36 changes: 15 additions & 21 deletions .github/workflows/amplify.yml
@@ -1,28 +1,22 @@
# .github/workflows/amplify.yml
name: Amplify Security # do not modify this line
---
name: Amplify Security
on:
pull_request: {} # run for all PRs
workflow_dispatch: {} # allow manual runs through GitHub UI
pull_request: {}
workflow_dispatch: {}
push:
branches: ["master", "main"] # add additional iteration or release branch patterns here
branches: ["master", "main"]

permissions:
contents: read # declare default permissions for GITHUB_TOKEN
contents: read
id-token: write

jobs:
amplify-security-scan:
name: Amplify Security Scan
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
if: (github.actor != 'dependabot[bot]')
if: (!github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]')
steps:
- uses: actions/checkout@v3
- run: semgrep ci --config auto --json > amplify-sast.json || true
env:
SEMGREP_RULES: >-
p/security-audit
p/secrets
# do not modify this step
- uses: actions/upload-artifact@v3
with:
name: amplify-scan
path: amplify-sast.json
retention-days: 7
- name: Checkout
uses: actions/checkout@v4


Static Code Analysis Risk: Software and Data Integrity Failures - GitHub actions artipacked vulnerability

Detected local filesystem git credential storage on GitHub Actions, as well as potential avenues for unintentional persistence of credentials in artifacts. By default, using actions/checkout causes a credential to be persisted in the checked-out repo's .git/config, so that subsequent git operations can be authenticated. Subsequent steps may accidentally publicly persist .git/config, e.g. by including it in a publicly accessible artifact via actions/upload-artifact. However, even without this, persisting the credential in the .git/config is non-ideal unless actually needed. To fix, add persist-credentials: false inside a with section in this step.

Severity: Medium ⚠️
Status: Open 🔴

References:

  1. https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens/

Suggested reviewers 🧐: @confusedcrib

Take action by replying with an [arnica] command 💬

Actions

Use [arnica] or [a] to interact with the Arnica bot to acknowledge or dismiss code risks.

[arnica] ack <message>

Acknowledge the finding as a valid code risk.

Examples

[arnica] ack looking into it

[a] ack triaged by the security team

[arnica] dismiss <fp|accept|capacity> <message>

Dismiss the risk with a reason.

  • fp: False positive, i.e. the result is incorrect and indicates no actual risk.

  • accept: Tolerable risk, i.e. risk severity is lower than what has been reported or is accepted as it stands.

  • capacity: No capacity, i.e. leave me alone, please.

Examples

[arnica] dismiss fp test function

[arnica] dismiss accept ChatGPT assures us that we will be just fine

[a] dismiss capacity not enough caffeine to fix it

- name: Amplify Runner
uses: amplify-security/runner-action@main
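Review bot: the top-level `permissions:` block now grants `id-token: write` to every job in the workflow, while the job's only remaining step, `uses: amplify-security/runner-action@main`, is referenced by a mutable branch; whatever `main` resolves to at run time can request OIDC tokens on behalf of this repository. Suggest keeping `contents: read` as the workflow default and moving `id-token: write` under `amplify-security-scan` so the grant is scoped to the job that needs it, and pinning the action to a full commit SHA so the code receiving that capability is immutable. Separately, the new `if:` expression `!github.event.pull_request.head.repo.fork` is evaluated against an empty `github.event.pull_request` on `push` and `workflow_dispatch` runs, so the fork check is a no-op there rather than a gate; a short comment on that line would spare a later reader from assuming it restricts those events.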


⚠️ Codacy found a medium Security issue: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.

The issue identified by the Semgrep linter is that the GitHub action amplify-security/runner-action@main is being referenced using a branch name (main). This practice can lead to security vulnerabilities, as the contents of the branch may change over time, potentially introducing breaking changes or malicious code. To mitigate this risk, it's recommended to pin the action to a specific commit SHA, ensuring that the action will always execute the same code.

Here's a code suggestion to fix the issue by replacing @main with a specific commit SHA (you would need to replace COMMIT_SHA with the actual SHA of the commit you want to pin to):

Suggested change
uses: amplify-security/runner-action@main
uses: amplify-security/runner-action@COMMIT_SHA

This comment was generated by an experimental AI tool.
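The two bot comments above describe configuration checks: a checkout step that keeps the default credential persistence (fix: `persist-credentials: false`), and an action referenced by a branch name instead of a full commit SHA. The script below is an added example, not code from this PR, from Arnica or from Codacy. It runs both checks over a constructed workflow file embedded inline and reports each unpinned `uses:` reference and each `actions/checkout` step without `persist-credentials: false`. It assumes the usual GitHub Actions layout (every step is a `- ` list item opening with a common step key) and uses plain regexes rather than a YAML parser, so it is a review aid, not a replacement for a real workflow linter.

```python
import re

# Constructed sample workflow (not the PR's file). It mixes the two weak
# patterns the bots flagged with one step that has both fixes applied.
SAMPLE_WORKFLOW = """\
name: Amplify Security
on:
  pull_request: {}
permissions:
  contents: read
  id-token: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Pinned checkout
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
        with:
          persist-credentials: false
      - name: Amplify Runner
        uses: amplify-security/runner-action@main
"""

# Heuristics (assumption): a step is a "- " list item that opens with one of
# these keys; everything indented deeper than that dash belongs to the step.
STEP_START = re.compile(r"^\s*-\s+(name|uses|run|id|if|with|env|shell):")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
PERSIST_FALSE = re.compile(r"^\s*persist-credentials:\s*false\s*(#.*)?$")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def split_steps(text):
    """Group workflow lines into steps, returned as a list of line lists."""
    steps, current = [], None
    for line in text.splitlines():
        if STEP_START.match(line):
            current = [line]
            steps.append(current)
        elif current is not None and line.strip():
            indent = len(line) - len(line.lstrip(" "))
            step_indent = len(current[0]) - len(current[0].lstrip(" "))
            if indent > step_indent:
                current.append(line)   # still inside this step's mapping
            else:
                current = None         # dedented out of the steps list
    return steps


def audit_step(step):
    """Return (kind, action, ref) findings for a single step."""
    findings = []
    for line in step:
        m = USES.match(line)
        if not m:
            continue
        value = m.group(1)
        if value.startswith(("./", "docker://")):
            continue  # local and container actions carry no git ref to pin
        action, _, ref = value.partition("@")
        if not FULL_SHA.match(ref):
            # Tags and branches are mutable; only a full SHA is immutable.
            findings.append(("unpinned", action, ref))
        if action == "actions/checkout" and not any(PERSIST_FALSE.match(l) for l in step):
            # Default checkout writes the token into .git/config for later steps.
            findings.append(("persist-credentials", action, ref))
    return findings


def audit_workflow(text):
    """Run both checks over every step of a workflow file's text."""
    return [f for step in split_steps(text) for f in audit_step(step)]


if __name__ == "__main__":
    for kind, action, ref in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{kind}: {action}@{ref}")
```

Run against the sample, the audit reports the `v4` checkout twice (unpinned and credential-persisting) and the `@main` runner action once, while the pinned checkout with `persist-credentials: false` is silent; pointing `audit_workflow` at the text of a real `.github/workflows/*.yml` gives the same triage list a reviewer would build by hand.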
