Unleash dependabot on Docker files and add dependency review workflow (…

…#4945) ## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @yurishkuro. Please merge the Pull Request to incorporate the requested changes. Please tag @yurishkuro on your message if you have any questions related to the PR. ## Security Fixes ### Keeping your actions up to date with Dependabot With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF). - [GitHub Security Guide](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) ### Add Dependency Review Workflow The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. - [Github Guide about Dependency Review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) - [Github Guide for Configuring Dependency Review Action](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#using-inline-configuration-to-set-up-the-dependency-review-action) ## Feedback For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
jaegertracing · Nov 13, 2023 · cb25bf5 · cb25bf5
1 parent fa21f39
commit cb25bf5
Show file tree

Hide file tree

Showing 2 changed files with 107 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -35,3 +35,83 @@ updates:
     directory: /
     schedule:
       interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/agent
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/all-in-one
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/anonymizer
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/collector
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/es-index-cleaner
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/es-rollover
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/ingester
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/jaeger
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/query
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/remote-storage
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /cmd/tracegen
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /crossdock
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /docker/base
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /docker/debug
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /examples/hotrod
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /plugin/storage/cassandra
+    schedule:
+      interval: daily
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1