diff --git a/IaC_scan_output.json b/IaC_scan_output.json
new file mode 100644
index 0000000..2d74546
--- /dev/null
+++ b/IaC_scan_output.json
@@ -0,0 +1,5444 @@ +{ + "check_type": "github_actions", + "results": { + "passed_checks": [ + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": [ + "ubuntu-latest" + ], + "strategy": { + "matrix": { + "php": [ + "8.1", + "8.2", + "8.3" + ], + "__startline__": 9, + "__endline__": 10 + }, + "__startline__": 8, + "__endline__": 10 + }, + "steps": [ + { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + }, + { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + }, + { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + }, + { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + }, + { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + }, + { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist 
--coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + }, + { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + ], + "__startline__": 5, + "__endline__": 48 + } + }, + "code_block": [ + [ + 5, + " runs-on: \n" + ], + [ + 6, + " - ubuntu-latest\n" + ], + [ + 7, + " strategy:\n" + ], + [ + 8, + " matrix:\n" + ], + [ + 9, + " php: ['8.1', '8.2', '8.3']\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & 
test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 5, + 49 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": [ + "ubuntu-latest" + ], + "strategy": { + "matrix": { + "php": [ + "8.1", + "8.2", + "8.3" + ], + "__startline__": 9, + "__endline__": 10 + }, + "__startline__": 8, + "__endline__": 10 + }, + "steps": [ + { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + }, + { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ 
matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + }, + { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + }, + { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + }, + { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + }, + { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + }, + { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + ], + "__startline__": 5, + "__endline__": 48 + }, + "__startline__": 4, + "__endline__": 48 + } + }, + "code_block": [ + [ + 4, + " build:\n" + ], + [ + 5, + " runs-on: \n" + ], + [ + 6, + " - ubuntu-latest\n" + ], + [ + 7, + " strategy:\n" + ], + [ + 8, + " matrix:\n" + ], + [ + 9, + " php: ['8.1', '8.2', '8.3']\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: 
Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 4, + 49 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + 
"vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "build": { + "runs-on": [ + "ubuntu-latest" + ], + "strategy": { + "matrix": { + "php": [ + "8.1", + "8.2", + "8.3" + ], + "__startline__": 9, + "__endline__": 10 + }, + "__startline__": 8, + "__endline__": 10 + }, + "steps": [ + { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + }, + { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + }, + { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + }, + { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + }, + { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ 
matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + }, + { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + }, + { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + ], + "__startline__": 5, + "__endline__": 48 + }, + "__startline__": 4, + "__endline__": 48 + } + }, + "code_block": [ + [ + 4, + " build:\n" + ], + [ + 5, + " runs-on: \n" + ], + [ + 6, + " - ubuntu-latest\n" + ], + [ + 7, + " strategy:\n" + ], + [ + 8, + " matrix:\n" + ], + [ + 9, + " php: ['8.1', '8.2', '8.3']\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, 
+ "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 4, + 49 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": [ + "ubuntu-latest" + ], + "strategy": { + "matrix": { + "php": [ + "8.1", + "8.2", + "8.3" + ], + "__startline__": 9, + "__endline__": 10 + }, + "__startline__": 8, + "__endline__": 10 + }, + "steps": [ + { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + }, + { + "name": "Checkout", + "uses": 
"actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + }, + { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + }, + { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + }, + { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + }, + { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + }, + { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + ], + "__startline__": 5, + "__endline__": 48 + } + }, + "code_block": [ + [ + 5, + " runs-on: \n" + ], + [ + 6, + " - ubuntu-latest\n" + ], + [ + 7, + " strategy:\n" + ], + [ + 8, + " matrix:\n" + ], + [ + 9, + " php: ['8.1', '8.2', '8.3']\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + 
], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 5, + 49 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + 
"bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": [ + "ubuntu-latest" + ], + "strategy": { + "matrix": { + "php": [ + "8.1", + "8.2", + "8.3" + ], + "__startline__": 9, + "__endline__": 10 + }, + "__startline__": 8, + "__endline__": 10 + }, + "steps": [ + { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + }, + { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + }, + { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + }, + { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + }, + { + "name": "Install dependencies", + "run": "composer install --no-interaction 
--prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + }, + { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + }, + { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + ], + "__startline__": 5, + "__endline__": 48 + } + }, + "code_block": [ + [ + 5, + " runs-on: \n" + ], + [ + 6, + " - ubuntu-latest\n" + ], + [ + 7, + " strategy:\n" + ], + [ + 8, + " matrix:\n" + ], + [ + 9, + " php: ['8.1', '8.2', '8.3']\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - 
name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 5, + 49 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": [ + "ubuntu-latest" + ], + "strategy": { + "matrix": { + "php": [ + "8.1", + "8.2", + "8.3" + ], + "__startline__": 9, + "__endline__": 10 + }, + "__startline__": 8, + "__endline__": 10 + }, + "steps": [ + { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + }, + { + "name": "Checkout", + "uses": 
"actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + }, + { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + }, + { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + }, + { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + }, + { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + }, + { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + }, + { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + ], + "__startline__": 5, + "__endline__": 48 + } + }, + "code_block": [ + [ + 5, + " runs-on: \n" + ], + [ + 6, + " - ubuntu-latest\n" + ], + [ + 7, + " strategy:\n" + ], + [ + 8, + " matrix:\n" + ], + [ + 9, + " php: ['8.1', '8.2', '8.3']\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + 
], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 5, + 49 + ], + "resource": "jobs(build)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + 
"bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + } + }, + "code_block": [ + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 11, + 18 + ], + "resource": "jobs(build).steps[1](Configure Git)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + 
"workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[2](Checkout)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + } + }, + "code_block": [ + [ + 20, + " - name: Setup 
PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 20, + 29 + ], + "resource": "jobs(build).steps[3](Setup PHP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + } + }, + "code_block": [ + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: 
actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 28, + 33 + ], + "resource": "jobs(build).steps[4](Get Composer cache directory)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + } + }, + "code_block": [ + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction 
--prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 32, + 40 + ], + "resource": "jobs(build).steps[5](Cache Composer dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + } + }, + "code_block": [ + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 39, + 43 + ], + "resource": "jobs(build).steps[6](Install dependencies)", + "evaluations": null, + 
"check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + } + }, + "code_block": [ + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 42, + 47 + ], + "resource": "jobs(build).steps[7](Analyze & test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + 
"guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + }, + "code_block": [ + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 46, + 49 + ], + "resource": "jobs(build).steps[8](Run codecov)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + } + }, + "code_block": [ + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 
'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 11, + 18 + ], + "resource": "jobs(build).steps[1](Configure Git)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[2](Checkout)", + "evaluations": null, + "check_class": 
"checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + } + }, + "code_block": [ + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 20, + 29 + ], + "resource": "jobs(build).steps[3](Setup PHP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": 
null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + } + }, + "code_block": [ + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 28, + 33 + ], + "resource": "jobs(build).steps[4](Get Composer cache directory)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": 
"Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + } + }, + "code_block": [ + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 32, + 40 + ], + "resource": "jobs(build).steps[5](Cache Composer dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + 
"check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + } + }, + "code_block": [ + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 39, + 43 + ], + "resource": "jobs(build).steps[6](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + } + }, + "code_block": [ + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit 
