Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump elliptic from 6.5.3 to 6.5.4 #14

Closed
wants to merge 7 commits into from
Closed
Show file tree
Hide file tree
Changes from 6 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
version: 2
updates:
- package-ecosystem: "github-actions"
# default location of `.github/workflows`
directory: "/"
schedule:
interval: "weekly"

- package-ecosystem: "nuget"
# location of package manifests
directory: "/"
schedule:
interval: "daily"

# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
44 changes: 44 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: CodeQL Analysis

on:
push:
pull_request:
workflow_dispatch:
schedule:
- cron: '0 8 * * *'

jobs:
analyze:
name: codeql-analysis
runs-on: windows-latest
steps:
# Due to the insufficient memory allocated by default, CodeQL sometimes requires more to be manually allocated
- name: Configure Pagefile
id: config_pagefile
uses: al-cheb/configure-pagefile-action@v1.2
with:
minimum-size: 8GB
maximum-size: 32GB
disk-root: "D:"

- name: Checkout repository
id: checkout_repo
uses: actions/checkout@v2

- name: Initialize CodeQL
id: init_codeql
uses: github/codeql-action/init@v1
with:
queries: security-and-quality

- name: Build project
id: build_project
shell: pwsh
run: |
dotnet build ./src/RestSharp/RestSharp.csproj -c Release

- name: Perform CodeQL Analysis
id: analyze_codeql
uses: github/codeql-action/analyze@v1

# Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
67 changes: 67 additions & 0 deletions docs/CI-CD_DOCUMENTATION/CI-CD_DOCUMENTATION.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# RestSharp CI/CD documentation

## 1. Set up Dependabot

Dependabot is a GitHub native security tool that goes through the dependencies in the project and creates alerts, and PRs with updates when a new and/or non-vulnerable version is found.

- for PRs with version updates, this pipeline comes pre-configured for all current dependency sources in the project, so at "Insights" tab -> "Dependency graph" -> "Dependabot", you should be able to see all tracked sources of dependencies, when they have been checked last and view a full log of the last check

![Dependabot_tab](/docs/CI-CD_DOCUMENTATION/Dependabot_tab.png)

![Dependabot_log_page](/docs/CI-CD_DOCUMENTATION/Dependabot_log_page.png)

### Set up security alerts and updates
##### - GitHub, through Dependabot, also natively offers a security check for vulnerable dependencies

1. Go to the project's GitHub repository and click on the **Settings** tab

2. Go to **Security & analysis** section

3. Click "Enable" for both "Dependabot alerts" and "Dependabot security updates"

- By enabling "Dependabot alerts", you would be notified for any vulnerable dependencies in the project. At "Security" tab -> "Dependabot alerts", you can manage all alerts. By clicking on an alert, you would be able to see a detailed explanation of the vulnerability and a viable solution.

![Dependabot_alerts_page](/docs/CI-CD_DOCUMENTATION/Dependabot_alerts_page.png)

![Dependabot_alert_page](/docs/CI-CD_DOCUMENTATION/Dependabot_alert_page.png)

- By enabling "Dependabot security updates", you authorize Dependabot to create PRs specifically for **security updates**

![Dependabot_PRs](/docs/CI-CD_DOCUMENTATION/Dependabot_PRs.png)

### Set up Dependency graph
##### - The "Dependency graph" option should be enabled by default for all public repos, but in case it isn't:

1. Go to the project's GitHub repository and click on the **Settings** tab

2. Go to **Security & analysis** section

3. Click "Enable" for the "Dependency graph" option

- this option enables the "Insights" tab -> "Dependency graph" section -> "Dependencies" tab, in which all the dependencies for the project are listed, under the different manifests they are included in

![Dependabot_dependency_graph](/docs/CI-CD_DOCUMENTATION/Dependabot_dependency_graph.png)

NOTE: **screenshots are only exemplary**

<br>

## 2. CodeQL

CodeQL is GitHub's own industry-leading semantic code analysis engine. CodeQL requires no setup, because it comes fully pre-configured by us.

To activate it and see its results, only a push commit or a merge of a PR to the default branch of your repository, is required.

We've also configured CodeQL to run on schedule, so every day at 8:00AM UTC, it automatically tests the code.

- you can see the results here at **Security** tab -> **Code scanning alerts** -> **CodeQL**:

![CodeQL_results](/docs/CI-CD_DOCUMENTATION/CodeQL_results.png)

- on the page of each result, you can see an explanation of what the problem is and also one or more solutions:

![CodeQL_alert_page](/docs/CI-CD_DOCUMENTATION/CodeQL_alert_page.png)

#

Built with ❤ by [Pipeline Foundation](https://pipeline.foundation)
Binary file added docs/CI-CD_DOCUMENTATION/CodeQL_alert_page.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/CI-CD_DOCUMENTATION/CodeQL_results.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/CI-CD_DOCUMENTATION/Dependabot_PRs.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/CI-CD_DOCUMENTATION/Dependabot_log_page.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added docs/CI-CD_DOCUMENTATION/Dependabot_tab.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.