chore(deps): bump the benthos group across 1 directory with 2 updates #491
---
# Security workflow: TruffleHog secret scan, SCA (Kong shared sca action,
# configured via .syft.yaml), Semgrep SAST, and a linter for the GitHub
# workflows themselves.
#
# Every third-party action is pinned to a full commit SHA. The trailing
# version comment is what Dependabot/Renovate read when proposing bumps, so
# keep SHA and comment in sync when updating.
name: Security

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches: [main]
  push:
    branches: [main]

# Workflow-wide default token scope: read-only. Jobs that need more declare
# it below, so a compromised step is bounded by its own job's grant rather
# than a workflow-wide write token.
permissions:
  actions: read
  checks: read
  contents: read

jobs:
  secret-scanning:
    name: Secret Scanning
    runs-on: ubuntu-latest
    # Bot-authored runs are skipped here and in the sca/semgrep jobs.
    # NOTE(review): with this guard a Dependabot/Renovate dependency bump is
    # not scanned on the PR itself, only on the push to main after merge --
    # confirm that coverage gap is acceptable.
    if: github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]'
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Full history, presumably so the scanner can walk past commits
          # rather than only the checked-out tree.
          fetch-depth: 0
          # Keep GITHUB_TOKEN out of .git/config; nothing later in this job
          # reads it from there.
          persist-credentials: false
      - name: Running Secret Scan using Trufflehog
        uses: Kong/public-shared-actions/security-actions/secret-scan@f558223899ff2ad616f6c6944d3341ad85318055 # 1.1.1
        with:
          fail_on_findings: "true"

  sca:
    name: Repository Scan
    runs-on: ubuntu-latest
    # Broader than the workflow default. NOTE(review): contents: write and
    # pull-requests: write are a lot for a scan job -- verify which of these
    # the sca action actually uses (e.g. to publish results) and drop the
    # rest. On pull_request events from forks GitHub downgrades the token
    # to read-only regardless of what is declared here.
    permissions:
      checks: write
      contents: write
      issues: read
      pull-requests: write
    if: github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]'
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          # The job token is not persisted into the checkout; the sca action
          # receives it only through the normal GitHub Actions context.
          persist-credentials: false
      - name: Scan Repository
        id: sca_repo
        uses: Kong/public-shared-actions/security-actions/sca@f558223899ff2ad616f6c6944d3341ad85318055 # 6.0.0
        with:
          asset_prefix: openmeter-cloud
          dir: "."
          # Syft configuration checked into the repository root.
          config: .syft.yaml
          # Action inputs are strings; "true" asks the action to fail the
          # job on findings, which in turn fails the PR check.
          fail_build: "true"

  semgrep:
    name: SAST (semgrep)
    runs-on: ubuntu-latest
    permissions:
      # Required to upload SARIF results to code scanning.
      security-events: write
      # GitHub's Semgrep template lists these two as needed only for
      # private repositories; kept for parity with it.
      actions: read
      contents: read
    if: github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]'
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # The semgrep action relies on the checkout's credentials, so the
          # job token is written to .git/config. Caveat: every later step in
          # this job can read it from there; its reach is bounded by the job
          # permissions above (code-scanning write, otherwise read).
          persist-credentials: true
      - uses: Kong/public-shared-actions/security-actions/semgrep@f558223899ff2ad616f6c6944d3341ad85318055 # v5.0.1
        with:
          fail_on_findings: "true"
          # Rules suppressed for OpenMeter. Revisit and remove entries as
          # they stop applying:
          # - generic secret / JWT detectors: tracked in Kong/[OM-52]
          #   (the generic-api-key rule presumably belongs to the same
          #   ticket; a dedicated TruffleHog job runs above)
          # - python eval-detected: fires on generated Python API client
          #   code, judged safe
          # - go no-direct-write-to-responsewriter: false positive here, the
          #   data written to the response writer is JSON
          # - docker-compose / kubernetes / dockerfile hardening rules: infra
          #   hardening is out of scope for now, tracked in Kong/[OM-53]
          #
          # Passed verbatim as a block scalar (trailing newline kept).
          additional_config: |
            --exclude-rule=generic.secrets.security.detected-generic-secret.detected-generic-secret \
            --exclude-rule=generic.secrets.security.detected-jwt-token.detected-jwt-token \
            --exclude-rule=yaml.docker-compose.security.no-new-privileges.no-new-privileges \
            --exclude-rule=yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service \
            --exclude-rule=yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext \
            --exclude-rule=yaml.kubernetes.security.run-as-non-root.run-as-non-root \
            --exclude-rule=dockerfile.security.missing-user-entrypoint.missing-user-entrypoint \
            --exclude-rule=dockerfile.security.missing-user.missing-user \
            --exclude-rule=generic.secrets.security.detected-generic-api-key.detected-generic-api-key \
            --exclude-rule=python.lang.security.audit.eval-detected.eval-detected \
            --exclude-rule=go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter

  scan-gh-workflows:
    name: Scan GitHub Workflows
    runs-on: ubuntu-latest
    # Deliberately no actor guard: bot PRs that bump action versions are
    # still linted. No job-level permissions either, so the token handed
    # to the action below carries only the workflow-wide read scopes.
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Scan GitHub Workflows
        id: scan_gh_workflows
        uses: Kong/public-shared-actions/security-actions/scan-gh-workflows@f558223899ff2ad616f6c6944d3341ad85318055 # 5.0.2
        with:
          fail_on_findings: "true"
          github_token: ${{ secrets.GITHUB_TOKEN }}