From 70c77f23c41639be75f7520336408915d46cf26f Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Wed, 5 Nov 2025 20:20:47 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/workflows/GitGuardian.yml | 9 +++++++--
 .github/workflows/MegaLinter.yml | 14 +++++++++++---
 .github/workflows/PSScriptAnalyzer.yml | 9 +++++++--
 .pre-commit-config.yaml | 6 ++++++
 4 files changed, 31 insertions(+), 7 deletions(-)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/GitGuardian.yml b/.github/workflows/GitGuardian.yml
index 41b51b7..1ccf3f2 100644
--- a/.github/workflows/GitGuardian.yml
+++ b/.github/workflows/GitGuardian.yml
@@ -9,12 +9,17 @@ jobs:
 name: GitGuardian Scan runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: fetch-depth: 0 # fetch all history so multiple commits can be scanned - name: GitGuardian Scan - uses: GitGuardian/ggshield/actions/secret@v1.43.0 + uses: GitGuardian/ggshield/actions/secret@e4f45829b9b6f4664fe70d2a4dcd307a6833f422 # v1.43.0 env: GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
diff --git a/.github/workflows/MegaLinter.yml b/.github/workflows/MegaLinter.yml
index c3c5941..9136557 100644
--- a/.github/workflows/MegaLinter.yml
+++ b/.github/workflows/MegaLinter.yml
@@ -18,6 +18,9 @@ concurrency:
 group: ${{ github.ref }}-${{ github.workflow }} cancel-in-progress: true +permissions: + contents: read + jobs: megalinter: name: MegaLinter
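Review bot: The Harden-runner step added at the top of the GitGuardian job uses `egress-policy: audit`, which only records outbound connections and blocks none of them, so a compromised action or dependency in this job could still send the full checked-out history (`fetch-depth: 0`) or any secret the job holds to an arbitrary host. Once an audit run has listed the endpoints the job actually needs, the step should move to `egress-policy: block` with an `allowed-endpoints:` list; the same applies to the identical steps this patch adds in MegaLinter.yml and PSScriptAnalyzer.yml. This workflow's top-level `permissions:` block, if it has one, lies outside the hunk, so unlike MegaLinter.yml it is not visible here whether GITHUB_TOKEN is restricted to `contents: read`. The new full-SHA `uses:` pins also need an updater configured for the `github-actions` ecosystem (Dependabot or Renovate), otherwise they silently freeze; no such configuration is part of this patch, though one may already exist.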
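Review bot: The workflow-level `permissions: contents: read` added to MegaLinter.yml restricts only GITHUB_TOKEN, while the checkout later in the same file passes `token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}`, so whenever a PAT secret is configured the job runs with whatever scopes that PAT carries and the new block provides no read-only guarantee. Conversely, if MegaLinter is configured to commit or push fixes using GITHUB_TOKEN (its configuration is outside this hunk), that step will now fail with a permission error and should receive an explicit job-level `permissions:` grant rather than a widened workflow default. A short comment above the block would record the intent: `# default to read-only; a job that pushes fixes must request contents: write at job level`.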
@@ -33,8 +36,13 @@ jobs:
 steps: # Git Checkout + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
@@ -47,7 +55,7 @@ jobs:
 # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter/flavors/dotnet@v8 + uses: oxsecurity/megalinter/flavors/dotnet@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8.8.0 id: ml
@@ -87,7 +95,7 @@ jobs:
 # Upload MegaLinter artifacts - name: Archive production artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 if: success() || failure() with: name: MegaLinter reports
diff --git a/.github/workflows/PSScriptAnalyzer.yml b/.github/workflows/PSScriptAnalyzer.yml
index a05663e..e5f6b53 100644
--- a/.github/workflows/PSScriptAnalyzer.yml
+++ b/.github/workflows/PSScriptAnalyzer.yml
@@ -19,7 +19,12 @@ jobs:
 name: 🕵️‍♂️ PSScriptAnalyzer runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: + egress-policy: audit + + - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: 🕵️‍♂️ Run PSScriptAnalyzer uses: microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f
@@ -34,6 +39,6 @@ jobs:
 # Upload the SARIF file generated in the previous step - name: ⬆️ Upload SARIF results file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@5d5cd550d3e189c569da8f16ea8de2d821c9bf7a # v3.31.2 with: sarif_file: results.sarif
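Review bot: In the MegaLinter checkout hunk (`@@ -33,8 +36,13 @@`) the re-pinned actions/checkout still passes `token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}` and leaves checkout's default of persisting that credential into `.git/config`, where every later step of the job, including the MegaLinter container, can read it; the audit-only Harden-runner step above it would log but not stop an outbound call carrying it. Unless a later step of this job (outside the hunk) pushes with that token, add `persist-credentials: false` under `with:`; if a push is required, the PAT should be a fine-grained token scoped to this repository and to the minimum contents permission. The checkout in PSScriptAnalyzer.yml in this same patch has the same default persistence, though it passes no explicit token.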
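Review bot: `microsoft/psscriptanalyzer-action@6b2948b1944407914a58661c49941824d149734f` in the first PSScriptAnalyzer hunk is the only hash-pinned action on this page without a trailing `# vX.Y.Z` comment, so a reader cannot tell which release the hash corresponds to; add the release tag in the same form as the other pins (the hunk does not show it, so it must be looked up from the upstream repository). The `github/codeql-action/upload-sarif` step in the second hunk requires `security-events: write`; if this workflow is later given a `permissions:` block like the one this patch adds to MegaLinter.yml, that grant must be included at job level or the SARIF upload will fail. The `- uses: actions/checkout@…` step carries no `name:`, unlike the Harden-runner step inserted above it and the checkouts in the other two workflows; a `- name: Checkout` line keeps the step list consistent.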
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..479defe
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
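Review bot: The new .pre-commit-config.yaml pins `pre-commit/pre-commit-hooks` by tag (`rev: v4.4.0`) while every workflow action in this same patch is pinned by full commit SHA; tags are mutable, and `rev:` accepts a full SHA (`pre-commit autoupdate --freeze` writes one with the tag kept as a comment), so the hook repository should be pinned the same way for consistency. The file has no leading `---`, and the `- id:` entries under `hooks:` appear to be indented while the top-level `- repo:` entry is flush with `repos:`, which yamllint's `indentation` rule flags; pick one sequence style for the file. Both hooks are whitespace-only fixers, so despite the commit title this file adds no secret or lint check; if that is intended, a one-line comment such as `# whitespace hygiene only; secret scanning runs in .github/workflows/GitGuardian.yml` would save readers a guess.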