Merge PR #168 #352
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentation. | |
| # | |
| # Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ | |
| # | |
| # To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. | |
| # | |
| # Instructions: | |
| # 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository | |
| # and review the "Security" tab once the action has run. | |
| # This GitHub Actions workflow is named "Sobelow" and is triggered on push and pull request events to the "main" branch, | |
| # as well as on a scheduled cron job every Friday at 22:25 UTC. | |
| # | |
| # The workflow has read permissions for repository contents. | |
| # | |
| # The "security-scan" job within the workflow has the following permissions: | |
| # - Write access to contents for actions/checkout to fetch code. | |
| # - Write access to security events for github/codeql-action/upload-sarif to upload SARIF results. | |
| # - Read access to actions, required only for private repositories by github/codeql-action/upload-sarif to get the Action run status. | |
| # | |
| # The job runs on the latest Ubuntu runner and includes the following steps: | |
| # 1. Harden Runner: Uses the step-security/harden-runner action to enhance security by disabling sudo, blocking egress traffic, | |
| # and allowing specific endpoints. | |
| # 2. Checkout Code: Uses the actions/checkout action to fetch the repository code. | |
| # 3. Run Sobelow Action: Uses the sobelow/action to perform a security scan. | |
| name: Sobelow | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| branches: ["main"] | |
| schedule: | |
| - cron: "25 22 * * 5" | |
| permissions: | |
| contents: read | |
| jobs: | |
| security-scan: | |
| permissions: | |
| contents: write # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 | |
| with: | |
| disable-sudo: true | |
| egress-policy: block | |
| allowed-endpoints: > | |
| builds.hex.pm:443 | |
| github.com:443 | |
| repo.hex.pm:443 | |
| sobelow.io:443 | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - id: run-action | |
| uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 |