diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index e4762fe7c..f96c78a62 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,26 +1,27 @@
-* @centreon/owners-connectors
+* @centreon/owners-connectors
 
-*.md @centreon/owners-doc
-*.mdx @centreon/owners-doc
+*.md @centreon/owners-doc
+*.mdx @centreon/owners-doc
 
-*.cmake @centreon/owners-cpp
-CMakeLists.txt @centreon/owners-cpp
-Makefile @centreon/owners-cpp
+*.cmake @centreon/owners-cpp
+CMakeLists.txt @centreon/owners-cpp
+Makefile @centreon/owners-cpp
 
-*.pm @centreon/owners-perl
-*.pl @centreon/owners-perl
-*.t @centreon/owners-perl
+*.pm @centreon/owners-perl
+*.pl @centreon/owners-perl
+*.t @centreon/owners-perl
 
-*.py @centreon/owners-python
+*.py @centreon/owners-python
 
-*.sh @centreon/owners-bash
+*.sh @centreon/owners-bash
 
-tests/** @centreon/owners-robot-e2e
+tests/** @centreon/owners-robot-e2e
 
-.github/** @centreon/owners-pipelines
-packaging/** @centreon/owners-perl
-selinux/** @centreon/owners-pipelines
-.github/scripts/pod_spell_check.t @centreon/owners-perl
+.github/** @centreon/owners-pipelines
+packaging/** @centreon/owners-perl
+selinux/** @centreon/owners-pipelines
+.github/scripts/pod_spell_check.t @centreon/owners-perl
 
-.gitleaks.toml @centreon/owners-security
-.gitleaksignore @centreon/owners-security
+.gitleaks.toml @centreon/owners-security
+.gitleaksignore @centreon/owners-security
+**/checkmarx-analysis.yml @centreon/owners-security
diff --git a/.github/workflows/checkmarx-analysis.yml b/.github/workflows/checkmarx-analysis.yml
new file mode 100644
index 000000000..be219a0be
--- /dev/null
+++ b/.github/workflows/checkmarx-analysis.yml
@@ -0,0 +1,68 @@
+name: Checkmarx scans
+
+on:
+ workflow_call:
+ inputs:
+ module_name:
+ required: true
+ type: string
+ module_directory:
+ required: false
+ type: string
+
+ secrets:
+ base_uri:
+ required: true
+ cx_tenant:
+ required: true
+ cx_client_id:
+ required: true
+ cx_client_secret:
+ required: true
+
+jobs:
+ build:
+ name: Binary preparation
+ runs-on: ubuntu-24.04
+ outputs:
+ enable_analysis: ${{ steps.routing.outputs.enable_analysis }}
+
+ steps:
+ - name: routing
+ id: routing
+ run: |
+ # Quality gate settings
+ ENABLE_QG="true"
+ if [[ "${{ vars.CHECKMARX_QUALITY_GATE }}" != "true" ]]; then
+ # disabling all QG in case of incident with the service
+ ENABLE_QG="false"
+ echo "Skipping analysis. Caused by QG override"
+ elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.user.id }}" == "49699333" ]]; then
+ # disabling the QG in case of pull request opened by dependabot bot
+ # As dependabot will ne be able to access GH secrets
+ ENABLE_QG="false"
+ echo "Skipping analysis. Caused by dependabot PR"
+ fi
+ echo "enable_analysis=$ENABLE_QG" >> $GITHUB_OUTPUT
+ cat $GITHUB_OUTPUT
+
+ pipeline-scan:
+ needs: [build]
+ name: Run a pipeline scan
+ runs-on: ubuntu-24.04
+ if: needs.build.outputs.enable_analysis == 'true'
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Checkmarx One CLI Action
+ uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # v.2.3.19
+ with:
+ project_name: ${{ inputs.module_name }}
+ base_uri: ${{ secrets.base_uri }}
+ cx_tenant: ${{ secrets.cx_tenant }}
+ cx_client_id: ${{ secrets.cx_client_id }}
+ cx_client_secret: ${{ secrets.cx_client_secret }}
+ source_dir: "./"
+ additional_params: --file-filter "!**/.githooks/**" --scan-types "sast,sca,api-security"
diff --git a/.github/workflows/plugins-analysis.yml b/.github/workflows/plugins-analysis.yml
new file mode 100644
index 000000000..aa4e3d58f
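Review bot: The `module_directory` input declared under `workflow_call.inputs` is never read anywhere in this file; the Checkmarx step hard-codes `source_dir: "./"`, so a caller that passes a directory still gets a whole-repository scan. Presumably it is meant to set the scan root, e.g. `source_dir: ${{ inputs.module_directory || './' }}`, or it should be dropped until something consumes it. In the routing step, `${{ vars.CHECKMARX_QUALITY_GATE }}` and `${{ github.event.pull_request.user.id }}` are expanded directly into the `run:` script text; both values are repository- or GitHub-controlled here, but the usual pattern is to map them through `env:` and reference `"$QUALITY_GATE"` / `"$PR_USER_ID"` so the script does not rely on the expansion being shell-safe. Since no later step needs git credentials, `persist-credentials: false` on the checkout step keeps the token out of the working tree the scanner reads. The comment `# As dependabot will ne be able to access GH secrets` should read `not be able`.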
--- /dev/null
+++ b/.github/workflows/plugins-analysis.yml
@@ -0,0 +1,41 @@
+name: plugins-analysis
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+ cancel-in-progress: true
+
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: '30 0 * * 1-5'
+ pull_request:
+ branches:
+ - develop
+ - master
+ push:
+ branches:
+ - develop
+ - master
+
+jobs:
+ get-environment:
+ uses: ./.github/workflows/get-environment.yml
+
+ checkmarx-analysis:
+ needs: [get-environment]
+ if: |
+ needs.get-environment.outputs.skip_workflow == 'false' &&
+ github.event.pull_request.draft != 'true'
+ uses: ./.github/workflows/checkmarx-analysis.yml
+ with:
+ module_name: centreon-plugins
+ secrets:
+ base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
+ cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
+ cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
+ cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
+
+ set-skip-label:
+ needs: [get-environment, checkmarx-analysis]
+ if: needs.get-environment.outputs.skip_workflow == 'false'
+ uses: ./.github/workflows/set-pull-request-skip-label.yml
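Review bot: The draft guard `github.event.pull_request.draft != 'true'` in the `checkmarx-analysis` job compares a boolean payload field with a string; as I read GitHub's expression coercion rules, a boolean and a non-numeric string never compare equal, so the condition would stay true for draft PRs and the scan would run on them anyway. `github.event.pull_request.draft != true` expresses the intent, and it also stays true on `push`, `schedule` and `workflow_dispatch`, where the field is null. Note as well that `set-skip-label` lists `checkmarx-analysis` in `needs` without `always()`, so whenever the analysis job is skipped the label job is skipped too; if the label is meant to be applied in exactly that case, the condition needs an `always() &&` prefix or the dependency should be dropped.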