mirror of
https://github.com/snipe/snipe-it.git
synced 2024-12-25 13:44:06 -08:00
sa tooling
This commit is contained in:
parent
84aa26dd50
commit
967ee714a1
48
.github/workflows/SA-codeql.yml
vendored
Normal file
48
.github/workflows/SA-codeql.yml
vendored
Normal file
|
@ -0,0 +1,48 @@
|
|||
# For most projects, this workflow file will not need changing; you simply need
|
||||
# to commit it to your repository.
|
||||
#
|
||||
# You may wish to alter this file to override the set of languages analyzed,
|
||||
# or to provide custom queries or build logic.
|
||||
#
|
||||
# ******** NOTE ********
|
||||
# We have attempted to detect the languages in your repository. Please check
|
||||
# the `language` matrix defined below to confirm you have the correct set of
|
||||
# supported CodeQL languages.
|
||||
#
|
||||
name: CodeQL Security Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ master ]
|
||||
pull_request:
|
||||
# The branches below must be a subset of the branches above
|
||||
branches: [ master ]
|
||||
# schedule:
|
||||
# - cron: '15 17 * * 1'
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
name: CodeQL Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: [ 'javascript' ]
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v2
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v1
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
- name: Autobuild
|
||||
uses: github/codeql-action/autobuild@v1
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v1
|
32
.github/workflows/SA-phpstan.yml
vendored
Normal file
32
.github/workflows/SA-phpstan.yml
vendored
Normal file
|
@ -0,0 +1,32 @@
|
|||
name: PHPStan Security Scan
|
||||
on:
|
||||
push:
|
||||
branches: [ master ]
|
||||
pull_request:
|
||||
branches: [ master ]
|
||||
jobs:
|
||||
phpstan-security-scan:
|
||||
name: PHPStan Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@v2
|
||||
- name: Setup PHP
|
||||
uses: shivammathur/setup-php@v2
|
||||
with:
|
||||
php-version: '8.0'
|
||||
coverage: none
|
||||
ini-values: "memory_limit=-1"
|
||||
extensions: mbstring, intl
|
||||
- name: Download deps
|
||||
run: composer update --no-interaction --no-progress
|
||||
- name: Download PHPStan
|
||||
run: composer require --dev phpstan/phpstan #:1.5.x-dev
|
||||
- name: Download Larastan v1 # (Laravel Framework 6.20.44)
|
||||
run: composer require nunomaduro/larastan:^1.0 --dev
|
||||
- name: Download mcrypt helper
|
||||
run: wget https://raw.githubusercontent.com/JetBrains/phpstorm-stubs/master/mcrypt/mcrypt.php -O _mcrypt_helper.php
|
||||
- name: Delete conflicting file
|
||||
run: rm -f database/migrations/2015_11_05_183749_image.php
|
||||
- name: Execute PHPStan
|
||||
run: vendor/bin/phpstan analyze app config routes --no-progress --error-format=github -l 5
|
57
.github/workflows/SA-psalm.yml
vendored
Normal file
57
.github/workflows/SA-psalm.yml
vendored
Normal file
|
@ -0,0 +1,57 @@
|
|||
name: Psalm Security Scan
|
||||
on:
|
||||
push:
|
||||
branches: [ master ]
|
||||
pull_request:
|
||||
branches: [ master ]
|
||||
jobs:
|
||||
psalm-security-scan-basic:
|
||||
name: Psalm Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@v2
|
||||
- name: Setup PHP
|
||||
uses: shivammathur/setup-php@v2
|
||||
with:
|
||||
php-version: '8.0'
|
||||
coverage: none
|
||||
ini-values: "memory_limit=-1"
|
||||
extensions: mbstring, intl
|
||||
- name: Download deps
|
||||
run: composer update --no-interaction --no-progress
|
||||
- name: Install laravel-ide-helper
|
||||
run: composer require --dev barryvdh/laravel-ide-helper
|
||||
- name: Download Psalm
|
||||
run: composer require --dev vimeo/psalm
|
||||
- name: PHPDoc generation for Laravel Facades
