Merge pull request #58 from timoa/develop

Update GitHub Actions + new SAST scan

.github/workflows/codeql-analysis.yml

@@ -29,15 +29,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c # tag=v1.1.5
+      uses: github/codeql-action/init@28eead240834b314f7def40f6fcba65d100d99b1 # tag=v2.1.6
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@883476649888a9e8e219d5b2e6b789dc024f690c # tag=v1.1.5
+      uses: github/codeql-action/autobuild@28eead240834b314f7def40f6fcba65d100d99b1 # tag=v2.1.6
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -51,4 +51,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c # tag=v1.1.5
+      uses: github/codeql-action/analyze@28eead240834b314f7def40f6fcba65d100d99b1 # tag=v2.1.6

.github/workflows/nodejs.yml

@@ -63,7 +63,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-  # -- SEMGREP ----------------------------------------------------------------
+  # -- SAST SCAN --------------------------------------------------------------
   code-security:
     runs-on: ubuntu-latest
     needs: tests
@@ -74,13 +74,18 @@ jobs:
       - name: Checkout
         uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3
 
-      - name: Semgrep SAST Scan
-        uses: returntocorp/semgrep-action@v1
+      - name: Perform Scan
+        uses: ShiftLeftSecurity/scan-action@master
+
+        env:
+          WORKSPACE: https://github.com/${{ github.repository }}/blob/${{ github.sha }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SCAN_ANNOTATE_PR: true
+
+      - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
         with:
-          config: >-
-            p/security-audit
-            p/secrets
-          auditOn: push
+          name: reports
+          path: reports
 
   # -- RELEASE ----------------------------------------------------------------
   release:
@@ -113,15 +118,13 @@ jobs:
         id: meta
         uses: docker/metadata-action@v3
         with:
-          images: |
-            timoa/app-stores-prometheus-exporter
+          images: ${{ github.repository }}
           tags: |
             type=schedule
-            type=ref,event=branch
-            type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
+            type=semver,pattern={{major}},enable=${{ !startsWith(github.ref, 'refs/tags/v0.') }}
             type=sha
 
       - name: Set up QEMU

package.json

@@ -41,7 +41,7 @@
     "app-store-scraper": "0.17.0",
     "google-play-scraper": "8.1.0",
     "prom-client": "11.5.3",
-    "snyk": "1.870.0",
+    "snyk": "1.877.0",
     "uuid": "3.4.0",
     "winston": "3.6.0"
   },