Skip to content

nginxinc/compliance-rules

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

106 Commits
.github/workflows
.github/workflows
 
 
README.md
README.md
 
 

Repository files navigation

Compliance-rules

Compliance repo with main rules for SCA and SAST scan

This repository provides common GitHub workflows for Mend and CodeQL scans.

Configure Mand workflow in a GitHub repository

  • Create mend.yml workflow in your project repository
name: Mend

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:
    inputs:
      branch:
        type: string
        required: false
        default: main
  workflow_call:
    inputs:
      branch:
        type: string
        required: true

permissions:
  contents: read

jobs:
  mend:
    uses: nginxinc/compliance-rules/.github/workflows/mend.yml@<git_tag>
    secrets: inherit
    with:
      product_name: <caller_product_name>_${{ github.head_ref || github.ref_name }}
      project_name: <caller_project_name>
  • In the mend job reference the main mend workflow (in this repository)
uses: nginxinc/compliance-rules/.github/workflows/mend.yml@<git_tag>
  • Configure product_name and project_name variables. They represent caller github repository product and project name.
product_name: <caller_product_name>_${{ github.head_ref || github.ref_name }}
project_name: <caller_project_name>

Mend workflow

  1. GitHub triggers the mend workflow defined in a project repository (for example ProjectABC)
  2. Mend job references mend rules (main mend.yml) defined in the workflow in this repository.
  3. Mend scans the ProjectABC code and generates vulenerability report.
  4. Depends on the scan (vulnerability) rules defined in the main mand.yml the pipeline fails or passes the scan.
  5. The GitHub repository (ProjectA) must be configured to reject PRs (prevent from merging with the main branch) if the mend pipeline fails.

Configure CodeQL workflow in a GitHub repository

  • Create codeql.yml workflow in your project repository
name: "CodeQL"

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  workflow_dispatch:
    inputs:
      branch:
        type: string
        required: false
        default: main
  workflow_call:
    inputs:
      branch:
        type: string
        required: true

concurrency:
  group: ${{ github.ref_name }}-codeql
  cancel-in-progress: true

permissions:
  contents: read

jobs:
  codeql:
    uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@<git_tag>
    with:
      requested_languages: go
  • In the codeql job reference the main codeql workflow (in this repository)
uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@<git_tag>

CodeQL workflow

  1. GitHub triggers the CodeQL workflow defined in a project repository (for example ProjectABC)
  2. CodeQL job references codeql rules (main codeql.yml) defined in the workflow in this repository.
  3. CodeQL analyses the ProjectABC code.
  4. Depends on the results the pipeline fails or passes.
  5. The GitHub repository (ProjectA) must be configured to reject PRs (prevent from merging with the main branch) if the codeql detects issues and the pipeline fails.

About

Compliance repo with main rules for SCA and SAST scan

Resources

Readme

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

6 watching

Forks

0 forks
Report repository

Releases 1

Initial release Latest
May 15, 2025

Packages

No packages published

Contributors 2

  •  
  •