From b6bc4731227368a3bec5aae41ec6e0630db9e75d Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sat, 16 Dec 2023 01:33:14 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/workflows/dependency-review.yml    | 27 ++++++++
 .github/workflows/flux-diff.yaml           |  8 +++
 .github/workflows/helm-release-differ.yaml | 16 ++++-
 .github/workflows/mega-linter.yaml         |  7 +-
 .github/workflows/pr-labeler.yaml          |  5 ++
 .github/workflows/schedule-renovate.yaml   |  9 ++-
 .github/workflows/scorecards.yml           | 76 ++++++++++++++++++++++
 .pre-commit-config.yaml                    |  4 ++
 8 files changed, 146 insertions(+), 6 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/scorecards.yml

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..fd27e55b6
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
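Review bot: The Checkout step in this new workflow is pinned to `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, while every existing workflow touched by this patch already uses `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, and the new scorecards.yml carries the same v3.6.0 pin. The v3 line still targets the deprecated Node 16 action runtime, so both new files should reuse the v4.1.1 pin the repo already trusts, `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. Separately, `egress-policy: audit` on the Harden Runner step only logs outbound connections and blocks nothing; that is a sensible first rollout, but a follow-up should move to `egress-policy: block` with an `allowed-endpoints` list once the audit output has been reviewed, and this applies to every Harden Runner step added across this patch.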
diff --git a/.github/workflows/flux-diff.yaml b/.github/workflows/flux-diff.yaml
index ee0369a88..8604cf857 100644
--- a/.github/workflows/flux-diff.yaml
+++ b/.github/workflows/flux-diff.yaml
@@ -6,6 +6,9 @@ on:
     branches: ["main"]
     paths: ["kubernetes/**.yaml"]
 
+permissions:
+  contents: read
+
 jobs:
   flux-diff:
     name: Flux Diff
@@ -17,6 +20,11 @@ jobs:
         path: ["kubernetes"]
         resource: ["helmrelease", "kustomization"]
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Generate Token
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         id: generate-token
diff --git a/.github/workflows/helm-release-differ.yaml b/.github/workflows/helm-release-differ.yaml
index a34841235..305d9c2e4 100644
--- a/.github/workflows/helm-release-differ.yaml
+++ b/.github/workflows/helm-release-differ.yaml
@@ -18,6 +18,11 @@ jobs:
     outputs:
       matrix: ${{ steps.set-matrix.outputs.matrix }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -39,6 +44,11 @@ jobs:
     strategy:
       matrix: ${{ fromJSON(needs.changed-files.outputs.matrix) }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -49,7 +59,7 @@ jobs:
           path: default
 
       - name: Setup Homebrew
-        uses: Homebrew/actions/setup-homebrew@master
+        uses: Homebrew/actions/setup-homebrew@55e35ac78132cc31ce174408f40a9676e64aa0e2 # master
 
       - name: Setup Tools
         run: |
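Review bot: In the helm-release-differ.yaml hunk at `@@ -49,7 +59,7 @@`, the Setup Homebrew step is now pinned to a SHA whose version comment is `# master` rather than a release tag, so neither a reader nor an automated pin-updater has anything to roll the digest forward to and the pin will age in place. Homebrew/actions does not appear to publish tagged releases, which is presumably why the bot fell back to the branch tip; if so, say that where the pin lives so nobody "corrects" it later, e.g. `uses: Homebrew/actions/setup-homebrew@55e35ac78132cc31ce174408f40a9676e64aa0e2 # master (no tagged releases; bump digest manually)`. The enclosing job continues outside the hunk.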
@@ -68,7 +78,7 @@ jobs:
 
       - name: Find Comment
         if: ${{ always() && steps.diff.outputs.diff != '' }}
-        uses: peter-evans/find-comment@v2.4.0
+        uses: peter-evans/find-comment@a54c31d7fa095754bfef525c0c8e5e5674c4b4b1 # v2.4.0
         id: find-comment
         with:
           issue-number: ${{ github.event.pull_request.number }}
@@ -77,7 +87,7 @@ jobs:
 
       - name: Create or update comment
         if: ${{ always() && steps.diff.outputs.diff != '' }}
-        uses: peter-evans/create-or-update-comment@v3.1.0
+        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
         with:
           comment-id: ${{ steps.find-comment.outputs.comment-id }}
           issue-number: ${{ github.event.pull_request.number }}
diff --git a/.github/workflows/mega-linter.yaml b/.github/workflows/mega-linter.yaml
index adcc6df1b..e29cb68b8 100644
--- a/.github/workflows/mega-linter.yaml
+++ b/.github/workflows/mega-linter.yaml
@@ -10,6 +10,11 @@ jobs:
     name: MegaLinter
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
@@ -23,7 +28,7 @@ jobs:
           private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
 
       - name: MegaLinter
-        uses: oxsecurity/megalinter/flavors/terraform@v7.7.0
+        uses: oxsecurity/megalinter/flavors/terraform@7e042c726c68415475b05a65a686c612120a1232 # v7.7.0
         env:
           VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'workflow_dispatch' }}
           GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
diff --git a/.github/workflows/pr-labeler.yaml b/.github/workflows/pr-labeler.yaml
index fe9ddff78..8a25d1898 100644
--- a/.github/workflows/pr-labeler.yaml
+++ b/.github/workflows/pr-labeler.yaml
@@ -12,6 +12,11 @@ jobs:
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Generate Token
         uses: actions/create-github-app-token@2986852ad836768dfea7781f31828eb3e17990fa # v1.6.2
         id: app-token
diff --git a/.github/workflows/schedule-renovate.yaml b/.github/workflows/schedule-renovate.yaml
index cbf8dd338..0da98931a 100644
--- a/.github/workflows/schedule-renovate.yaml
+++ b/.github/workflows/schedule-renovate.yaml
@@ -34,8 +34,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # https://github.com/marketplace/actions/github-app-token
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Generate Token
-        uses: tibdex/github-app-token@v2.1.0
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         id: generate-token
         with:
           app_id: "${{ secrets.BOT_APP_ID }}"
@@ -54,7 +59,7 @@ jobs:
 
       # https://github.com/marketplace/actions/renovate-bot-github-action
       - name: Renovate
-        uses: renovatebot/github-action@v39.2.3
+        uses: renovatebot/github-action@b8ce565a2e98de1fec9696a76fba7beb01ec29b2 # v39.2.3
         with:
           configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
           token: "${{ steps.generate-token.outputs.token }}"
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 000000000..d57213e9d
--- /dev/null
+++ b/.github/workflows/scorecards.yml
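Review bot: In the schedule-renovate.yaml hunk at `@@ -34,8 +34,13 @@`, the Harden Runner step was inserted between the comment `# https://github.com/marketplace/actions/github-app-token` and the Generate Token step that comment documents, so the link now reads as if it describes step-security/harden-runner. Place the new step directly under `steps:` and above that comment, as the other workflows in this patch do, or move the comment down so it sits immediately above `- name: Generate Token`.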
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: "Checkout code"
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@03e7845b7bfcd5e7fb63d1ae8c61b0e791134fab # v2.22.11
+        with:
+          sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d00d2fd67..940227635 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -125,3 +125,7 @@ repos:
           kubernetes/talos-flux/apps/home-automation/home-assistant/app/patches/db-init.yaml|
           kubernetes/talos-flux/apps/github/actions-runner-controller/.+/helm-release.yaml
         )$()
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.3
+    hooks:
+      - id: gitleaks
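Review bot: The new gitleaks hook in the `.pre-commit-config.yaml` hunk is pinned to the mutable tag `rev: v8.16.3`, which is at odds with the rest of this patch, where every action is pinned to a commit SHA with the tag kept only as a comment. pre-commit's `rev` accepts a full commit hash, so the same discipline is available here, `rev: <FULL_COMMIT_SHA_FOR_v8.16.3>  # v8.16.3` (placeholder; take the hash from the gitleaks release you intend to pin). Also confirm that this hook is exercised in CI and not only on developer machines, since a pre-commit hook is only a guard where it is installed.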