Apply latest template patterns (#302)

* Apply latest template patterns * Remove unused branches for scanner Aha yes, and this was the copy from the template. Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com> --------- Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
bitwarden · Sep 4, 2024 · 296fcd5 · 296fcd5
1 parent 04cb525
commit 296fcd5
Show file tree

Hide file tree

Showing 5 changed files with 750 additions and 891 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -2,27 +2,10 @@
 
 <!-- Paste the link to the Jira or GitHub issue or otherwise describe / point to where this change is coming from. -->
 
-## 🚧 Type of change
-
-<!-- Choose those applicable and remove the others. -->
-
--   🐛 Bug fix
--   🚀 New feature development
--   🧹 Tech debt (refactoring, code cleanup, dependency upgrades, etc.)
--   🤖 Build/deploy pipeline (DevOps)
--   🎂 Other
-
 ## 📔 Objective
 
 <!-- Describe what the purpose of this PR is, for example what bug you're fixing or new feature you're adding. -->
 
-## 📋 Code changes
-
-<!-- Explain the changes you've made to each file or major component. This should help the reviewer understand your changes. -->
-<!-- Also refer to any related changes or PRs in other repositories. -->
-
--   **file.ext:** Description of what was changed and why.
-
 ## 📸 Screenshots
 
 <!-- Required for any UI changes; delete if not applicable. Use fixed width images for better display. -->
@@ -32,10 +15,11 @@
 -   Contributor guidelines followed
 -   All formatters and local linters executed and passed
 -   Written new unit and / or integration tests where applicable
+-   Protected functional changes with optionality (feature flags)
 -   Used internationalization (i18n) for all UI strings
 -   CI builds passed
 -   Communicated to DevOps any deployment requirements
--   Updated any necessary documentation or informed the documentation team
+-   Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team
 
 ## 🦮 Reviewer guidelines
 

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -0,0 +1,74 @@
+name: Scan
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+  pull_request_target:
+    types: [opened, synchronize]
+
+jobs:
+  check-run:
+    name: Check PR run
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd # 2.0.33
+        env:
+          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
+            --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        with:
+          fetch-depth: 0
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarcloud-github-action@e44258b109568baa0df60ed515909fc6c72cba92 # v2.3.0
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }}
+            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}