Merge branch 'main' into phantsure/pages-validate

.github/workflows/auto-assign-issues.yml

@@ -9,7 +9,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: 'Auto-assign issue'
-              uses: pozil/[email protected].0
+              uses: pozil/[email protected].1
               with:
                   assignees: phantsure,tiwarishub,anuragc617,vsvipul,bishal-pdmsft
                   numOfAssignee: 1

.github/workflows/stale.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/stale@v5
+    - uses: actions/stale@v6
       with:
         stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
         stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'

.github/workflows/sync-ghes.yaml

@@ -2,8 +2,7 @@ name: Sync workflows for GHES
 
 on:
   push:
-    branches: [ $default-branch ]
-  workflow_dispatch:
+    branches: [ main ]
 
 jobs:
   sync:

ci/docker-publish.yml

@@ -41,9 +41,9 @@ jobs:
       # https://github.com/sigstore/cosign-installer
       - name: Install cosign
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@7e0881f8fe90b25e305bbf0309761e9314607e25
+        uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
         with:
-          cosign-release: 'v1.9.0'
+          cosign-release: 'v1.11.0'
 
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
@@ -78,6 +78,9 @@ jobs:
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker

ci/dotnet-desktop.yml

@@ -69,7 +69,7 @@ jobs:
 
     # Install the .NET Core workload
     - name: Install .NET Core
-      uses: actions/setup-dotnet@v2
+      uses: actions/setup-dotnet@v3
       with:
         dotnet-version: 6.0.x
 

ci/dotnet.yml

@@ -14,7 +14,7 @@ jobs:
     steps:
     - uses: actions/checkout@v3
     - name: Setup .NET
-      uses: actions/setup-dotnet@v2
+      uses: actions/setup-dotnet@v3
       with:
         dotnet-version: 6.0.x
     - name: Restore dependencies

code-scanning/anchore.yml

@@ -9,7 +9,7 @@
 # and parameters, see https://github.com/anchore/scan-action. For more
 # information on Anchore's container image scanning tool Grype, see
 # https://github.com/anchore/grype
-name: Anchore Container Scan
+name: Anchore Grype vulnerability scan
 
 on:
   push:
@@ -28,20 +28,21 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout the code
+    - name: Check out the code
       uses: actions/checkout@v3
     - name: Build the Docker image
       run: docker build . --file Dockerfile --tag localbuild/testimage:latest
-    - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
-      uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
+    - name: Run the Anchore Grype scan action
+      uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
+      id: scan
       with:
         image: "localbuild/testimage:latest"
-        acs-report-enable: true
-        fail-build: false
-    - name: Upload Anchore Scan Report
+        fail-build: true
+        severity-cutoff: critical
+    - name: Upload vulnerability report
       uses: github/codeql-action/upload-sarif@v2
       with:
-        sarif_file: results.sarif
+        sarif_file: ${{ steps.scan.outputs.sarif }}

code-scanning/frogbot-scan-and-fix.yml

@@ -37,7 +37,7 @@ jobs:
       #      node-version: "16.x"
 
 
-      - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab
+      - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
         env:
           # [Mandatory]
           # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)

code-scanning/frogbot-scan-pr.yml

@@ -42,7 +42,7 @@ jobs:
 
       # The full template list with the required GitHub Actions can be found at https://github.com/jfrog/frogbot/tree/master/templates/github-actions/scan-pull-request
 
-      - uses: jfrog/frogbot@34759934930c177bdefba6ca3a417589d4db6cab
+      - uses: jfrog/frogbot@9304d3b1d8e05a1b5fc0ba9ebf9ffbd495386250
         env:
           # [Mandatory]
           # JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)

