forked from pipeline-foundation/RestSharp
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Implement DevSecOps through GitHub's Dependabot and CodeQL
- Loading branch information
Showing
11 changed files
with
126 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "github-actions" | ||
| # default location of `.github/workflows` | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
|
|
||
| - package-ecosystem: "nuget" | ||
| # location of package manifests | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" | ||
|
|
||
| # Built with ❤ by [Pipeline Foundation](https://pipeline.foundation) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| name: CodeQL Analysis | ||
|
|
||
| on: | ||
| push: | ||
| pull_request: | ||
| workflow_dispatch: | ||
| schedule: | ||
| - cron: '0 8 * * *' | ||
|
|
||
| jobs: | ||
| analyze: | ||
| name: codeql-analysis | ||
| runs-on: windows-latest | ||
| steps: | ||
| # Due to the insufficient memory allocated by default, CodeQL sometimes requires more to be manually allocated | ||
| - name: Configure Pagefile | ||
| id: config_pagefile | ||
| uses: al-cheb/configure-pagefile-action@v1.2 | ||
| with: | ||
| minimum-size: 8GB | ||
| maximum-size: 32GB | ||
| disk-root: "D:" | ||
|
|
||
| - name: Checkout repository | ||
| id: checkout_repo | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Initialize CodeQL | ||
| id: init_codeql | ||
| uses: github/codeql-action/init@v1 | ||
| with: | ||
| queries: security-and-quality | ||
|
|
||
| - name: Build project | ||
| id: build_project | ||
| shell: pwsh | ||
| run: | | ||
| dotnet build ./src/RestSharp/RestSharp.csproj -c Release | ||
| - name: Perform CodeQL Analysis | ||
| id: analyze_codeql | ||
| uses: github/codeql-action/analyze@v1 | ||
|
|
||
| # Built with ❤ by [Pipeline Foundation](https://pipeline.foundation) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # RestSharp CI/CD documentation | ||
|
|
||
| ## 1. Set up Dependabot | ||
|
|
||
| Dependabot is a GitHub native security tool that goes through the dependencies in the project and creates alerts, and PRs with updates when a new and/or non-vulnerable version is found. | ||
|
|
||
| - for PRs with version updates, this pipeline comes pre-configured for all current dependency sources in the project, so at "Insights" tab -> "Dependency graph" -> "Dependabot", you should be able to see all tracked sources of dependencies, when they have been checked last and view a full log of the last check | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| ### Set up security alerts and updates | ||
| ##### - GitHub, through Dependabot, also natively offers a security check for vulnerable dependencies | ||
|
|
||
| 1. Go to the project's GitHub repository and click on the **Settings** tab | ||
|
|
||
| 2. Go to **Security & analysis** section | ||
|
|
||
| 3. Click "Enable" for both "Dependabot alerts" and "Dependabot security updates" | ||
|
|
||
| - By enabling "Dependabot alerts", you would be notified for any vulnerable dependencies in the project. At "Security" tab -> "Dependabot alerts", you can manage all alerts. By clicking on an alert, you would be able to see a detailed explanation of the vulnerability and a viable solution. | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| - By enabling "Dependabot security updates", you authorize Dependabot to create PRs specifically for **security updates** | ||
|
|
||
|  | ||
|
|
||
| ### Set up Dependency graph | ||
| ##### - The "Dependency graph" option should be enabled by default for all public repos, but in case it isn't: | ||
|
|
||
| 1. Go to the project's GitHub repository and click on the **Settings** tab | ||
|
|
||
| 2. Go to **Security & analysis** section | ||
|
|
||
| 3. Click "Enable" for the "Dependency graph" option | ||
|
|
||
| - this option enables the "Insights" tab -> "Dependency graph" section -> "Dependencies" tab, in which all the dependencies for the project are listed, under the different manifests they are included in | ||
|
|
||
|  | ||
|
|
||
| NOTE: **screenshots are only exemplary** | ||
|
|
||
| <br> | ||
|
|
||
| ## 2. CodeQL | ||
|
|
||
| CodeQL is GitHub's own industry-leading semantic code analysis engine. CodeQL requires no setup, because it comes fully pre-configured by us. | ||
|
|
||
| To activate it and see its results, only a push commit or a merge of a PR to the default branch of your repository, is required. | ||
|
|
||
| We've also configured CodeQL to run on schedule, so every day at 8:00AM UTC, it automatically tests the code. | ||
|
|
||
| - you can see the results here at **Security** tab -> **Code scanning alerts** -> **CodeQL**: | ||
|
|
||
|  | ||
|
|
||
| - on the page of each result, you can see an explanation of what the problem is and also one or more solutions: | ||
|
|
||
|  | ||
|
|
||
| # | ||
|
|
||
| Built with ❤ by [Pipeline Foundation](https://pipeline.foundation) |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.