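# GitHub Actions workflow: run the DevSkim static analyser over the repository
# and publish its SARIF findings to the GitHub Security tab.
name: DevSkim

# "on" is a YAML 1.1 boolean-looking key; GitHub's loader reads it correctly,
# but generic linters may flag it (yamllint "truthy").
on:
  push:
    branches: ["main", "DSSRF_Branch_Rule"]
  pull_request:
    branches: ["main"]
  schedule:
    # FIX: Running every minute is a security/resource risk; changed to daily.
    - cron: '0 0 * * *'

# SCORECARD & SOLARWINDS FIX:
# This defines top-level permissions as read-only for the entire workflow.
# Each job then requests only the write scope it actually needs.
permissions: read-all

jobs:
  lint:
    name: DevSkim
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      # Needed only by the upload-sarif step below.
      security-events: write
    steps:
      - name: Checkout code
        # Pinned to specific SHA for immutable security.
        # TODO: annotate the SHA with its release tag (e.g. "# v<tag>") so
        # dependency-update tooling can track it.
        uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98
        with:
          # Nothing later in this job pushes or fetches, so the token does not
          # need to stay in .git/config where later steps could read it.
          persist-credentials: false

      - name: Run DevSkim scanner
        uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6
        with:
          # FIX: DevSkim needs to know where to save the results so the next step can find them.
          directory-to-scan: .
          output-filename: devskim-results.sarif

      - name: Upload DevSkim scan results to GitHub Security tab
        # always() runs the upload even if the scanner step failed, so partial
        # results are not lost.
        if: always()
        uses: github/codeql-action/upload-sarif@ad5a6c0147a3a8754a04fd6f7ac7c176951ec56e
        with:
          sarif_file: devskim-results.sarif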