-v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 42, + 47 + ], + "resource": "jobs(build).steps[7](Analyze & test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + }, + "code_block": [ + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 46, + 49 + ], + "resource": "jobs(build).steps[8](Run codecov)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + 
"severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + } + }, + "code_block": [ + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + "\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 11, + 18 + ], + "resource": "jobs(build).steps[1](Configure Git)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + 
"workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[2](Checkout)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + } + }, + "code_block": [ + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: 
shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 20, + 29 + ], + "resource": "jobs(build).steps[3](Setup PHP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + } + }, + "code_block": [ + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", 
+ "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 28, + 33 + ], + "resource": "jobs(build).steps[4](Get Composer cache directory)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + } + }, + "code_block": [ + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ] + ], + "file_path": 
"/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 32, + 40 + ], + "resource": "jobs(build).steps[5](Cache Composer dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + } + }, + "code_block": [ + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 39, + 43 + ], + "resource": "jobs(build).steps[6](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + 
"caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + } + }, + "code_block": [ + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 42, + 47 + ], + "resource": "jobs(build).steps[7](Analyze & test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + 
"workflow_name": "build" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + }, + "code_block": [ + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 46, + 49 + ], + "resource": "jobs(build).steps[8](Run codecov)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Configure Git", + "if": "${{ matrix.os == 'windows-latest' }}", + "run": "git config --system core.autocrlf false\ngit config --ystem core.eol lf\n", + "__startline__": 11, + "__endline__": 17 + } + }, + "code_block": [ + [ + 11, + " - name: Configure Git\n" + ], + [ + 12, + " if: ${{ matrix.os == 'windows-latest' }}\n" + ], + [ + 13, + " run: |\n" + ], + [ + 14, + " git config --system core.autocrlf false\n" + ], + [ + 15, + " git config --ystem core.eol lf\n" + ], + [ + 16, + 
"\n" + ], + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 11, + 18 + ], + "resource": "jobs(build).steps[1](Configure Git)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Checkout", + "uses": "actions/checkout@v2", + "__startline__": 17, + "__endline__": 20 + } + }, + "code_block": [ + [ + 17, + " - name: Checkout\n" + ], + [ + 18, + " uses: actions/checkout@v2\n" + ], + [ + 19, + "\n" + ], + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 17, + 21 + ], + "resource": "jobs(build).steps[2](Checkout)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": 
null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Setup PHP", + "uses": "shivammathur/setup-php@v2", + "with": { + "php-version": "${{ matrix.php }}", + "extensions": "json", + "tools": "composer", + "coverage": "xdebug", + "__startline__": 23, + "__endline__": 28 + }, + "__startline__": 20, + "__endline__": 28 + } + }, + "code_block": [ + [ + 20, + " - name: Setup PHP\n" + ], + [ + 21, + " uses: shivammathur/setup-php@v2\n" + ], + [ + 22, + " with:\n" + ], + [ + 23, + " php-version: ${{ matrix.php }}\n" + ], + [ + 24, + " extensions: json\n" + ], + [ + 25, + " tools: composer\n" + ], + [ + 26, + " coverage: xdebug\n" + ], + [ + 27, + "\n" + ], + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 20, + 29 + ], + "resource": "jobs(build).steps[3](Setup PHP)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + 
"definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Get Composer cache directory", + "id": "composercache", + "run": "echo \"::set-output name=dir::$(composer config cache-files-dir)\"", + "__startline__": 28, + "__endline__": 32 + } + }, + "code_block": [ + [ + 28, + " - name: Get Composer cache directory\n" + ], + [ + 29, + " id: composercache\n" + ], + [ + 30, + " run: echo \"::set-output name=dir::$(composer config cache-files-dir)\"\n" + ], + [ + 31, + "\n" + ], + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 28, + 33 + ], + "resource": "jobs(build).steps[4](Get Composer cache directory)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Cache Composer dependencies", + "uses": "actions/cache@v2", + "with": { + "path": "${{ 
