From d3f6e7a2ee7fb071ada163edcf90fc3286424c31 Mon Sep 17 00:00:00 2001
From: Hippolyte Barraud
Date: Wed, 19 Jun 2024 20:18:29 -0400
Subject: [PATCH] add CI security workflow (#668)
Add supports for Datadog static analysis. It checks rules that validates the GitHub actions are safe and secure.
---
.github/workflows/datadog-static-analysis.yml | 21 +++++++++++++++++++
static-analysis.datadog.yml | 4 ++++
2 files changed, 25 insertions(+)
create mode 100644 .github/workflows/datadog-static-analysis.yml
create mode 100644 static-analysis.datadog.yml
diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml
new file mode 100644
index 000000000..17c65d8b1
--- /dev/null
+++ b/.github/workflows/datadog-static-analysis.yml
@@ -0,0 +1,21 @@
+on: [push]
+
+name: Datadog Static Analysis
+
+jobs:
+ static-analysis:
+ runs-on: ubuntu-latest
+ name: Datadog Static Analyzer
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Check code meets quality and security standards
+ id: datadog-static-analysis
+ uses: DataDog/datadog-static-analyzer-github-action@v1
+ with:
+ dd_api_key: ${{ secrets.DD_STATIC_ANALYSIS_API_KEY }}
+ dd_app_key: ${{ secrets.DD_STATIC_ANALYSIS_APP_KEY }}
+ dd_service: dd-trace-py
+ dd_env: ci
+ dd_site: datadoghq.com
+ cpu_count: 2
diff --git a/static-analysis.datadog.yml b/static-analysis.datadog.yml
new file mode 100644
index 000000000..a46fba391
--- /dev/null
+++ b/static-analysis.datadog.yml
@@ -0,0 +1,4 @@
+rulesets:
+ - sit-ci-best-practices:
+ only:
+ - ".github/workflows"
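Review bot: Both `uses:` lines reference mutable tags (`actions/checkout@v3` and `DataDog/datadog-static-analyzer-github-action@v1`), and the second step receives `DD_STATIC_ANALYSIS_API_KEY` and `DD_STATIC_ANALYSIS_APP_KEY`, so any change to what those tags point at runs with the secrets in scope. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: DataDog/datadog-static-analyzer-github-action@<full-commit-sha>  # v1`. The workflow also declares no `permissions:`, so the job token takes the repository default; a top-level `permissions:` with `contents: read` limits it to what the checkout needs. `dd_service: dd-trace-py` may have been carried over from another project; if this repository is not dd-trace-py, results will be filed under the wrong service.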
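Review bot: The `only:` list restricts `sit-ci-best-practices` to `.github/workflows`, so CI definitions kept elsewhere (for example composite actions under `.github/actions`, if the repository has any) are not analysed. No ruleset covers the source tree either, although the workflow step is named "Check code meets quality and security standards". A comment above `rulesets:` would record that the narrow scope is intentional, e.g. `# Scans GitHub Actions workflow files only; add rulesets here to cover other paths.`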