diff --git a/.github/workflows/security-gate.yml b/.github/workflows/security-gate.yml
index 4c66c11..9c13651 100644
--- a/.github/workflows/security-gate.yml
+++ b/.github/workflows/security-gate.yml
@@ -1,13 +1,21 @@
-name: Security Gate
+name: Security Gate - LESIS
 
 on:
+  push:
+    branches:
+      - main
+      - develop
   pull_request:
     branches:
       - main
       - develop
 
+permissions:
+  security-events: read
+  contents: read
+
 jobs:
-  gate:
+  build:
     runs-on: ubuntu-latest
     env:
       MAX_CRITICAL: 0
@@ -22,12 +30,15 @@ jobs:
       - name: Pull Docker image from GitHub Container Registry
         run: docker pull ghcr.io/instriq/security-gate/security-gate:latest
 
-      - name: Verify security alerts from dependabot
+      - name: Verify security alerts from GHAS
         run: |
           docker run ghcr.io/instriq/security-gate/security-gate:latest \
-            -t $GITHUB_TOKEN \
-            -r ${{ github.repository }} \
-            --critical $MAX_CRITICAL \
-            --high $MAX_HIGH \
-            --medium $MAX_MEDIUM \
-            --low $MAX_LOW
\ No newline at end of file
+            -t "$GITHUB_TOKEN" \
+            -r "${{ github.repository }}" \
+            -c "$MAX_CRITICAL" \
+            -h "$MAX_HIGH" \
+            -m "$MAX_MEDIUM" \
+            -l "$MAX_LOW" \
+            --dependency-alerts \
+            --secret-alerts \
+            --code-alerts
diff --git a/lib/Zarn/Engine/Source_to_Sink.pm b/lib/Zarn/Engine/Source_to_Sink.pm
index c4d07c9..dc9c714 100644
--- a/lib/Zarn/Engine/Source_to_Sink.pm
+++ b/lib/Zarn/Engine/Source_to_Sink.pm
@@ -20,7 +20,7 @@ package Zarn::Engine::Source_to_Sink {
         );
 
         if ($ast && $rules) {
-            foreach my $token (@{$ast -> find('PPI::Token')}) {
+            foreach my $token (@{$ast -> find('PPI::Token') || []}) {
                 foreach my $rule (@{$rules}) {
                     my @sample = $rule -> {sample} -> @*;
                     my $category = $rule -> {category};
@@ -63,4 +63,4 @@ package Zarn::Engine::Source_to_Sink {
     }
 }
 
-1;
\ No newline at end of file
+1;
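Review bot: Renaming the job from `gate` to `build` changes the status-check name, so any branch protection rule or ruleset that requires the `gate` check would silently stop enforcing this workflow until it is updated; whether such a rule exists is not visible in the diff, but a gate that can be bypassed by a rename is worth confirming before merge. A name such as `security-gate` would also describe the job better than `build`, which suggests a compile step. The new `permissions` block narrowing the token to `security-events: read` and `contents: read` is the right least-privilege direction; whether that is sufficient for the Dependabot and secret-scanning queries the run step now enables cannot be told from here and should be checked in a run, and I'd record the intent above the block with `# least privilege: the gate only reads alerts and never writes to the repository`.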
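Review bot: The gate is still pulled and run as `ghcr.io/instriq/security-gate/security-gate:latest` in both the pull step and the `docker run` line, so the code that decides whether a change passes can change underneath this workflow without review; pinning by digest, e.g. `security-gate@sha256:<digest-placeholder>` in both lines, or a version tag bumped through a reviewed PR, keeps the gate itself under the repository's control. The token is also handed over on the command line with `-t "$GITHUB_TOKEN"`, which leaves it visible in the container's argv (process listings on the runner, `docker inspect`); passing it through the environment, e.g. `docker run -e GITHUB_TOKEN ...`, would keep it off the command line if the tool can read it from there. The added quoting around the interpolated variables is a good change and should stay.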
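Review bot: `$ast -> find('PPI::Token') || []` now treats "no tokens" (PPI's `find` returns false) and the error case (`find` returns undef for a bad condition) the same way, so an input that fails inside `find` is scanned as a clean file with no findings rather than reported; for a security gate that is a fail-open default. The enclosing sub starts and ends outside this hunk, so I cannot see whether the caller distinguishes the two cases. I'd at least document the intent on that line, `# find() returns false for no match and undef on error; default to an empty list so the deref does not die`, and consider checking `defined` separately if errors should be surfaced to the caller.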