Skip to content

Commit 42c32ee

Browse files
feat: GitHub setup incremental improvements (#11)
* feat: add pre-commit, pull request template, and fixes Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: add bandit baseline Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: markdown lint Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: change the baseline commit for semgrep Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * chore: update pre-commit hooks Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: validator cross refs for plugins Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: add validate cross references to ci Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: add advanced CodeQL Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * docs: add CODEOWNERS file Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: ignore more feature Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: stuff Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: remove push Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: unmatrix pre-commit Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: gitleaks ignore Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: semgrep only on pre-push Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * Add Dependency Review workflow for pull requests Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: add grype and checkov Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: update filelock Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: update virtualenv Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: add codeql and dependency review Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: addressing comments Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: remove hardcoded repo Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: updated mise version Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: rename scanners workflow Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: add pull request linting workflow Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: CODEOWNERS updates Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: concurrency and switching notice to debug Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: title Scorecard Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: naming and remove allowed license Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: bandit to main commit hash Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: add semgrep ignore file Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: pin actions Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: update gitleaks ignore file Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: move pr template Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: mise install installs dprint Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: convert SemGrep text values to severity Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: convert SemGrep text values case-insensitive to severity Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: location for sonarqube line Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: semgrep exclusion Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: add nosemgrep for rule Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: max log list entries Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: exlcude pro version Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: 19 pro exlcuded Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: trail of bits * fix: add nosemgrep within the option Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: sarif output from base32d to base64 Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: make non-zero exit codes Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: prior false positive gitleaks baseline Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: add checkov and bandit Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: gitleaks baseline update Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: remove bandit baseline Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * Claude code pr-review-kit Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: updated hash for codeql Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat: added pre-commit and updated workflows Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: add security scanners Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: add grype to mise Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * fix: semgrep fix in toml Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> --------- Signed-off-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com>
1 parent 551c360 commit 42c32ee

13 files changed

Lines changed: 403 additions & 69 deletions

.bandit-baseline.json

Lines changed: 0 additions & 20 deletions
This file was deleted.

.github/PULL_REQUEST_TEMPLATE/pull_request_template.md renamed to .github/pull_request_template.md

File renamed without changes.

.github/workflows/codeql.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -73,7 +73,7 @@ jobs:
7373
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
7474
steps:
7575
- name: Checkout repository
76-
uses: actions/checkout@v4
76+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
7777

7878
# Add any setup steps before running the `github/codeql-action/init` action.
7979
# This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -83,7 +83,7 @@ jobs:
8383

8484
# Initializes the CodeQL tools for scanning.
8585
- name: Initialize CodeQL
86-
uses: github/codeql-action/init@v4
86+
uses: github/codeql-action/init@74c8748a6f2dada2c01b25ae170d7858ac90f4af # v4.32.2
8787
with:
8888
languages: ${{ matrix.language }}
8989
build-mode: ${{ matrix.build-mode }}
@@ -112,6 +112,6 @@ jobs:
112112
exit 1
113113
114114
- name: Perform CodeQL Analysis
115-
uses: github/codeql-action/analyze@v4
115+
uses: github/codeql-action/analyze@74c8748a6f2dada2c01b25ae170d7858ac90f4af # v4.32.2
116116
with:
117117
category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -8,9 +8,9 @@ jobs:
88
dependency-review:
99
runs-on: ubuntu-latest
1010
steps:
11-
- uses: actions/checkout@v4
12-
- uses: actions/dependency-review-action@v4
11+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
12+
- uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
1313
with:
14-
config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@main
14+
config-file: amazon-ospo/dependency-review-config/default/dependency-review-config.yml@8e4c9fdde54d2b7c6a3a28b97eddd26c4cd90a66 # main
1515
# # distlib
1616
# allow-dependencies-licenses: "pkg:pypi/distlib@0.4.0"

.github/workflows/quality.yml

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@ on:
55
branches: [main]
66
pull_request:
77
branches: [main]
8+
workflow_dispatch:
89
permissions:
910
actions: none
1011
attestations: none
@@ -29,18 +30,13 @@ jobs:
2930
runs-on: ubuntu-latest
3031
steps:
3132
- name: Checkout
32-
uses: actions/checkout@v6
33+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3334

3435
- name: Setup mise
35-
uses: jdx/mise-action@v3
36+
uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
3637
with:
3738
cache: true
3839

39-
- name: Install dprint
40-
run: |
41-
curl -fsSL https://dprint.dev/install.sh | sh
42-
echo "$HOME/.dprint/bin" >> $GITHUB_PATH
43-
4440
- name: Check formatting
4541
run: mise run fmt:check
4642

.github/workflows/scorecard-analysis.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@ jobs:
2020

2121
steps:
2222
- name: "Checkout code"
23-
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
23+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2424
with:
2525
persist-credentials: false
2626

0 commit comments

Comments
 (0)