From fe509a9e9584112155d4fc5b25cb5f056f0dc43f Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 27 Apr 2023 11:47:22 -0700
Subject: [PATCH] ci: [StepSecurity] Apply security best practices (#1134)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
* Update dependabot.yml
---------
Signed-off-by: StepSecurity Bot
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
---
 .devcontainer/Dockerfile | 2 +-
 .github/dependabot.yml | 44 ++++++++++++++
 .github/workflows/chart.yaml | 5 ++
 .github/workflows/codeql.yaml | 5 ++
 .github/workflows/cover.yaml | 8 +++
 .github/workflows/create-release.yaml | 5 ++
 .github/workflows/dependency-review.yml | 27 +++++++++
 .github/workflows/scorecards.yml | 76 +++++++++++++++++++++++++
 .github/workflows/stale.yaml | 7 ++-
 .github/workflows/website.yaml | 9 ++-
 arc/conformance/plugin/Dockerfile | 2 +-
 11 files changed, 185 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/scorecards.yml
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index a99347857..8a1a30f2f 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -2,7 +2,7 @@
 # Copyright (c) Microsoft Corporation. All rights reserved.
 # Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
 #-------------------------------------------------------------------------------------------------------------
-FROM golang:1.20
+FROM golang:1.20@sha256:403f48633fb5ebd49f9a2b6ad6719f912df23dae44974a0c9445be331e72ff5e
 # Avoid warnings by switching to noninteractive
 ENV DEBIAN_FRONTEND=noninteractive
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e4144cac9..68dae9ca9 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
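Review bot: The digest pin on the `FROM golang:1.20@sha256:…` line makes the `1.20` tag informational only — the digest, not the tag, now decides what is pulled — and nothing on the line records which exact upstream release the digest resolves to, which makes later Dependabot digest bumps hard to review. A trailing comment keeps that mapping visible, e.g. `# golang:1.20 pinned by digest; resolves to <fill in exact upstream version>`; the arc/conformance/plugin/Dockerfile hunk in this commit has the same gap. The dependabot.yml hunk in this commit adds a daily `docker` entry for `/.devcontainer`, so the digest will be refreshed automatically once merged.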
@@ -6,15 +6,59 @@ updates:
 interval: "weekly"
 commit-message:
 prefix: "chore"
+
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"
 commit-message:
 prefix: "chore"
+
 - package-ecosystem: "docker"
 directory: "/manifest_staging/charts/csi-secrets-store-provider-azure"
 schedule:
 interval: "weekly"
 commit-message:
 prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /.devcontainer
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /arc/conformance/plugin
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: gomod
+ directory: /test/e2e
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: gomod
+ directory: /tools
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml
index 08549961b..424bcf439 100644
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@@ -16,6 +16,11 @@ jobs:
 runs-on: ubuntu-20.04
 steps:
 # pinning to the sha 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f from https://github.com/actions/checkout/releases/tag/v2.3.4
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 with:
 submodules: true
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index 701a9ddc7..3d0af9360 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
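Review bot: The new `gomod` entry for `directory: /` may collide with the entry that opens this file — its `package-ecosystem` and `directory` lines sit above the hunk and are not visible here — and Dependabot has rejected configurations that list the same ecosystem and directory twice, so that should be confirmed before merge. The six new entries also diverge in style from the three existing ones: unquoted values and `interval: daily` against the quoted `"weekly"` above, and a daily cadence on six entries will produce noticeably more update PRs to triage. If the difference is unintended, `interval: "weekly"` with quoted values keeps the file uniform and the PR volume predictable.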
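Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections; it does not prevent a compromised action or dependency in this job from reaching an arbitrary host, so the step adds visibility but no enforcement. The identical step with the identical setting is added in codeql.yaml, cover.yaml, create-release.yaml, dependency-review.yml, scorecards.yml, stale.yaml and website.yaml. Audit is a reasonable first step, but the intent deserves a comment so it is not mistaken for a finished control, e.g. `# audit first; move to egress-policy: block with allowed-endpoints once the hosts each job needs are known`, with the jobs that hold write credentials (the website deploy and create-release jobs) moved first. The enclosing job definition begins above the hunk.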
@@ -20,6 +20,11 @@ jobs:
 security-events: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
diff --git a/.github/workflows/cover.yaml b/.github/workflows/cover.yaml
index 6579770ec..6b6048e4e 100644
--- a/.github/workflows/cover.yaml
+++ b/.github/workflows/cover.yaml
@@ -7,11 +7,19 @@ on:
 branches:
 - master
+permissions:
+ contents: read
+
 jobs:
 codecov:
 runs-on: ubuntu-latest
 steps:
 # pinning to the sha 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f from https://github.com/actions/checkout/releases/tag/v2.3.4
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 # pinning to the sha 331ce1d993939866bb63c32c6cbbfd48fa76fc57 from https://github.com/actions/setup-go/releases/tag/v2.1.4
 - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
index 57e19aea9..003650b79 100644
--- a/.github/workflows/create-release.yaml
+++ b/.github/workflows/create-release.yaml
@@ -11,6 +11,11 @@ jobs:
 create-release:
 runs-on: ubuntu-20.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
 # pinning to the sha 5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f from https://github.com/actions/checkout/releases/tag/v2.3.4
 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..03d51f226
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
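Review bot: cover.yaml is the only existing workflow in this commit that gains a top-level `permissions:` block limiting GITHUB_TOKEN to `contents: read`; the hunks for chart.yaml, codeql.yaml, create-release.yaml, stale.yaml and website.yaml begin below where such a block would sit, so whether those workflows still run with the default token permissions cannot be seen here. If they do, a read-only default with explicit per-job grants (actions/stale documents needing `issues: write` and `pull-requests: write`; a gh-pages deploy using `secrets.GITHUB_TOKEN` needs `contents: write`) reduces blast radius more than the audit-mode egress step does, and the scorecards.yml added in this commit already shows the pattern — `permissions: read-all` at the top with grants on the job. The codecov job body continues outside the hunk.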
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 000000000..2e405acd5
--- /dev/null
+++ b/.github/workflows/scorecards.yml
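Review bot: The header comment promises that PRs "will be blocked from merging" only "if the workflow run is marked as required", and nothing in the file can make that happen — until the `dependency-review` job is added as a required status check in branch protection, a failing run is advisory. A one-line note naming the job id to require, e.g. `# Enforcement requires adding the "dependency-review" job as a required status check in branch protection.`, would help whoever configures the repository. The `'Checkout Repository'` step also differs from the checkout that scorecards.yml in this same commit adds, which sets `persist-credentials: false`; the review action only reads manifests, so `with: persist-credentials: false` here is consistent and keeps the token out of the checked-out tree.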
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["master"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@8662eabe0e9f338a07350b7fd050732745f93848 # v2.3.1
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 78e25c63b..3ba2c4df5 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -12,7 +12,12 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v8
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
 with:
 days-before-stale: 14
 days-before-close: 7
diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
index c4e236b6a..708b600dc 100644
--- a/.github/workflows/website.yaml
+++ b/.github/workflows/website.yaml
@@ -15,13 +15,18 @@ jobs:
 deploy:
 runs-on: ubuntu-20.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 with:
 submodules: true # Fetch Hugo themes (true OR recursive)
 fetch-depth: 0 # Fetch all history for .GitInfo and .Lastmod
 - name: Setup Hugo
- uses: peaceiris/actions-hugo@v2
+ uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2.6.0
 with:
 hugo-version: "0.75.1"
 extended: true
@@ -30,7 +35,7 @@ jobs:
 run: |
 make -C website production-build
 - name: Deploy
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./website/public
diff --git a/arc/conformance/plugin/Dockerfile b/arc/conformance/plugin/Dockerfile
index 99042f3d5..70498b00a 100644
--- a/arc/conformance/plugin/Dockerfile
+++ b/arc/conformance/plugin/Dockerfile
@@ -2,7 +2,7 @@ ARG STEP_CLI_VERSION=0.22.0
 ARG STEP_CLI_IMAGE=smallstep/step-cli:${STEP_CLI_VERSION}
 FROM $STEP_CLI_IMAGE as step-cli
-FROM registry.k8s.io/build-image/debian-base:bullseye-v1.4.2
+FROM registry.k8s.io/build-image/debian-base:bullseye-v1.4.2@sha256:e6e8c911b1566556ae105d3600df04c600241f43b06d22c73592ebb446d60c49
 ARG KUBE_VERSION=v1.25.3
 ARG TARGETARCH
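Review bot: The digest pin on the debian-base line leaves the other base in this hunk, `FROM $STEP_CLI_IMAGE as step-cli`, resolved by a mutable tag only (`smallstep/step-cli:${STEP_CLI_VERSION}` with `STEP_CLI_VERSION=0.22.0`), so whatever that named stage contributes later in the file — presumably a copied binary, though the COPY is outside the hunk — is not covered by this change. Pinning it the same way, by appending `@sha256:<digest of smallstep/step-cli:0.22.0 — fill in>` to the `ARG STEP_CLI_IMAGE` default, keeps the two stages consistent; the digest is not on this page, so it is written as a placeholder here. It is also worth checking whether Dependabot's docker updater follows a FROM that goes through an ARG, since the `/arc/conformance/plugin` entry added to dependabot.yml in this commit is the only thing that would refresh either pin. The rest of the Dockerfile continues below the hunk.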