \"$DO_NOT_MERGE_LABEL\" is absent"
116120
exit 0

.github/workflows/scorecard-analysis.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ jobs:
2020

2121
steps:
2222
- name: "Checkout code"
23-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
23+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
2424
with:
2525
persist-credentials: false
2626

.github/workflows/security-scanners.yml

Lines changed: 32 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -34,19 +34,32 @@ jobs:
3434
env:
3535
GITLEAKS_VERSION: "8.30.0"
3636
steps:
37-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
37+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3838
with:
3939
fetch-depth: 0
4040
- name: Install gitleaks
4141
run: |
4242
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" | tar -xz;
4343
sudo mv gitleaks /usr/local/bin/;
4444
gitleaks --version;
45-
- name: Run gitleaks (full history)
45+
- name: Run gitleaks
4646
id: gitleaks
47+
env:
48+
# On pull_request, restrict the scan to commits the PR introduces so
49+
# it cannot fail on secrets that live only on other, unmerged branches.
50+
# On push/schedule/dispatch, scan the full history reachable from HEAD.
51+
PR_BASE_REF: ${{ github.base_ref }}
4752
run: |
4853
set +e
49-
gitleaks git --config=.gitleaks.toml --baseline-path=.gitleaks-baseline.json --report-path=gitleaks-report_sarif.json --report-format=sarif .
54+
# checkout uses fetch-depth: 0, so the base branch is already present
55+
# as origin/<base_ref>; no extra fetch is needed.
56+
if [ "$GITHUB_EVENT_NAME" = "pull_request" ]; then
57+
LOG_OPTS="origin/$PR_BASE_REF..HEAD"
58+
else
59+
LOG_OPTS="HEAD"
60+
fi
61+
echo "::notice::gitleaks scanning range: $LOG_OPTS"
62+
gitleaks git --config=.gitleaks.toml --baseline-path=.gitleaks-baseline.json --log-opts="$LOG_OPTS" --report-path=gitleaks-report_sarif.json --report-format=sarif .
5063
GITLEAKS_EXIT=$?
5164
set -e
5265
echo "exit_code=$GITLEAKS_EXIT" >> "$GITHUB_OUTPUT"
@@ -72,10 +85,10 @@ jobs:
7285
security-events: write
7386
runs-on: ubuntu-latest
7487
steps:
75-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
88+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
7689
- run: |
7790
echo "bandit[sarif]==1.9.3" > requirements.txt
78-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
91+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
7992
with:
8093
python-version: '3.x'
8194
cache: 'pip'
@@ -111,7 +124,7 @@ jobs:
111124
security-events: write
112125
runs-on: ubuntu-latest
113126
steps:
114-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
127+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
115128
- run: |
116129
curl -sSfL https://raw.githubusercontent.com/anchore/grype/43e7e3246ed01b1ec0ff54f9b054201ccbe78e3a/install.sh | sh -s -- -b /usr/local/bin v0.104.3
117130
grype --version
@@ -145,10 +158,10 @@ jobs:
145158
security-events: write
146159
runs-on: ubuntu-latest
147160
steps:
148-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
161+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 #v7.0.0
149162
- run: |
150163
echo "checkov==3.2.500" > requirements.txt
151-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
164+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
152165
with:
153166
python-version: '3.x'
154167
cache: 'pip'
@@ -186,12 +199,12 @@ jobs:
186199
security-events: write
187200
runs-on: ubuntu-latest
188201
steps:
189-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
202+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
190203
with:
191204
fetch-depth: 0 # Required for baseline comparison
192205
- run: |
193206
echo "semgrep==1.151.0" > requirements.txt
194-
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
207+
- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
195208
with:
196209
python-version: '3.x'
197210
cache: 'pip'
@@ -209,33 +222,15 @@ jobs:
209222
BASELINE_ARGS="--baseline-commit $BASELINE_SHA"
210223
fi
211224
212-
# Run semgrep, capture exit code
213-
# Rule exclusions documented in .semgrep.yaml
225+
# Run semgrep against the vendored ruleset (RFC #211).
226+
# Exclusions are baked into tools/semgrep/rules-vendored.yaml
227+
# (source of truth: tools/semgrep/rules-status.toml), so no
228+
# --exclude-rule flags are needed. --config is explicit because
229+
# CI does not inherit mise's SEMGREP_RULES env.
214230
set +e
215-
semgrep scan --oss-only --verbose --metrics=off --config=r/all \
231+
semgrep scan --oss-only --verbose --metrics=off \
232+
--config=tools/semgrep/rules-vendored.yaml \
216233
--max-log-list-entries=0 \
217-
--exclude-rule="bbp-pattern-inject" \
218-
--exclude-rule="ai.generic.detect-generic-ai-anthprop.detect-generic-ai-anthprop" \
219-
--exclude-rule="generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key" \
220-
--exclude-rule="apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers" \
221-
--exclude-rule="apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls" \
222-
--exclude-rule="apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor" \
223-
--exclude-rule="apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements" \
224-
--exclude-rule="apex.lang.security.ncino.encryption.badcrypto.bad-crypto" \
225-
--exclude-rule="apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request" \
226-
--exclude-rule="apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match" \
227-
--exclude-rule="apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match" \
228-
--exclude-rule="apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param" \
229-
--exclude-rule="apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param" \
230-
--exclude-rule="apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level" \
231-
--exclude-rule="apex.lang.security.ncino.system.systemdebug.system-debug" \
232-
--exclude-rule="elixir.lang.best-practice.deprecated-bnot-operator.deprecated_bnot_operator" \
233-
--exclude-rule="elixir.lang.best-practice.deprecated-bxor-operator.deprecated_bxor_operator" \
234-
--exclude-rule="elixir.lang.best-practice.deprecated-calendar-iso-day-of-week-3.deprecated_calendar_iso_day_of_week_3" \
235-
--exclude-rule="elixir.lang.best-practice.deprecated-use-bitwise.deprecated_use_bitwise" \
236-
--exclude-rule="elixir.lang.best-practice.enum-map-into.enum_map_into" \
237-
--exclude-rule="elixir.lang.best-practice.enum-map-join.enum_map_join" \
238-
--exclude-rule="elixir.lang.correctness.atom-exhaustion.atom_exhaustion" \
239234
--sarif-output semgrep-report_sarif.json $BASELINE_ARGS
240235
SEMGREP_EXIT=$?
241236
set -e
@@ -314,7 +309,7 @@ jobs:
314309
--health-timeout 5s
315310
--health-retries 10
316311
steps:
317-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
312+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
318313
- name: Wait for ClamAV service
319314
run: timeout 300 bash -c 'until echo > /dev/tcp/localhost/3310; do sleep 5; done' 2>/dev/null
320315
- run: |
@@ -359,7 +354,7 @@ jobs:
359354
# - if: always()
360355
# run: |
361356
# docker inspect $(docker ps -qf "ancestor=sonarqube:community@sha256:48dd0e946ad6481dde43bb31d1a7af09c22f59be6399b195dcce7b87d82c5f40") | jq '.[] | {"test": .Config.Healthcheck.Test, "state": .State.Health}'
362-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
357+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
363358
with:
364359
fetch-depth: 0
365360
- name: Wait for SonarQube to be ready

