Description

I am trying to define an allow list of licenses but using * under conditions isn't giving the desired result.

Propose Solution

if I do the below the ignores are not actually ignoring anything as I am still

licensing:
  # The four main rules types to do everything you need to do for all things
  #  compliance

  # Warnings will always occur if the rule applies and continues executing to
  #  other rules.
  warnings:
    ids:
      - other
      - na

  # Ignores are run next so if an ignored rule is hit that matches the level,
  #  it will be skipped
  ignores:
    ids:
      - apache license 2.0
      - bsd 3-clause "new" or "revised" license
      - mit license

  # Conditions will only trigger and raise an error when an exact match is hit
  conditions:
    # note using 'names' here instead of `ids` has the same result
    ids:
      - "*"

Describe the bug Running this action on our workflow we get an error we can't understand.

To Reproduce Steps to reproduce the behavior:

1. Add action "build-and-test.yaml" to workflow
2. With the following code: " advancesecurityComplience: runs-on: ubuntu-latest name: Advanced Security Complience steps:
   • name: Advance Security Compliance Action uses: GeekMasher/[email protected] "
3. See error

Dependabot Results Error: {"data": {"repository": {"vulnerabilityAlerts": null}}, "errors": [{"type": "FORBIDDEN", "path": ["repository", "vulnerabilityAlerts"], "extensions": {"saml_failure": false}, "locations": [{"line": 3, "column": 9}], "message": "Resource not accessible by integration"}]} Error: Unknown Exception was hit, please repo this to https://github.com/GeekMasher/advanced-security-Compliance Error: Query failed to run

Expected behavior Dependabot to block the PR if finds a critical or high risk vulnerability.

As stated in issue #50, the custom policy clone using GitHub App API token is not possible as x-access-tokenusername need to be set in the https clone link.

I've added an optionnal argument --is-github-app-token to specify if the authentication token is a GitHub App API token, and set the x-access-token username needed to clone the policy.

I've also added the branch argument to Policy()call, as it was actually never used.

Describe the bug The Dependabot scan fails with the default policy. The repository does not have any open dependabot alerts, is that why?

To Reproduce Steps to reproduce the behavior:

1. Run the default action configuration

jobs:
  compliance:
    name: Compliance
    runs-on: ubuntu-latest
    steps:
    - name: Advanced Security Compliance Action
      uses: GeekMasher/[email protected]

Expected behavior Dependabot violations should be 0.

Screenshots If applicable, add screenshots to help explain your problem.

Additional context The compliance job is run as a reusable workflow from another repository.

Describe the bug Action parameter policy-branch is not working as intended. No matter what value is set, it seems to be always using the default branch.

To Reproduce Setup action with the following params:

security-compliance:
    runs-on: ubuntu-latest
    needs:
      - codeql
    steps:
      - name: Advance Security Compliance Action
        uses: GeekMasher/[email protected]
        with:
          token: ${{ secrets.GITHUB_PERSONAL_TOKEN }}
          policy: myTestRepo/github-actions
          policy-path: security/policies/default.yml
          policy-branch: security

Expected behavior Action should checkout the branch defined policy-branch

Screenshots

Desktop (please complete the following information): N/A

Smartphone (please complete the following information): N/A

Additional context none

Description

Limitation identified using Code Scanning and Secret Scanning checks, they are only supported on the default branch. We had hoped these checks could be performed on branch pushes and PRs to catch alerts before they are propagated to the default branch but that functionality does not seem to be supported.

Propose Solution

Working with this action we like what we see. We are very interested in this concept and the ability to push security checks farther left in the development process. Proposed solution is to modify this action to work on any branch, not just the default branch, so checks catch alerts on branch pushes and PRs before they are propagated to the default branch.

Describe the bug We have updated to the v1.6.3.
This newer version gives the following error "message": "Field 'dependencyGraphManifests' doesn't exist on type 'Repository'"

We used the following command line options to disable licensing ( --disable-dependency-licensing --disable-dependencies) and got the same error.

We grabbed the GraphQL GRAPHQL_DEPENDENCY_INFO from dependency.py and got the same error calling the GraphQL API directly.

We compared the GitHub Cloud API (https://docs.github.com/en/graphql/overview/schema-previews) with the GitHut Enterprise API (https://docs.github.com/en/[email protected]/graphql/overview/schema-previews).

GitHub Cloud API has a section called 'Access to a repositories dependency graph preview'. GitHub Enterprise API does NOT have this section.

Are we correct in assuming this functionality has not been released for GitHub Enterprise yet?

Is this functionality required for dependabot policy functionality? If it is, which GitHub Enterprise version will support 'Access to a repositories dependency graph preview'?

To Reproduce Steps to reproduce the behavior:

1. Run action with dependabot enabled on GitHub Enterprise @3.6.2

Expected behavior Dependabot policy functionality works as it already does on GitHub Cloud

Description

We need some introductional docs on how to setup and use this Action using a GitHub App.

Related:

• #50
  • #51

+cc @4bg0P

Propose Solution

• [ ] New Document
• [ ] Reasoning for using GitHub App versus a PAT
• [ ] Full example workflow
  • Using peter-murray/workflow-application-token-action?

Dependabot sometimes fails to get the license information as it is not well documented in a repository for example:

• https://github.com/pugjs/pug
• https://github.com/jrburke/amdefine

The idea would be to:

• each time we do a test and the licence is unknown:
  • log an issue/contribution in the source repository to allow Dependabot to recognize the license
  • add an entry in a this Action project that will be the list of project/url without license
  • use the information in the policy management with clear information about the fact that it is coming from local scann

Description

As a noob I find confusing the term "conditions" because I don't know if it is a condition to fail or to pass.

Propose Solution

Instead of "ignore" and "conditions", can we find something that clearly states what will happen like allow/disallow or similar? I understand this will cause a compatibility issue with existing license policies, but you could warn that there will be a breaking change during a time window to allow everyone to change it.

@romanoroth, @Padi-owasp

Describe the bug The change to support GitHub enterprise missed changing dependabot.py. It is still using direct GitHub cloud reference: instance = "https://api.github.com/graphql"

To Reproduce Steps to reproduce the behavior:

1. Code inspection dependabot.py Line 80 - instance = "https://api.github.com/graphql"

Expected behavior Dependabot should use the GitHub enterprise URL and not the GitHub Cloud URL

This change was missed with the merge (https://github.com/GeekMasher/advanced-security-compliance/pull/31) that added support for GitHub Enterprise.

This repository has been moved to a new policy-as-code repository.

Please migrate all workflows to using the new repository as this repository is no longer receiving updates.