sentenz / devops Goto Github PK

grype is a vulnerability scanner for container images and filesystems.

Copy/paste is a common technical debt on a lot of projects. The jscpd gives the ability to find duplicated blocks implemented on more than 150 programming languages and digital formats of documents. The jscpd tool implements Rabin-Karp algorithm for searching duplications.

The execution of the installation command npm install -g markdownlint-cli fails because the required node version is not supported by the development environment.

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '>=14' },
npm WARN EBADENGINE   current: { node: 'v12.22.9', npm: '8.5.1' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '>=14.18.0' },
npm WARN EBADENGINE   current: { node: 'v12.22.9', npm: '8.5.1' }
npm WARN EBADENGINE }

Semgrep is a fast, open-source, static analysis engine for finding bugs, detecting vulnerabilities in third-party dependencies, and enforcing code standards.

dotenv-linterdotenv-linter can check / fix / compare .env files for problems that may cause the application to malfunction.

Fix Ubuntu version by updating from hirsute to jammy.

Modify codname version of ubuntu focal to hirsute in the containers.

Secretlint is that Pluggable linting tool to prevent committing credential.

NOTE Test if the hack can be detected.

On protected branch with PR requirement prevents release with semantic-release.

See issue 175

The feature option in devcontainer.json does not work with make.

Revert git hooks pre-push from commit 7f6418f.

In the continuous integration setup script, the apt packages must be run first.

Since the last pr`s the nodejs version changed from 12 to 10.

editorconfig-checker is a tool to verify that your files are in harmony with your .editorconfig.

• hooks pre-commit

• git hook pre-rebase.sample

# The "pre-rebase" hook is run just before "git rebase" starts doing its job, and can prevent the command from running by exiting with non-zero status. 
 # 
 # Arguments: 
 # 
 # $1 - the upstream the series was forked from
 # $2 - the branch being rebased (or empty when rebasing the current branch)
 # 
 # This sample shows how to prevent topic branches that are already 
 # merged to 'next' branch from getting rebased, because allowing it 
 # would result in rebasing already published history.

Modify relative path of the service, e.g.:

From:

setup-devops: ## Setup dependencies and tools for the devops service 
         cd scripts && chmod +x setup.sh && ./setup.sh 
 .PHONY: setup-devops

To:

setup-devops: ## Setup dependencies and tools for the devops service 
         cd tools/devops/scripts && chmod +x setup.sh && ./setup.sh 
 .PHONY: setup-devops

Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos.

Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for security issues, and targets where it can find those issues.

Targets (what Trivy can scan):

• Container Image
• Filesystem
• Git Repository (remote)
• Virtual Machine Image
• Kubernetes
• AWS

Scanners (what Trivy can find there):

• OS packages and software dependencies in use (SBOM)
• Known vulnerabilities (CVEs)
• IaC issues and misconfigurations
• Sensitive information and secrets
• Software licenses

NOTE Test if the hack can be detected.

• Dev Container metadata reference

The dependency checker finds an npm install of the mounted windows at /mnt/../.

Add missing npm dependency in setup scripts.

In semantic-release v20 node v18 is now the minimum required version!

v20.0.0

BREAKING CHANGES

• esm: semantic-release is now ESM-only. since it is used through its own executable, the impact on consuming projects should be minimal
• esm: references to plugin files in configs need to include the file extension because of executing in an ESM context
• node-versions: node v18 is now the minimum required version of node. this is in line with our node support policy. please see our recommendations for releasing with a different node version than your project normally uses, if necessary.

syft is a CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

Google sanitizers to detect address sanitizer, memory sanitizer, thread sanitizer, or leak sanitizer.

If the target file does not exist the merg_file function does not create the file and merge the content.

• Microsoft continuous monitoring pipeline file.

OSV-Scanner is a vulnerability scanner which uses the data provided by osv