.github/workflows/upgrade-main.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ jobs:
3232
patch_created: ${{ steps.create_patch.outputs.patch_created }}
3333
steps:
3434
- name: Checkout
35-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
35+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
3636
with:
3737
ref: main
3838

@@ -73,7 +73,7 @@ jobs:
7373
if: ${{ needs.upgrade.outputs.patch_created }}
7474
steps:
7575
- name: Checkout
76-
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
76+
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
7777
with:
7878
ref: main
7979

.gitleaks.toml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,12 @@ description = "Global allowlist"
1313
paths = [
1414
'''\.gitleaksignore$''',
1515
'''\.gitleaks-baseline\.json$''',
16+
# Vendored Semgrep ruleset (RFC #211): contains secret-detection regexes
17+
# that gitleaks would false-positive on. Generated by tools/semgrep/rules-update.py.
18+
# gitleaks scans full history, so we allowlist BOTH the current filename and
19+
# the former name (r-all.active.yaml) it carried in earlier branch commits.
20+
'''tools/semgrep/rules-vendored\.yaml$''',
21+
'''tools/semgrep/r-all\.active\.yaml$''',
1622
]
1723

1824
# Example: Add custom rules or override defaults

.pre-commit-config.yaml

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,14 @@
1+
# The generated, byte-for-byte vendored Semgrep ruleset (RFC #211) is produced
2+
# by tools/semgrep/rules-update.py and must stay identical to the upstream
3+
# download. It necessarily contains detection patterns (private-key markers,
4+
# example secrets, non-permalink URLs) and exceeds size limits, so ALL content
5+
# hooks must skip it; any autofix hook would corrupt the ruleset. The
6+
# hand-authored rules-update.py and rules-status.toml stay in scope on purpose.
7+
exclude: |
8+
(?x)^(
9+
tools/semgrep/rules-vendored\.yaml
10+
)$
11+
112
repos:
213
- repo: https://github.com/pre-commit/pre-commit-hooks
314
rev: v6.0.0
@@ -56,7 +67,7 @@ repos:
5667
rev: v1.151.0
5768
hooks:
5869
- id: semgrep
59-
args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'main', '--config=r/all', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ]
70+
args: [ '--oss-only', '--verbose', '--metrics=off', '--baseline-commit', 'main', '--config=tools/semgrep/rules-vendored.yaml', '--max-log-list-entries=0', '--sarif-output', '.tmp/semgrep.sarif.json', '--error' ]
6071
stages: [pre-push]
6172
- repo: https://github.com/bridgecrewio/checkov
6273
rev: 3.2.500

.semgrep.yaml

Lines changed: 0 additions & 44 deletions
This file was deleted.

0 commit comments

Comments
 (0)