code-scanning/nowsecure-mobile-sbom.yml

@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
+#
+# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
+# you can find it in NowSecure Platform.
+#
+# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
+# <https://bit.ly/ns-git-sbom>.
+#
+# Instructions:
+#
+# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
+#    paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
+#    NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
+#
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+#    and review the "Dependency graph" tab in the "Insights" pane once the action has run.
+
+name: "NowSecure Mobile SBOM"
+
+on:
+  push:
+    branches: [ $default-branch, $protected-branches ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ $default-branch ]
+  schedule:
+    - cron: $cron-weekly
+
+permissions:
+  contents: read
+
+jobs:
+  nowsecure:
+    name: NowSecure Mobile SBOM
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build your application
+        run: ./gradlew assembleDebug              # Update this to build your Android or iOS application
+
+      - name: NowSecure upload app
+        uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
+        with:
+          token: ${{ secrets.NS_TOKEN }}
+          app_file: app-debug.apk                 # Update this to a path to your .ipa or .apk
+          group_id: {{ groupId }}                 # Update this to your desired Platform group ID

code-scanning/properties/anchore-syft.properties.json

@@ -1,6 +1,6 @@
 {
     "name": "Anchore Syft SBOM Scan",
-    "organization": "Anchore",
+    "creator": "Anchore",
     "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.",
     "iconName": "anchore",
     "categories": ["Code Scanning", "dockerfile", "dependency-management"]

code-scanning/properties/anchore.properties.json

@@ -1,7 +1,7 @@
 {
-    "name": "Anchore Container Scan",
-    "creator": "Indeni Cloudrail",
-    "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.",
+    "name": "Anchore Grype Vulnerability Scan",
+    "creator": "Anchore",
+    "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.",
     "iconName": "anchore",
     "categories": ["Code Scanning", "dockerfile"]
-}
+}

code-scanning/properties/codeql.properties.json

@@ -1,6 +1,7 @@
 {
     "name": "CodeQL Analysis",
     "creator": "GitHub",
+    "enterprise": true,
     "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, and Ruby developers.",
     "iconName": "octicon mark-github",
     "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby"]

code-scanning/properties/eslint.properties.json

@@ -2,10 +2,11 @@
     "name": "ESLint",
     "description": "A tool for identifying and reporting the problems found in ECMAScript/JavaScript code.",
     "iconName": "eslint",
+    "enterprise": false,
     "categories": [
         "Code Scanning",
         "JavaScript",
         "EcmaScript",
         "TypeScript"
     ]
-}
+}

code-scanning/properties/nowsecure-mobile-sbom.properties.json

@@ -0,0 +1,21 @@
+{
+    "name": "NowSecure Mobile SBOM",
+    "creator": "NowSecure",
+    "description": "Generate a Mobile SBOM for an application and submit to Dependency Graph",
+    "iconName": "nowsecure",
+    "categories": [
+        "Code Scanning",
+        "Java",
+        "Kotlin",
+        "Scala",
+        "Swift",
+        "Objective C",
+        "C",
+        "C++",
+        "C#",
+        "Rust",
+        "JavaScript",
+        "TypeScript",
+        "Node"
+    ]
+}

code-scanning/properties/zscaler-iac-scan.properties.json

@@ -0,0 +1,7 @@
+{
+  "name": "Zscaler IaC Scan",
+  "creator": "Zscaler CWP",
+  "description": "Scan your Infrastructure as Code files using Zscaler Infrastructure as Code (IaC) Scan app",
+  "iconName": "zscaler",
+  "categories": ["Code Scanning"]
+}

code-scanning/properties/zscan.properties.json

@@ -0,0 +1,14 @@
+{
+    "name": "zScan",
+    "creator": "Zimperium",
+    "description": "The zimperium-zscan GitHub action scans your mobile app binary (iOS or Android) and identifies security, privacy, and compliance-related vulnerabilities. ​",
+    "iconName": "zscan",
+    "categories": [
+        "Code Scanning",
+        "Java",
+        "Kotlin",
+        "Scala",
+        "Swift",
+        "Objective C"
+    ]
+}

code-scanning/scorecards.yml

@@ -22,7 +22,7 @@ jobs:
       # Needs for private repositories.
       contents: read
       actions: read
-    
+
     steps:
       - name: "Checkout code"
         uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
@@ -41,8 +41,8 @@ jobs:
           # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 
           # Publish the results for public repositories to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results. 
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless 
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
           # of the value entered here.
           publish_results: true
 
