diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..915cd9a
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,32 @@
+version: 2
+
+updates:
+ - package-ecosystem: nuget
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 10
+ labels:
+ - dependencies
+ - security
+
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ - security
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ day: monday
+ open-pull-requests-limit: 5
+ labels:
+ - dependencies
+ - ci
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..dbad03e
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,39 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: "0 6 * * 1"
+
+permissions:
+ security-events: write
+ contents: read
+
+jobs:
+ analyze:
+ name: CodeQL Analysis
+ runs-on: windows-latest
+
+ steps:
+ # actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+ # github/codeql-action/init@v3
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@480db559a14342288b67e54bd959dd52dc3ee68f
+ with:
+ languages: csharp
+ queries: security-extended
+
+ # github/codeql-action/autobuild@v3
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@480db559a14342288b67e54bd959dd52dc3ee68f
+
+ # github/codeql-action/analyze@v3
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@480db559a14342288b67e54bd959dd52dc3ee68f
+ with:
+ category: "/language:csharp"
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 0000000..0c020f2
--- /dev/null
+++ b/.github/workflows/security-scan.yml
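Review bot: The `security` label in each `labels:` list is attached to every version-update PR, so it cannot be used to single out advisory-driven updates; as far as I recall, configuring `labels:` replaces Dependabot's default labels rather than adding to them, so the label loses its usual meaning. If the label is meant for triage, keep only `- dependencies` (plus an ecosystem label such as `- ci` as in the github-actions entry) and let security updates carry their own marker. The three entries otherwise differ only in `open-pull-requests-limit`; a one-line comment above `updates:` stating why nuget gets 10 and the others 5 would help the next maintainer.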
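Review bot: The `permissions:` block in codeql.yml grants only `security-events: write` and `contents: read`; if this repository is private, the CodeQL starter workflow also lists `actions: read` as required for the upload in the `Perform CodeQL Analysis` step, so add `actions: read` under `permissions:` (it is harmless on a public repository). Pinning every action to a commit SHA with the tag recorded in a comment above it is the right pattern here and in security-scan.yml; test.yml in the same commit does not follow it. A short comment above `schedule:` noting the weekly cron is the Monday 06:00 UTC full scan would make the trigger intent explicit.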
@@ -0,0 +1,50 @@
+name: Security Scan
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ gitleaks:
+ name: Secret Scanning
+ runs-on: ubuntu-latest
+
+ steps:
+ # actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ fetch-depth: 0
+
+ # gitleaks/gitleaks-action@v2
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ semgrep:
+ name: Semgrep SAST
+ runs-on: ubuntu-latest
+
+ container:
+ image: semgrep/semgrep
+
+ steps:
+ # actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+
+ - name: Run Semgrep
+ run: semgrep scan --config "p/csharp" --config "p/secrets" --config "p/owasp-top-ten" --config "p/javascript" --sarif --output semgrep-results.sarif
+
+ # github/codeql-action/upload-sarif@v3
+ - name: Upload Semgrep SARIF
+ uses: github/codeql-action/upload-sarif@480db559a14342288b67e54bd959dd52dc3ee68f
+ if: always()
+ with:
+ sarif_file: semgrep-results.sarif
+ category: semgrep
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..6d71e54
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,30 @@
+name: Tests
+
+on:
+ push:
+ branches: ["*"]
+ pull_request:
+ branches: [main, master]
+
+jobs:
+ test:
+ runs-on: windows-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Restore packages
+ run: dotnet restore
+
+ - name: Build
+ run: dotnet build -c Release --no-restore
+
+ - name: Run tests
+ run: dotnet test src/SimSteward.Plugin.Tests/SimSteward.Plugin.Tests.csproj -c Release --no-build --logger trx --results-directory TestResults -v normal
+
+ - name: Upload test results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: test-results
+ path: TestResults/
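Review bot: `image: semgrep/semgrep` under `container:` in the `semgrep` job carries no tag or digest, so the SAST job pulls whatever that image's default tag resolves to at run time — the one unpinned supply-chain input in a file that otherwise pins every action to a commit SHA. Pin it the same way, e.g. `image: semgrep/semgrep:<version>@sha256:<digest>` (placeholder values), and record the chosen version in a comment above it as the actions already do, since the Dependabot config in this commit has no entry that would bump it. The `Upload Semgrep SARIF` step runs under `if: always()`, which is right for surfacing results even when the scan step fails, but it means a missing `semgrep-results.sarif` from an earlier crash fails the upload rather than the scan; a comment noting that intent would help.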
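Review bot: test.yml has no `permissions:` block, so its `GITHUB_TOKEN` gets the repository's default scope, which can still be write-all on older repositories; the job only checks out and uploads an artifact, so add `permissions:` with `contents: read` at the top, matching the other two workflows in this commit. `actions/checkout@v4` and `actions/upload-artifact@v4` are floating tags, unlike the SHA-pinned refs in codeql.yml and security-scan.yml — pin them to a commit SHA with the tag in a comment above, as those files do. Separately, the `push` filter `branches: ["*"]` does not match branch names containing `/` because GitHub's `*` glob stops at `/`, so `feature/x`-style branches will not run tests; use `branches: ["**"]` if every branch is intended.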