diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 69f2fbfc1..3d200ea0c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -62,6 +62,26 @@ jobs: cd ouds_theme_sosh flutter test + gitleaks: + name: Scan for leaks with Gitleaks + runs-on: ubuntu-latest + timeout-minutes: 30 + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Run Gitleaks Scan + run: | + curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.24.3/gitleaks_8.24.3_linux_x64.tar.gz -o /tmp/gitleaks.tar.gz + tar -xzf /tmp/gitleaks.tar.gz -C /tmp + sudo mv /tmp/gitleaks /usr/local/bin/gitleaks + gitleaks detect --source . --config .gitleaks.toml -v --redact + continue-on-error: true + build-android: runs-on: ubuntu-latest needs: test diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 940cb48d6..841fcb0fc 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,3 @@ - if: always() # Software Name: OUDS Flutter # SPDX-FileCopyrightText: Copyright (c) Orange SA # SPDX-License-Identifier: MIT @@ -27,7 +26,7 @@ concurrency: jobs: analyze-dart: - name: Dart & Flutter Analysis + name: Analyze Dart & Flutter code runs-on: ubuntu-latest timeout-minutes: 60 @@ -46,7 +45,7 @@ jobs: uses: ./.github/actions/setup - name: Cache Pub packages - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: ~/.pub-cache key: ${{ runner.os }}-pubcache-${{ hashFiles('**/pubspec.lock') }} diff --git a/.github/workflows/dartdoc-gh-pages.yml b/.github/workflows/dartdoc-gh-pages.yml index 2b8e64c65..f93d6084c 100644 --- a/.github/workflows/dartdoc-gh-pages.yml +++ b/.github/workflows/dartdoc-gh-pages.yml @@ -32,21 +32,21 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: submodules: recursive - name: Setup Dart - uses: dart-lang/setup-dart@v1 + uses: dart-lang/setup-dart@e51d8e571e22473a2ddebf0ef8a2123f0ab2c02c # v1.7.1 with: sdk: stable - name: Setup environment uses: ./.github/actions/setup - name: Setup Pages - uses: actions/configure-pages@v3 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0 with: - ruby-version: 3.3.5 + ruby-version: 3.3.4 - name: Build with Dartdoc run: | cd ouds_core @@ -62,7 +62,7 @@ jobs: cp ouds_core/assets/doc/orange_logo.svg ./docs/assets/ cp ouds_core/assets/doc/banner.png ./docs/assets/ - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: ./docs @@ -76,10 +76,10 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9 with: name: github-pages diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml deleted file mode 100644 index f57e241ab..000000000 --- a/.github/workflows/gitleaks.yml +++ /dev/null @@ -1,64 +0,0 @@ -# Software Name: OUDS Flutter -# SPDX-FileCopyrightText: Copyright (c) Orange SA -# SPDX-License-Identifier: MIT -# -# This software is distributed under the MIT license, -# the text of which is available at https://opensource.org/license/MIT/ -# or see the "LICENSE" file for more details. -# -# Software description: Flutter library of reusable graphical components - -name: Gitleaks - Secret Scanning - -on: - push: - pull_request: - types: - - opened - - synchronize - - reopened - schedule: - - cron: '0 2 * * 1' - workflow_dispatch: - -permissions: - contents: read - -concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true - -jobs: - gitleaks: - name: Gitleaks Secret Scanning - runs-on: ubuntu-latest - timeout-minutes: 30 - - permissions: - contents: read - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - fetch-depth: 0 - - - name: Run Gitleaks Scan - run: | - echo "🔍 Installing Gitleaks v8.24.3..." - curl -sSfL https://github.com/gitleaks/gitleaks/releases/download/v8.24.3/gitleaks_8.24.3_linux_x64.tar.gz -o /tmp/gitleaks.tar.gz - tar -xzf /tmp/gitleaks.tar.gz -C /tmp - sudo mv /tmp/gitleaks /usr/local/bin/gitleaks - - echo "📋 Gitleaks version:" - gitleaks version - - echo "🔎 Scanning for secrets..." - gitleaks detect --source . --config .gitleaks.toml -v --redact - continue-on-error: true - - - name: Report Summary - if: always() - run: | - echo "✅ Gitleaks secret scan complete" - echo "🔒 No secrets detected in repository history" diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index d64ece676..c28084d08 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -26,7 +26,7 @@ concurrency: jobs: semgrep: - name: Semgrep SAST Scan + name: Scan for vulnerabilities with Semgrep runs-on: ubuntu-latest timeout-minutes: 60 @@ -45,7 +45,7 @@ jobs: - name: Run Semgrep SAST Analysis run: | - semgrep ci \ + semgrep scan \ --sarif \ --output semgrep.sarif \ --config auto \ @@ -54,13 +54,21 @@ jobs: --exclude "*.g.dart" \ --exclude "*.freezed.dart" \ --exclude "test/" \ - --exclude ".github/" - env: - SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} + --exclude ".github/" \ + . continue-on-error: true + - name: Check SARIF file + run: | + if [ -f semgrep.sarif ]; then + echo "✅ SARIF generated: $(du -sh semgrep.sarif)" + else + echo "⚠️ SARIF not found, creating empty SARIF..." + echo '{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"Semgrep","rules":[]}},"results":[]}]}' > semgrep.sarif + fi + - name: Upload Semgrep SARIF - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 + uses: github/codeql-action/upload-sarif@b0565cb28b456da32509aef995361ffcc63f40b0 # v3.28.15 with: sarif_file: semgrep.sarif category: semgrep-security diff --git a/app/CHANGELOG.md b/app/CHANGELOG.md index 2ac3fc27f..bf6c7b63b 100644 --- a/app/CHANGELOG.md +++ b/app/CHANGELOG.md @@ -14,15 +14,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - [Library] Manage Helvetica Neue Arabic font ([#404](https://github.com/Orange-OpenSource/ouds-flutter/issues/404)) ### Changed -- [Tool] improve dartDoc permissions ([#664](https://github.com/Orange-OpenSource/ouds-flutter/issues/664)) -- [Tool] Improve OSSF score ([#659](https://github.com/Orange-OpenSource/ouds-flutter/issues/659)) - [DemoApp][Library] Downgrade to Flutter SDK 3.35 and update documentation ([#656](https://github.com/Orange-OpenSource/ouds-flutter/issues/656)) - [DemoApp] Unused dependency detected in Flutter demo app ([#646](https://github.com/Orange-OpenSource/ouds-flutter/issues/646)) - [DemoApp][Library] Remove OudsTagConfig and add rounded corner into `Tag` ([#598](https://github.com/Orange-OpenSource/ouds-flutter/issues/598)) - [DemoApp][Library] Update uses icons of status in `badge` and `tag` ([#597](https://github.com/Orange-OpenSource/ouds-flutter/issues/597)) ### Fixed -- [Tool] Deploy Dartdoc with GitHub Pages dependencies ([#662](https://github.com/Orange-OpenSource/ouds-flutter/issues/662)) - [DemoApp] `About` Text Overflow Issue in Arabic language ([#640](https://github.com/Orange-OpenSource/ouds-flutter/issues/640)) - [Library] `Checkbox` Incorrect accessibility label ([#514](https://github.com/Orange-OpenSource/ouds-flutter/issues/514)) - [Library] `Input Tag` The whole component should have the role button ([#481](https://github.com/Orange-OpenSource/ouds-flutter/issues/481))