@@ -54,7 +54,7 @@ jobs:
           name: SARIF file
           path: results.sarif
           retention-days: 5
-      
+
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
         uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26

code-scanning/soos-dast-scan.yml

@@ -3,13 +3,18 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 #
-# SOOS is the easy-to-integrate software security solution for your whole team, learn more at https://soos.io/
+# SOOS is the easy-to-integrate and affordable software security solution for your whole team.
+# Learn more at https://soos.io/
 #
-# To use this action you need to fill the following requirements:
+# To use this action, perform the following steps:
 #
-# 1.  Create an account on https://app.soos.io to obtain a Client ID and API Key (Free 30 days trials for both our SCA/DAST product).
+# 1.  Create an account on https://app.soos.io. SOOS offers a free 30 day trial for our SCA and DAST products.
 #
-# 2.  Set up your API KEY/Client ID as Github Secrets named SOOS_CLIENT_ID & SOOS_API_KEY. (Also set SOOS_GITHUB_PAT with your Github Personal Access Token if you're going to use sarif upload)
+# 2.  Navigate to the "Integrate" page in the SOOS app (https://app.soos.io/integrate). Note the "API Credentials" section of this page; the keys you will need for the next step are here.
+#
+# 3. Set up your SOOS API Key and SOOS Client Id as Github Secrets named SOOS_API_KEY and SOOS_CLIENT_ID. 
+#
+# 4. (Optional) If you'd like to upload SARIF results of DAST scans to GitHub, set SOOS_GITHUB_PAT with your Github Personal Access Token.
 #
 
 name: "SOOS DAST Scan"

code-scanning/zscaler-iac-scan.yml

@@ -0,0 +1,56 @@
+#This workflow uses actions that are not certified by GitHub.
+#They are provided by a third party and are governed by
+#separate terms of service, privacy policy, and support
+#documentation.
+
+#This workflow runs the Zscaler Infrastructure as Code (IaC) Scan app,
+#which detects security misconfigurations in IaC templates and publishes the findings
+#under the code scanning alerts section within the repository.
+
+#Log into the Zscaler Workload Posture (ZWP) Admin Portal to begin the onboarding process.
+#Copy the client ID and client secret key generated during the onboarding process and configure.
+#GitHub secrets (ZSCANNER_CLIENT_ID, ZSCANNER_CLIENT_SECRET).
+
+#Refer https://github.com/marketplace/actions/zscaler-iac-scan for additional details on setting up this workflow.
+#Any issues with this workflow, please raise it on https://github.com/ZscalerCWP/Zscaler-IaC-Action/issues for further investigation.
+
+name: Zscaler IaC Scan
+on:
+  push:
+    branches: [ $default-branch, $protected-branches ]
+  pull_request:
+    branches: [ $default-branch ]
+  schedule:
+    - cron: $cron-weekly
+
+permissions:
+  contents: read
+
+jobs:
+  zscaler-iac-scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - name : Code Checkout
+        uses: actions/checkout@v3
+      - name : Zscaler IAC Scan
+        uses : ZscalerCWP/Zscaler-IaC-Action@8f0d8b60bd5a8f44062d444463f66f419ab71cfc
+        id : zscaler-iac-scan
+        with:
+          client_id : ${{ secrets.ZSCANNER_CLIENT_ID }}
+          client_secret : ${{ secrets.ZSCANNER_CLIENT_SECRET }}
+          #This is the user region specified during the onboarding process within the ZWP Admin Portal.
+          region : 'US'
+          iac_dir : #Enter the IaC directory path from root.
+          iac_file : #Enter the IaC file path from root.
+          output_format : #(Optional) By default, the output is provided in a human readable format. However, if you require a different format, you can specify it here.
+          #To fail the build based on policy violations identified in the IaC templates, set the input value (fail_build) to true.
+          fail_build : #Enter true/false
+      #Ensure that the following step is included in order to post the scan results under the code scanning alerts section within the repository.
+      - name: Upload SARIF file
+        if: ${{ success() || failure() && (steps.zscaler-iac-scan.outputs.sarif_file_path != '') }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.zscaler-iac-scan.sarif_file_path }}