steps.composercache.outputs.dir }}", + "key": "${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}", + "restore-keys": "${{ runner.os }}-composer-", + "__startline__": 35, + "__endline__": 39 + }, + "__startline__": 32, + "__endline__": 39 + } + }, + "code_block": [ + [ + 32, + " - name: Cache Composer dependencies\n" + ], + [ + 33, + " uses: actions/cache@v2\n" + ], + [ + 34, + " with:\n" + ], + [ + 35, + " path: ${{ steps.composercache.outputs.dir }}\n" + ], + [ + 36, + " key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.json') }}\n" + ], + [ + 37, + " restore-keys: ${{ runner.os }}-composer-\n" + ], + [ + 38, + "\n" + ], + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 32, + 40 + ], + "resource": "jobs(build).steps[5](Cache Composer dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Install dependencies", + "run": "composer install --no-interaction --prefer-dist 
--no-progress --no-suggest ${{ matrix.composer-options }}", + "__startline__": 39, + "__endline__": 42 + } + }, + "code_block": [ + [ + 39, + " - name: Install dependencies\n" + ], + [ + 40, + " run: composer install --no-interaction --prefer-dist --no-progress --no-suggest ${{ matrix.composer-options }}\n" + ], + [ + 41, + "\n" + ], + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 39, + 43 + ], + "resource": "jobs(build).steps[6](Install dependencies)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Analyze & test", + "run": "vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n", + "__startline__": 42, + "__endline__": 46 + } + }, + "code_block": [ + [ + 42, + " - name: Analyze & test\n" + ], + [ + 43, + " run: |\n" + ], + [ + 44, + " vendor/bin/phpunit -v --configuration ./phpunit.xml.dist --coverage-clover=coverage.xml\n" + ], + [ + 45, + "\n" + ], + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": 
"/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 42, + 47 + ], + "resource": "jobs(build).steps[7](Analyze & test)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "name": "Run codecov", + "uses": "codecov/codecov-action@v1", + "__startline__": 46, + "__endline__": 48 + } + }, + "code_block": [ + [ + 46, + " - name: Run codecov\n" + ], + [ + 47, + " uses: codecov/codecov-action@v1\n" + ] + ], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 46, + 49 + ], + "resource": "jobs(build).steps[8](Run codecov)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": 
null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "build" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + ], + "__startline__": 9, + "__endline__": 18 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-latest\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 9, + 19 + ], + "resource": "jobs(recordMetrics)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + 
"connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_5", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sign execution in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "recordMetrics": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + ], + "__startline__": 9, + "__endline__": 18 + }, + "__startline__": 8, + "__endline__": 18 + } + }, + "code_block": [ + [ + 8, + " recordMetrics:\n" + ], + [ + 9, + " runs-on: ubuntu-latest\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 8, + 19 + ], + "resource": "jobs", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.CosignArtifacts", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + 
"resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_6", + "bc_check_id": null, + "check_name": "Found artifact build without evidence of cosign sbom attestation in pipeline", + "check_result": { + "result": "PASSED", + "results_configuration": { + "recordMetrics": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + ], + "__startline__": 9, + "__endline__": 18 + }, + "__startline__": 8, + "__endline__": 18 + } + }, + "code_block": [ + [ + 8, + " recordMetrics:\n" + ], + [ + 9, + " runs-on: ubuntu-latest\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 8, + 19 + ], + "resource": "jobs", + "evaluations": null, + 
"check_class": "checkov.github_actions.checks.job.CosignSBOM", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + ], + "__startline__": 9, + "__endline__": 18 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-latest\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 9, + 19 + ], + "resource": 
"jobs(recordMetrics)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + ], + "__startline__": 9, + "__endline__": 18 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-latest\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": 
"/.github/workflows/metrics.yml", + "file_line_range": [ + 9, + 19 + ], + "resource": "jobs(recordMetrics)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "runs-on": "ubuntu-latest", + "steps": [ + { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + ], + "__startline__": 9, + "__endline__": 18 + } + }, + "code_block": [ + [ + 9, + " runs-on: ubuntu-latest\n" + ], + [ + 10, + " steps:\n" + ], + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": 
"/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 9, + 19 + ], + "resource": "jobs(recordMetrics)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_7", + "bc_check_id": null, + "check_name": "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. 
