Skip to content

IT Security Code Scan #1

IT Security Code Scan

IT Security Code Scan #1

# This configuration/runner/tools is maintained by IT Security Team, any unauthorized changes will be detected and considered as violation against IT Security Policy
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
name: "IT Security Code Scan"
on:
push:
# The branches below must be a subset of the branches above
branches: [main]
paths-ignore:
- '**/*.md'
- '**/*.txt'
- '**/*.yml'
- '**/*.yaml'
pull_request:
# The branches below must be a subset of the branches above
branches: [main]
paths-ignore:
- '**/*.md'
- '**/*.txt'
- '**/*.yml'
- '**/*.yaml'
workflow_dispatch:
jobs:
analyze:
name: Analyze
runs-on: [runnerset=code-scanning-runners]
if: ${{ github.actor != 'dependabot[bot]' }}
permissions: write-all
env:
CODEQL_RAM: 8192
CODEQL_THREADS: 2
GOPRIVATE: github.com/tokopedia/*
strategy:
fail-fast: false
matrix:
# Override automatic language detection by changing the below list
# Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
language: ['javascript']
# Learn more...
# https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
steps:
- name: Google Auth
id: auth
uses: google-github-actions/auth@v0
with:
token_format: 'access_token'
workload_identity_provider: 'projects/208021311280/locations/global/workloadIdentityPools/github-identity-pool/providers/code-scanning-pool-provider'
service_account: wif-code-scanning@secrets-management-staging.iam.gserviceaccount.com
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v0'
- id: 'secrets'
uses: 'google-github-actions/get-secretmanager-secrets@v1'
with:
min_mask_length: '20'
secrets: |-
codescanner-credential:${{ secrets.CODESCANNER_GSM }}/appsec-codescanner-key
- name: Check out itsec-sdk-go
uses: actions/checkout@v3
with:
repository: tokopedia/itsec-sdk-go
ref: main
ssh-key: ${{ steps.secrets.outputs.codescanner-credential}}
path: ./.github/actions/itsec-sdk-go
- name: Setup SSH
uses: ./.github/actions/itsec-sdk-go/ssh-setup-action
with:
host: github.com
private-key: ${{ steps.secrets.outputs.codescanner-credential }}
- name: Checkout repository
uses: actions/checkout@v2
- run: git config --global --add url."git@github.com:".insteadOf "https://github.com/"
- name: Set Up Go
if: matrix.language == 'go'
uses: actions/setup-go@v2
with:
go-version: 1.19
- name: Set Up Node
if: matrix.language == 'javascript'
uses: actions/setup-node@v3
with:
node-version: '14'
- name: Set Up Python
if: matrix.language == 'python'
uses: actions/setup-python@v3
with:
python-version: '3.x'
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v2
# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
#- run: |
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2