Create dependabot.yml #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Compliance | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - master | |
| jobs: | |
| check-quality: | |
| runs-on: ubuntu-latest | |
| name: Datadog Static Analyzer | |
| env: | |
| DD_API_KEY: ${{ secrets.DD_API_KEY }} | |
| DD_APP_KEY: ${{ secrets.DD_APP_KEY }} | |
| DD_SERVICE: python-api-client | |
| DD_ENV: ci | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Check code meets quality standards | |
| id: datadog-static-analysis | |
| run: | | |
| sudo apt update | |
| sudo apt install nodejs | |
| # Download Datadog static analyzer v0.6.4: | |
| # https://github.com/DataDog/datadog-static-analyzer/releases | |
| DATADOG_STATIC_ANALYZER_URL=https://github.com/DataDog/datadog-static-analyzer/releases/download/0.6.4/datadog-static-analyzer-x86_64-unknown-linux-gnu.zip | |
| curl -L $DATADOG_STATIC_ANALYZER_URL > /tmp/ddog-static-analyzer.zip | |
| unzip /tmp/ddog-static-analyzer.zip -d /tmp | |
| sudo mv /tmp/datadog-static-analyzer /usr/local/datadog-static-analyzer | |
| # Run Static Analysis | |
| /usr/local/datadog-static-analyzer -i . -o report.sarif -f sarif | |
| # Upload results | |
| npx @datadog/datadog-ci sarif upload report.sarif | |
| software-composition-analysis: | |
| runs-on: ubuntu-latest | |
| name: Datadog SBOM Generation and Upload | |
| env: | |
| DD_API_KEY: ${{ secrets.DD_API_KEY }} | |
| DD_APP_KEY: ${{ secrets.DD_APP_KEY }} | |
| DD_SERVICE: go-corellium-api-client | |
| DD_ENV: ci | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Check imported libraries are secure and compliant | |
| id: datadog-software-composition-analysis | |
| run: | | |
| sudo apt update | |
| sudo apt install nodejs | |
| # Download the Datadog OSV Scanner v0.14.0: | |
| # https://github.com/DataDog/osv-scanner/releases | |
| DATADOG_OSV_SCANNER_URL=https://github.com/DataDog/osv-scanner/releases/download/v0.14.0/osv-scanner_linux_amd64.zip | |
| # Install OSV Scanner | |
| sudo mkdir /osv-scanner | |
| sudo curl -L -o /osv-scanner/osv-scanner.zip $DATADOG_OSV_SCANNER_URL | |
| sudo unzip /osv-scanner/osv-scanner.zip -d /osv-scanner | |
| sudo chmod 755 /osv-scanner/osv-scanner | |
| # Run OSV Scanner and scan your dependencies | |
| /osv-scanner/osv-scanner --skip-git -r --experimental-only-packages --format=cyclonedx-1-5 --paths-relative-to-scan-dir --output=sbom.json . | |
| # Upload results to Datadog | |
| npx @datadog/datadog-ci sbom upload sbom.json |