add long commit delay and scanning

2025-05-10 08:29:25 -04:00 · 2025-05-10 08:29:25 -04:00 · f6c2996cd4
commit f6c2996cd4
parent e4cb868623
4 changed files with 83 additions and 3 deletions
--- a/.gitea/workflows/datadog-sca.yml
+++ b/.gitea/workflows/datadog-sca.yml
@ -0,0 +1,18 @@
+on: [push]
+
+name: Datadog Software Composition Analysis
+
+jobs:
+  software-composition-analysis:
+    runs-on: ubuntu-latest
+    name: Datadog SBOM Generation and Upload
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Check imported libraries are secure and compliant
+      id: datadog-software-composition-analysis
+      uses: DataDog/datadog-sca-github-action@main
+      with:
+        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_app_key: ${{ secrets.DD_APP_KEY }}
+        dd_site: datadoghq.com
--- a/.gitea/workflows/datadog-secrets-scanning.yml
+++ b/.gitea/workflows/datadog-secrets-scanning.yml
@ -0,0 +1,21 @@
+on: [push]
+
+name: Datadog Secrets Scanning
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+    name: Datadog Static Analyzer
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Check code for comitted secrets
+      id: datadog-static-analysis
+      uses: DataDog/datadog-static-analyzer-github-action@v1
+      with:
+        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_app_key: ${{ secrets.DD_APP_KEY }}
+        dd_site: datadoghq.com
+        secrets_enabled: true
+        static_analysis_enabled: false
+        cpu_count: 2
--- a/.gitea/workflows/datadog-static-analysis.yml
+++ b/.gitea/workflows/datadog-static-analysis.yml
@ -0,0 +1,41 @@
+on: [push]
+
+name: Datadog Static Analysis
+
+jobs:
+  static-analysis:
+    runs-on: ubuntu-latest
+    name: Datadog Static Analyzer
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+    - name: Check code meets quality and security standards
+      id: datadog-static-analysis
+      uses: DataDog/datadog-static-analyzer-github-action@v1
+      with:
+        dd_api_key: ${{ secrets.DD_API_KEY }}
+        dd_app_key: ${{ secrets.DD_APP_KEY }}
+        dd_site: datadoghq.com
+        cpu_count: 2
+    - name: Run Semgrep
+      run: |
+        python3 -m pip install --break-system-package semgrep
+        semgrep scan --sarif -o /tmp/semgrep.sarif 
+        cat /tmp/semgrep.sarif
+        # Download and install nvm:
+        curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.2/install.sh | bash
+        # in lieu of restarting the shell
+        \. "$HOME/.nvm/nvm.sh"
+        # Download and install Node.js:
+        nvm install 22
+        # Verify the Node.js version:
+        node -v # Should print "v22.14.0".
+        nvm current # Should print "v22.14.0".
+        # Verify npm version:
+        npm -v # Should print "10.9.2".
+        npm install -g @datadog/datadog-ci
+        datadog-ci sarif upload /tmp/semgrep.sarif
+      env:
+        DD_API_KEY: ${{ secrets.DD_API_KEY }}
+        DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
+        DD_SITE: datadoghq.com
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@ -5,7 +5,7 @@ on:
    schedule:
        # This expression means "run every 3 minutes". Useful for testing.
        # To revert to the original 8-hour schedule, change this to '0 */8 * * *'.
-        - cron: "*/3 * * * *"
+        - cron: "0 */8 * * *"

    # To trigger manually for testing, you can add workflow_dispatch:
    # workflow_dispatch:
@ -60,8 +60,8 @@ jobs:
                      DWSAuthor Eight <adwsuthor8@example.com>
                      DWSAuthor Nine <autdwshor9@example.com>
                      DWSAuthor Ten <autdwshor10@example.com>
-                  COMMIT_COUNT: 2 # Number of commits to create
-                  SLEEP_SECONDS: 15 # Delay between commits in seconds
+                  COMMIT_COUNT: 12 # Number of commits to create
+                  SLEEP_SECONDS: 120 # Delay between commits in seconds
                  TARGET_BRANCH: main # The branch to commit to

              run: |