From 77c7b1e3c77be2279e729d0672a770ec4412752e Mon Sep 17 00:00:00 2001 From: Bobyxoesar <130211469+kyawthet13982@users.noreply.github.com> Date: Sun, 9 Apr 2023 11:51:16 +0630 Subject: [PATCH 1/7] Create KT --- KT | 1 + 1 file changed, 1 insertion(+) create mode 100644 KT diff --git a/KT b/KT new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/KT @@ -0,0 +1 @@ + From a31ef1e53fa1d45628e2edd5c7c228638a3fd1d5 Mon Sep 17 00:00:00 2001 From: Bobyxoesar <130211469+kyawthet13982@users.noreply.github.com> Date: Sun, 9 Apr 2023 12:12:12 +0630 Subject: [PATCH 2/7] Create .github/workflows/python-app.yml --- .github/workflows/python-app.yml | 39 ++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/python-app.yml diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml new file mode 100644 index 0000000..f3d4fca --- /dev/null +++ b/.github/workflows/python-app.yml @@ -0,0 +1,39 @@ +# This workflow will install Python dependencies, run tests and lint with a single version of Python +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python + +name: Python application + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +permissions: + contents: read + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Set up Python 3.10 + uses: actions/setup-python@v3 + with: + python-version: "3.10" + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install flake8 pytest + if [ -f requirements.txt ]; then pip install -r requirements.txt; fi + - name: Lint with flake8 + run: | + # stop the build if there are Python syntax errors or undefined names + flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics + # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + - name: Test with pytest + run: | + pytest From a50a854bf12c0628e8d0c5f492979d9754ad3d4a Mon Sep 17 00:00:00 2001 From: Bobyxoesar <130211469+kyawthet13982@users.noreply.github.com> Date: Sun, 9 Apr 2023 12:21:44 +0630 Subject: [PATCH 3/7] Create .github/workflows/manual.yml --- .github/workflows/manual.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/manual.yml diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml new file mode 100644 index 0000000..47f24e1 --- /dev/null +++ b/.github/workflows/manual.yml @@ -0,0 +1,30 @@ +# This is a basic workflow that is manually triggered + +name: Manual workflow + +# Controls when the action will run. Workflow runs when manually triggered using the UI +# or API. +on: + workflow_dispatch: + # Inputs the workflow accepts. + inputs: + name: + # Friendly description to be shown in the UI instead of 'name' + description: 'Person to greet' + # Default value if no value is explicitly provided + default: 'World' + # Input has to be provided for the workflow to run + required: true + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "greet" + greet: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Runs a single command using the runners shell + - name: Send greeting + run: echo "Hello ${{ github.event.inputs.name }}" From f873348dec5523533fdea1f270a234bd9ed2fce7 Mon Sep 17 00:00:00 2001 From: Bobyxoesar <130211469+kyawthet13982@users.noreply.github.com> Date: Sun, 9 Apr 2023 12:26:01 +0630 Subject: [PATCH 4/7] Create .github/workflows/static.yml --- .github/workflows/static.yml | 43 ++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/static.yml diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml new file mode 100644 index 0000000..2bd90b5 --- /dev/null +++ b/.github/workflows/static.yml @@ -0,0 +1,43 @@ +# Simple workflow for deploying static content to GitHub Pages +name: Deploy static content to Pages + +on: + # Runs on pushes targeting the default branch + push: + branches: ["main"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Single deploy job since we're just deploying + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Setup Pages + uses: actions/configure-pages@v3 + - name: Upload artifact + uses: actions/upload-pages-artifact@v1 + with: + # Upload entire repository + path: '.' + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v2 From e38525e7f8779fc4dc65362f9fe7f5e8e968e46b Mon Sep 17 00:00:00 2001 From: Bobyxoesar <130211469+kyawthet13982@users.noreply.github.com> Date: Sun, 9 Apr 2023 12:30:09 +0630 Subject: [PATCH 5/7] Create .github/workflows/fortify.yml --- .github/workflows/fortify.yml | 98 +++++++++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) create mode 100644 .github/workflows/fortify.yml diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml new file mode 100644 index 0000000..fb07ec0 --- /dev/null +++ b/.github/workflows/fortify.yml @@ -0,0 +1,98 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ "main" ] + schedule: + - cron: '45 3 * * 0' + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v3 + + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. + - name: Setup Java + uses: actions/setup-java@v3 + with: + java-version: 8 + distribution: 'temurin' + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + with: + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./gh-fortify-sast.sarif From 7fda4d05ad2523e457b4a21b05ea91ac51bff579 Mon Sep 17 00:00:00 2001 From: Bobyxoesar <130211469+kyawthet13982@users.noreply.github.com> Date: Sun, 9 Apr 2023 12:33:14 +0630 Subject: [PATCH 6/7] Create .github/workflows/azure-webapps-python.yml --- .github/workflows/azure-webapps-python.yml | 86 ++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 .github/workflows/azure-webapps-python.yml diff --git a/.github/workflows/azure-webapps-python.yml b/.github/workflows/azure-webapps-python.yml new file mode 100644 index 0000000..e326910 --- /dev/null +++ b/.github/workflows/azure-webapps-python.yml @@ -0,0 +1,86 @@ +# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy Python app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '3.8' # set this to the Python version to use + +on: + push: + branches: [ "main" ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Set up Python version + uses: actions/setup-python@v3.0.0 + with: + python-version: ${{ env.PYTHON_VERSION }} + cache: 'pip' + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) + + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v3 + with: + name: python-app + path: | + . + !venv/ + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} From f3bc52b1e3e4e171c4b9a2010a2ffd6a6f0a660b Mon Sep 17 00:00:00 2001 From: Bobyxoesar <130211469+kyawthet13982@users.noreply.github.com> Date: Sun, 9 Apr 2023 12:35:55 +0630 Subject: [PATCH 7/7] Create .github/workflows/python-package-conda.yml --- .github/workflows/python-package-conda.yml | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/python-package-conda.yml diff --git a/.github/workflows/python-package-conda.yml b/.github/workflows/python-package-conda.yml new file mode 100644 index 0000000..384f9b7 --- /dev/null +++ b/.github/workflows/python-package-conda.yml @@ -0,0 +1,34 @@ +name: Python Package using Conda + +on: [push] + +jobs: + build-linux: + runs-on: ubuntu-latest + strategy: + max-parallel: 5 + + steps: + - uses: actions/checkout@v3 + - name: Set up Python 3.10 + uses: actions/setup-python@v3 + with: + python-version: '3.10' + - name: Add conda to system path + run: | + # $CONDA is an environment variable pointing to the root of the miniconda directory + echo $CONDA/bin >> $GITHUB_PATH + - name: Install dependencies + run: | + conda env update --file environment.yml --name base + - name: Lint with flake8 + run: | + conda install flake8 + # stop the build if there are Python syntax errors or undefined names + flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics + # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + - name: Test with pytest + run: | + conda install pytest + pytest