SAST Best Practices (#25)

Signed-off-by: NishkarshRaj <[email protected]>
stormsinbrewing · Oct 17, 2023 · 4d793ab · 4d793ab
1 parent c237967
commit 4d793ab
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 72 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/.github/workflows/super-devsecops.yml b/.github/workflows/super-devsecops.yml
@@ -8,9 +8,29 @@ permissions:
   contents: read
 
 jobs:
+  code_quality:
+    name: Eslint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+      - name: Checkout code
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: Run ESLint
+        run: |
+          yarn install
+          npx eslint .
+        continue-on-error: true
   build:
     name: Build
     runs-on: ubuntu-latest
+    needs: code_quality
     strategy:
       matrix:
         node-version: [16.x, 18.x, 20.x]
@@ -29,30 +49,10 @@ jobs:
       - name: Install Dependencies
         run: |
           yarn install
-  code_quality:
-    name: Eslint
-    runs-on: ubuntu-latest
-    needs: build
-    permissions:
-      contents: read
-      security-events: write
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
-        with:
-          egress-policy: audit
-      - name: Checkout code
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      - name: Run ESLint
-        run: |
-          yarn install
-          npx eslint .
-        continue-on-error: true
   test:
     name: Unit Tests
     runs-on: ubuntu-latest
-    needs: code_quality
+    needs: build
     strategy:
       matrix:
         node-version: [16.x, 18.x, 20.x]
@@ -73,7 +73,38 @@ jobs:
         run: |
           yarn install
           yarn test
-  analysis:
+  sast_codeql:
+    name: SAST with CodeQL
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    needs: test
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript-typescript"]
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+      - name: Checkout repository
+        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+        with:
+          category: "/language:${{matrix.language}}"
+  sast_sonar:
     name: SAST with SonarCloud
     permissions:
       pull-requests: read # allows SonarCloud to decorate PRs with analysis results
@@ -84,7 +115,6 @@ jobs:
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
       - name: Analyze with SonarCloud
         uses: SonarSource/sonarcloud-github-action@5ee47de3c96f0c1c51b09d2ff1fec0cfeefcf67c
         env:
@@ -100,13 +130,12 @@ jobs:
       # Don't make global permission: https://github.com/ossf/scorecard-action#workflow-restrictions
       security-events: write # Needed to upload the results to code-scanning dashboard.
       id-token: write # Needed to publish results and get a badge (see publish_results below).
-    needs: analysis
+    needs: test
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
       - name: "Checkout code"
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
@@ -133,7 +162,7 @@ jobs:
     permissions:
       contents: read # Restrict Source access
       packages: write # GHPR
-    runs-on: ubuntu-latest
+    runs-on: sast_codeql
     needs: security_scorecard
     env:
       REGISTRY: ghcr.io
@@ -143,7 +172,6 @@ jobs:
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
       - name: Checkout repository
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: Log in to the Container registry