", + "check_result": { + "result": "PASSED", + "results_configuration": { + "schedule": [ + { + "cron": "0 0 * * *", + "__startline__": 5, + "__endline__": 7 + } + ], + "__startline__": 4, + "__endline__": 7 + } + }, + "code_block": [ + [ + 4, + " schedule:\n" + ], + [ + 5, + " - cron: \"0 0 * * *\"\n" + ], + [ + 6, + "\n" + ], + [ + 7, + "jobs:\n" + ], + [ + 8, + " recordMetrics:\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 4, + 8 + ], + "resource": "on(Aggregit)", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.EmptyWorkflowDispatch", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_1", + "bc_check_id": null, + "check_name": "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + }, + "code_block": [ + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: 
${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 11, + 19 + ], + "resource": "jobs(recordMetrics).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.AllowUnsecureCommandsOnJob", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_4", + "bc_check_id": null, + "check_name": "Suspicious use of netcat with IP address", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + }, + "code_block": [ + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 
15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 11, + 19 + ], + "resource": "jobs(recordMetrics).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ReverseShellNetcat", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_2", + "bc_check_id": null, + "check_name": "Ensure run commands are not vulnerable to shell injection", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + }, + "code_block": [ + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ 
secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 11, + 19 + ], + "resource": "jobs(recordMetrics).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.ShellInjection", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + }, + { + "check_id": "CKV_GHA_3", + "bc_check_id": null, + "check_name": "Suspicious use of curl with secrets", + "check_result": { + "result": "PASSED", + "results_configuration": { + "uses": "michaeljolley/aggregit@v1", + "with": { + "githubToken": "${{ secrets.GITHUB_TOKEN }}", + "project_id": "${{ secrets.project_id }}", + "private_key": "${{ secrets.private_key }}", + "client_email": "${{ secrets.client_email }}", + "firebaseDbUrl": "${{ secrets.firebaseDbUrl }}", + "__startline__": 13, + "__endline__": 18 + }, + "__startline__": 11, + "__endline__": 18 + } + }, + "code_block": [ + [ + 11, + " - uses: michaeljolley/aggregit@v1\n" + ], + [ + 12, + " with:\n" + ], + [ + 13, + " githubToken: ${{ secrets.GITHUB_TOKEN }}\n" + ], + [ + 14, + " project_id: ${{ secrets.project_id }}\n" + ], + [ + 15, + " private_key: ${{ secrets.private_key }}\n" + ], + [ + 16, + " client_email: ${{ secrets.client_email }}\n" + ], + [ + 17, + " firebaseDbUrl: ${{ secrets.firebaseDbUrl }}\n" + ] + ], + "file_path": 
"/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 11, + 19 + ], + "resource": "jobs(recordMetrics).steps[1]", + "evaluations": null, + "check_class": "checkov.github_actions.checks.job.SuspectCurlInScript", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "recordMetrics" + ], + "workflow_name": "Aggregit" + } + ], + "failed_checks": [ + { + "check_id": "CKV2_GHA_1", + "bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/build.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/build.yml", + "repo_file_path": "/.github/workflows/build.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(build)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [] + ], + "job": [ + "" + ], + "workflow_name": "build" + }, + { + "check_id": "CKV2_GHA_1", + 
"bc_check_id": null, + "check_name": "Ensure top-level permissions are not set to write-all", + "check_result": { + "result": "FAILED", + "evaluated_keys": [ + "permissions" + ] + }, + "code_block": [], + "file_path": "/.github/workflows/metrics.yml", + "file_abs_path": "/tmp/ws-scm/OpenTok-PHP-SDK/.github/workflows/metrics.yml", + "repo_file_path": "/.github/workflows/metrics.yml", + "file_line_range": [ + 0, + 1 + ], + "resource": "on(Aggregit)", + "evaluations": null, + "check_class": "checkov.common.graph.checks_infra.base_check", + "fixed_definition": null, + "entity_tags": null, + "caller_file_path": null, + "caller_file_line_range": null, + "resource_address": null, + "severity": null, + "bc_category": null, + "benchmarks": null, + "description": null, + "short_description": null, + "vulnerability_details": null, + "connected_node": null, + "guideline": null, + "details": [], + "check_len": null, + "definition_context_file_path": null, + "triggers": [ + [ + "schedule" + ] + ], + "job": [ + "" + ], + "workflow_name": "Aggregit" + } + ], + "skipped_checks": [], + "parsing_errors": [] + }, + "summary": { + "passed": 49, + "failed": 2, + "skipped": 0, + "parsing_errors": 0, + "resource_count": 0, + "checkov_version": "3.2.174" + }, + "url": "Add an api key '--bc-api-key ' to see more detailed insights via https://bridgecrew.cloud" +}