-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
13 changed files
with
312 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,99 @@ | ||
--- | ||
name: MegaLinter | ||
|
||
# yamllint disable-line rule:truthy | ||
on: | ||
# Triggers mega-linter when a pull_request event's activity type is opened, synchronize, or reopened by default. | ||
pull_request: | ||
branches: | ||
- main | ||
workflow_dispatch: | ||
|
||
|
||
permissions: | ||
contents: write | ||
issues: write | ||
pull-requests: write | ||
|
||
env: | ||
# Comment env block if you do not want to apply fixes | ||
# Apply linter fixes configuration | ||
APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) | ||
APPLY_FIXES_EVENT: all # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) | ||
APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) | ||
|
||
concurrency: | ||
group: ${{ github.ref }}-${{ github.workflow }} | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
build: | ||
name: MegaLinter | ||
runs-on: ubuntu-latest | ||
permissions: write-all | ||
steps: | ||
# Git Checkout | ||
- name: Checkout Code | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4 | ||
with: | ||
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | ||
fetch-depth: 0 | ||
|
||
# MegaLinter | ||
- name: MegaLinter | ||
id: ml | ||
uses: oxsecurity/megalinter/flavors/javascript@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # pin@v7.13.0 | ||
env: | ||
VALIDATE_ALL_CODEBASE: true | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
# Upload MegaLinter artifacts | ||
- name: Archive production artifacts | ||
if: always() | ||
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3 | ||
with: | ||
name: MegaLinter reports | ||
path: | | ||
megalinter-reports | ||
megalinter-reports/megalinter.log | ||
# Create pull request if applicable (for now works only on PR from same repository, not from forks) | ||
- name: Create Pull Request with applied fixes | ||
id: cpr | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5 | ||
with: | ||
token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} | ||
commit-message: "[MegaLinter] Apply linters automatic fixes" | ||
title: "[MegaLinter] Apply linters automatic fixes" | ||
labels: bot | ||
- name: Create PR output | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
run: | | ||
echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}" | ||
echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}" | ||
# Push new commit if applicable (for now works only on PR from same repository, not from forks) | ||
- name: Prepare commit | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
run: sudo chown -Rc $UID .git/ | ||
- name: Commit and push applied linter fixes | ||
if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository) | ||
uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # pin@v5 | ||
with: | ||
branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }} | ||
commit_message: "[MegaLinter] Apply linters fixes" | ||
commit_user_name: megalinter-bot | ||
commit_user_email: nicolas.vuillamy@ox.security | ||
|
||
- name: Check to see if the SARIF a was generated | ||
id: sarif_file_exists | ||
uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # pin@v2 | ||
with: | ||
files: "megalinter-reports/megalinter-report.sarif" | ||
|
||
- name: Upload MegaLinter scan results to GitHub Security tab | ||
if: steps.sarif_file_exists.outputs.files_exists == 'true' | ||
uses: github/codeql-action/upload-sarif@3e0e84636c6f5df46a2cb232ae1dd1384713150d # pin@v2 | ||
with: | ||
sarif_file: "megalinter-reports/megalinter-report.sarif" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -120,3 +120,6 @@ web_modules/ | |
_site | ||
public | ||
node_modules | ||
|
||
megalinter-reports | ||
reports |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
|
||
title = "gitleaks config" | ||
|
||
[extend] | ||
# useDefault will extend the base configuration with the default gitleaks config: | ||
# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml | ||
useDefault = true | ||
|
||
[allowlist] | ||
description = "Allowlisted files" | ||
paths = [ | ||
'''.automation/test''', | ||
'''megalinter-reports''', | ||
'''.github/linters''', | ||
'''node_modules''', | ||
'''.mypy_cache''', | ||
'''(.*?)gitleaks\.toml$''', | ||
'''(?i)(.*?)(png|jpeg|jpg|gif|doc|docx|pdf|bin|xls|xlsx|pyc|zip)$''', | ||
'''(go.mod|go.sum)$'''] | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
--- | ||
fail-on-severity: "high" | ||
|
||
exclude: | ||
- './node_modules/**' | ||
- './.git/**' | ||
- './.github/**' | ||
- './_site/**' | ||
|
||
ignore: | ||
|
||
# Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail | ||
# @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225 | ||
- vulnerability: CVE-2018-20225 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
{ | ||
"retryOn429": true, | ||
"retryCount": 5, | ||
"aliveStatusCodes": [200, 203], | ||
"ignorePatterns": [ | ||
{ | ||
"pattern": "^https?://github.com/" | ||
} | ||
] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
--- | ||
blanks-around-fences: false | ||
blanks-around-headings: false | ||
blanks-around-lists: false | ||
code-fence-style: false | ||
emphasis-style: false | ||
heading-start-left: false | ||
hr-style: false | ||
list-indent: false | ||
list-marker-space: false | ||
no-blanks-blockquote: false | ||
no-hard-tabs: false | ||
no-missing-space-atx: false | ||
no-missing-space-closed-atx: false | ||
no-multiple-blanks: false | ||
no-multiple-space-atx: false | ||
no-multiple-space-blockquote: false | ||
no-multiple-space-closed-atx: false | ||
no-trailing-spaces: false | ||
ol-prefix: false | ||
strong-style: false | ||
ul-indent: false | ||
|
||
MD013: | ||
line_length: 999 | ||
heading_line_length: 999 | ||
code_block_line_length: 999 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
--- | ||
# don't test the reports Mega-Linter created, docs, or test files | ||
ADDITIONAL_EXCLUDED_DIRECTORIES: [ | ||
report, | ||
megalinter-reports, | ||
docs, | ||
node_modules, | ||
_site, | ||
] | ||
|
||
# don't lint test files or documentation | ||
FILTER_REGEX_EXCLUDE: (.venv/|/test/|\.test\.|_test\.|/docs/|/index.html|.github/.*\.html) | ||
|
||
# don't scan files listed in .gitignore (e.g., node_modules) | ||
IGNORE_GITIGNORED_FILES: true | ||
|
||
# Disable devskim as it's reporting an error with no log message | ||
DISABLE_LINTERS: | ||
[ | ||
REPOSITORY_DEVSKIM, | ||
SPELL_MISSPELL, | ||
SPELL_CSPELL, | ||
SPELL_PROSELINT, | ||
COPYPASTE_JSCPD, | ||
BASH_EXEC, | ||
] | ||
|
||
# only scan new / updated files, not everything | ||
VALIDATE_ALL_CODEBASE: true | ||
|
||
# don't print the alpaca -- it's cute, but we don't need it in the logs | ||
PRINT_ALPACA: false | ||
|
||
# write a SARIF file | ||
SARIF_REPORTER: true | ||
|
||
# don't fail on finding (yet) | ||
DISABLE_ERRORS: true | ||
|
||
# use prettier for JavaScript code formatting | ||
JAVASCRIPT_DEFAULT_STYLE: prettier | ||
|
||
# only scan the files in This commit, not the entire history of the repo | ||
REPOSITORY_GITLEAKS_ARGUMENTS: --no-git | ||
|
||
# don't lint the generated code in the docs/ directory | ||
REPOSITORY_DEVSKIM_ARGUMENTS: "--skip-git-ignored-files" | ||
|
||
# shfmt will.. | ||
# - use multiples of 2 spaces for indenting | ||
# - alllow binary operations to start new lines | ||
# - indent switch case statements | ||
# - place spaces around redirections | ||
# - keep column alignment padding | ||
BASH_SHFMT_ARGUMENTS: -i 2 -bn -ci -sr -kp | ||
|
||
REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--exclude-paths=.trufflehogignore" |
Oops, something went wrong.