[StepSecurity] Apply security best practices #404
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Codecov Report: All modified and coverable lines are covered by tests ✅
Additional details and impacted files (Coverage Diff, main vs #404):
              main     #404     +/-
- Coverage    65.46%   64.34%   -1.13%
  Files       27       28       +1
  Lines       1894     1949     +55
+ Hits        1240     1254     +14
- Misses      579      620      +41
  Partials    75       75
View full report in Codecov by Sentry.
.github/workflows/scorecards.yml (outdated diff)
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 |
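Review bot: The pin on the `uses:` line is the form the Pinned-Dependencies check expects (a full 40-character commit SHA with a `# v2.6.1` version comment that Dependabot can keep in sync); since the thread below asks for this Harden Runner step to be dropped, keep the same SHA-plus-version-comment convention on the `uses:` lines that remain in the workflow.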
Can we opt out of using stepout's action runner?
I agree with @bcho. Unless there is a documented recommendation from MSFT OSS guidelines, let's not leverage an external vendor for hardening.
Thank you @weinong and @bcho for this, really appreciate it. Essentially, step-security is well trusted by GH as well; here are a few recommendations from within GH docs:
Also, I noticed the internal MSFT OSS project page for the OSS scoreboard has the relevance of this. Having said that, I just want to mention that I think I can directly fetch and push the removed harden runner for this PR here.
The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available.
Remediation steps:
Set top-level permissions as read-all or contents: read as described in GitHub's documentation.
Set any required write permissions at the job-level. Only set the permissions required for that job; do not set permissions: write-all at the job level.
To help determine the permissions needed for your workflows, you may use StepSecurity's online tool by ticking the "Restrict permissions for GITHUB_TOKEN". You may also tick the "Pin actions to a full length commit SHA" to fix issues found by the Pinned-dependencies check.
Update: the PR is updated with Harden Runner removed.
:) Thanks all, will leave this comment as it is; please feel free to resolve.
Thanks all.
I would like to drop all step-security/harden-runner action calls because we don't know what the implications are at this point. I would prefer to keep the default GitHub Actions runner for now. Other than that, LGTM.
LGTM. @bcho, can I use your second pair of eyes?
LGTM
Summary
This pull request is created by StepSecurity at the request of @Tatsinnit. Please merge the Pull Request to incorporate the requested changes. Please tag @Tatsinnit on your message if you have any questions related to the PR.
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.
Harden Runner
Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.
Harden runner usage
You can find a link to view insights and policy recommendations in the build log.
Please refer to the documentation to find more details.
Keeping your actions up to date with Dependabot
With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).
Add Dependency Review Workflow
The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Maintain Code Quality with Pre-Commit
Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.
Feedback
For bug reports, feature requests, and general feedback, please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
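As an added illustration of the Least Privileged Token Permissions and Pinned Dependencies fixes summarized above and of the Token-Permissions remediation steps quoted in the review thread (this is not code from this PR, from StepSecurity, or from Scorecard), a small line-based linter that flags a missing top-level `permissions:` block, `permissions: write-all` at job level, and `uses:` references not pinned to a full-length commit SHA. The two sample workflows and the 40-hex SHA inside them are constructed placeholders.

```python
import re

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")                        # full-length commit SHA
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")                # step or reusable-workflow ref
TOP_PERMS = re.compile(r"^permissions:\s*(\S*)")                # column 0 => top-level key
JOB_WRITE_ALL = re.compile(r"^\s+permissions:\s*write-all\b")   # indented => job-level key

def lint_workflow(text):
    """Return findings for the Token-Permissions and Pinned-Dependencies checks."""
    findings, top_perms = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if (m := TOP_PERMS.match(line)):
            top_perms = m.group(1) or "block"   # "block": mapping continues on next lines
        if JOB_WRITE_ALL.match(line):
            findings.append(f"line {n}: job-level permissions: write-all")
        if (m := USES.match(line)):
            ref = m.group(1)
            if ref.startswith(("./", "docker://")):
                continue                         # local actions / images: no SHA to pin
            action, _, version = ref.partition("@")
            if not SHA_PIN.match(version):
                findings.append(f"line {n}: {action} uses mutable ref '{version or '(none)'}'")
    if top_perms is None:
        findings.append("no top-level permissions block: GITHUB_TOKEN keeps default scopes")
    elif top_perms == "write-all":
        findings.append("top-level permissions: write-all grants every scope")
    return findings

# Constructed sample workflows (not the project's own); the 40-hex SHA is a placeholder.
WEAK = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@main
"""
HARDENED = """\
name: ci
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
"""
```

Running `lint_workflow(WEAK)` yields four findings (job-level `write-all`, two mutable refs, no top-level permissions), while `lint_workflow(HARDENED)` yields none.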