|
||||
run: php artisan ide-helper:generate
|
||||
- name: Download mcrypt helper
|
||||
run: wget https://raw.githubusercontent.com/JetBrains/phpstorm-stubs/master/mcrypt/mcrypt.php -O _mcrypt_helper.php
|
||||
- name: Execute Psalm
|
||||
run: ./vendor/bin/psalm --long-progress --output-format=github --no-cache
|
||||
|
||||
psalm-security-scan-taint-analysis:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out repository code
|
||||
uses: actions/checkout@v2
|
||||
- name: Setup PHP
|
||||
uses: shivammathur/setup-php@v2
|
||||
with:
|
||||
php-version: '8.0'
|
||||
coverage: none
|
||||
ini-values: "memory_limit=-1"
|
||||
extensions: mbstring, intl
|
||||
- name: Download deps
|
||||
run: composer update --no-interaction --no-progress
|
||||
- name: Install laravel-ide-helper
|
||||
run: composer require --dev barryvdh/laravel-ide-helper
|
||||
- name: Download Psalm
|
||||
run: composer require --dev vimeo/psalm
|
||||
- name: Download mcrypt helper
|
||||
run: wget https://raw.githubusercontent.com/JetBrains/phpstorm-stubs/master/mcrypt/mcrypt.php -O _mcrypt_helper.php
|
||||
- name: PHPDoc generation for Laravel Facades
|
||||
run: php artisan ide-helper:generate
|
||||
- name: Execute Psalm (Taint Analysis)
|
||||
run: ./vendor/bin/psalm --long-progress --output-format=github --taint-analysis
|
29
.github/workflows/SA-semgrep.yml
vendored
Normal file
29
.github/workflows/SA-semgrep.yml
vendored
Normal file
|
@ -0,0 +1,29 @@
|
|||
name: Semgrep Security Scan
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ master ]
|
||||
pull_request:
|
||||
branches: [ master ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
semgrep-security-scan:
|
||||
name: Semgrep Security Scan
|
||||
runs-on: ubuntu-latest
|
||||
# Skip any PR created by dependabot to avoid permission issues
|
||||
if: (github.actor != 'dependabot[bot]')
|
||||
steps:
|
||||
# Fetch project source
|
||||
- uses: actions/checkout@v2
|
||||
|
||||
- uses: returntocorp/semgrep-action@v1
|
||||
with:
|
||||
config: >- # more at semgrep.dev/explore
|
||||
p/security-audit
|
||||
p/secrets
|
||||
p/phpcs-security-audit
|
||||
env:
|
||||
SEMGREP_TIMEOUT: 9900
|
9
dotenv.php
Normal file
9
dotenv.php
Normal file
|
@ -0,0 +1,9 @@
|
|||
<?php
|
||||
use Dotenv\Dotenv;
|
||||
|
||||
require __DIR__ . '/vendor/autoload.php';
|
||||
|
||||
$dotenv = Dotenv::create(dirname(__DIR__), 'snipe-it/.env.testing');
|
||||
$dotenv->load(__DIR__.'/.env');
|
||||
|
||||
?>
|
15
phpstan.neon
Normal file
15
phpstan.neon
Normal file
|
@ -0,0 +1,15 @@
|
|||
includes:
|
||||
- ./vendor/nunomaduro/larastan/extension.neon
|
||||
parameters:
|
||||
reportUnmatchedIgnoredErrors: false
|
||||
bootstrapFiles:
|
||||
- dotenv.php
|
||||
- c3.php
|
||||
- _mcrypt_helper.php
|
||||
ignoreErrors:
|
||||
- '#PHPDoc tag .#'
|
||||
excludePaths:
|
||||
- tests/*
|
||||
- vendor/*
|
||||
- database/*
|
||||
|
23
psalm.xml
Normal file
23
psalm.xml
Normal file
|
@ -0,0 +1,23 @@
|
|||
<?xml version="1.0"?>
|
||||
<psalm
|
||||
errorLevel="7"
|
||||
resolveFromConfigFile="true"
|
||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xmlns="https://getpsalm.org/schema/config"
|
||||
xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
|
||||
>
|
||||
<projectFiles>
|
||||
<directory name="app" />
|
||||
<ignoreFiles>
|
||||
<directory name="vendor" />
|
||||
<directory name="tests" />
|
||||
</ignoreFiles>
|
||||
</projectFiles>
|
||||
<stubs>
|
||||
<file name="_ide_helper.php" />
|
||||
<file name="_mcrypt_helper.php" />
|
||||
</stubs>
|
||||
<issueHandlers>
|
||||
<UndefinedDocblockClass errorLevel="suppress" />
|
||||
</issueHandlers>
|
||||
</psalm>
|
Loading…
Reference in a new issue