From fe5e0eab00054955bf65ef20c796842d32d4e12f Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Mon, 15 May 2023 16:42:12 -0700 Subject: [PATCH] ci: [StepSecurity] Apply security best practices (#2726) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> --- .github/dependabot.yml | 28 +++++++++ .github/workflows/benchmark.yaml | 16 ++++-- .github/workflows/codeql.yaml | 5 ++ .github/workflows/dependency-review.yml | 27 +++++++++ .github/workflows/license-lint.yaml | 12 +++- .github/workflows/pre-release.yaml | 5 ++ .github/workflows/release-pr.yaml | 9 ++- .github/workflows/release.yaml | 14 ++++- .github/workflows/scorecards.yml | 76 +++++++++++++++++++++++++ .github/workflows/upgrade.yaml | 7 ++- .github/workflows/website.yaml | 11 +++- .github/workflows/workflow.yaml | 64 +++++++++++++++++---- build/tooling/Dockerfile | 2 +- test/image/Dockerfile | 2 +- 14 files changed, 249 insertions(+), 29 deletions(-) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecards.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f1dbf744dc4..deda03fbbbc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -26,3 +26,31 @@ updates: update-types: - "version-update:semver-major" - "version-update:semver-minor" + + - package-ecosystem: "docker" + directory: / + schedule: + interval: "weekly" + commit-message: + prefix: "chore" + + - package-ecosystem: "docker" + directory: "/build/tooling" + schedule: + interval: "weekly" + commit-message: + prefix: "chore" + + - package-ecosystem: "docker" + directory: "/test/externaldata/dummy-provider" + schedule: + interval: "weekly" + commit-message: + prefix: "chore" + + - package-ecosystem: "docker" + directory: "/test/image" + schedule: + interval: "weekly" + commit-message: + prefix: "chore" 
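Review bot: The four new `docker` entries keep the base-image digests fresh, but nothing in this hunk covers the `github-actions` ecosystem, and the rest of the PR replaces floating action tags with commit SHAs that go stale without an updater; if the entries above line 26 (outside the hunk) do not already declare `- package-ecosystem: "github-actions"`, add one with the same weekly schedule and `prefix: "chore"`. The first new entry also writes `directory: /` unquoted while the other three quote the path; `directory: "/"` keeps the four entries uniform.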
diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml index 3246e6457ab..6596e84bcc7 100644 --- a/.github/workflows/benchmark.yaml +++ b/.github/workflows/benchmark.yaml @@ -3,6 +3,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: benchmark: name: "Benchmark" @@ -13,6 +16,11 @@ jobs: contents: write pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - uses: izhangzhihao/delete-comment@98aa1ea5c6304048edf951c20b3114e03c785c79 with: github_token: ${{ secrets.GITHUB_TOKEN }} @@ -20,14 +28,14 @@ jobs: issue_number: ${{ github.event.issue.number }} - name: Update status - uses: peter-evans/create-or-update-comment@v3 + uses: peter-evans/create-or-update-comment@3383acd359705b10cb1eeef05c0e88c056ea4666 # v3.0.0 with: issue-number: ${{ github.event.issue.number }} body: | [Running benchmark here...](${{ github.server.url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) - name: Check out base code into the Go module directory - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 with: ref: ${{ github.base_ref }} @@ -35,7 +43,7 @@ jobs: run: make benchmark-test BENCHMARK_FILE_NAME="../base_benchmarks.txt" - name: Check out code into the Go module directory - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Run benchmark with incoming changes run: make benchmark-test BENCHMARK_FILE_NAME="pr_benchmarks.txt" @@ -53,7 +61,7 @@ jobs: echo '$delimiter' >> $GITHUB_OUTPUT - name: Create commit comment - uses: peter-evans/create-or-update-comment@v3 + uses: peter-evans/create-or-update-comment@3383acd359705b10cb1eeef05c0e88c056ea4666 # v3.0.0 with: issue-number: ${{ github.event.issue.number }} body: | 
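Review bot: Every `Harden Runner` step added in this PR (here and in codeql, dependency-review, license-lint, pre-release, release-pr, release, scorecards, upgrade, website and workflow) uses `egress-policy: audit`, which only records outbound connections and blocks nothing, so the gain is observability rather than an enforced control. That is a reasonable first step, but it deserves a tracking comment so the audit output is actually reviewed and the policy later tightened, e.g. `# audit mode only logs egress; move to egress-policy: block with allowed-endpoints once the baseline traffic is known`. Without that follow-up each job gains a third-party step and some runtime for no enforced protection.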
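Review bot: The `Update status` step's comment body interpolates `${{ github.server.url }}`, which is not a valid context property (the context is `github.server_url`), so the "Running benchmark here" link most likely renders without its host. Change the line to `[Running benchmark here...](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})`, and if the `Create commit comment` body (cut off at the end of the last hunk) builds the same link, fix it there too. This is a pre-existing context line rather than something the pin change introduced, but it sits in the lines being touched.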
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 7d76dc8a5d2..5682b42930c 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -16,6 +16,11 @@ jobs: security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000000..03d51f226e5 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/license-lint.yaml b/.github/workflows/license-lint.yaml index 923e3318d0c..f76c9e28faf 100644 --- a/.github/workflows/license-lint.yaml +++ b/.github/workflows/license-lint.yaml @@ -11,6 +11,9 @@ on: - "go.sum" - "vendor/**" +permissions: + contents: read + jobs: license-lint: name: "license-lint" 
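Review bot: The checkout here stays at `actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c` with no version comment, while the same PR pins other workflows to `actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2` (benchmark, dependency-review, license-lint, the manifests job in workflow); pre-release, release, upgrade, website and the remaining workflow jobs keep the older unannotated SHA as well. Two different checkout commits in one repository double the surface that has to be audited, and without the trailing `# vX.Y.Z` comment a reader cannot tell which release the SHA corresponds to. Pin every checkout to the one reviewed SHA with its version comment.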
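Review bot: The `Checkout Repository` step in the new dependency-review workflow runs with the default `persist-credentials: true`, which leaves the `GITHUB_TOKEN` in the checked-out `.git/config` for the rest of the job even though this workflow only reads dependency manifests; the scorecards workflow added in the same PR already sets `persist-credentials: false` on its checkout, so do the same here with `with:` / `persist-credentials: false`. Consider also stating the action's threshold explicitly with `fail-on-severity`, so the default (`low`) is visible to whoever next reads the workflow rather than implicit.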
@@ -19,13 +22,18 @@ jobs: permissions: contents: read steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" - name: Check out code into the Go module directory - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: license-lint run: | diff --git a/.github/workflows/pre-release.yaml b/.github/workflows/pre-release.yaml index 2f41e1ffdc8..f678f9782d9 100644 --- a/.github/workflows/pre-release.yaml +++ b/.github/workflows/pre-release.yaml @@ -18,6 +18,11 @@ jobs: if: github.ref == 'refs/heads/master' && github.event_name == 'push' && github.repository == 'open-policy-agent/gatekeeper' timeout-minutes: 30 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c diff --git a/.github/workflows/release-pr.yaml b/.github/workflows/release-pr.yaml index af5bcdad928..f9729e4f542 100644 --- a/.github/workflows/release-pr.yaml +++ b/.github/workflows/release-pr.yaml @@ -17,8 +17,13 @@ jobs: create-release-pull-request: runs-on: ubuntu-22.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" 
@@ -72,7 +77,7 @@ jobs: run: make version-docs NEWVERSION=v${MAJOR_VERSION}.${MINOR_VERSION}.x - name: Create release pull request - uses: peter-evans/create-pull-request@v5 + uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 # v5.0.0 with: commit-message: "chore: Prepare ${{ env.NEWVERSION }} release" title: "chore: Prepare ${{ env.NEWVERSION }} release" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index fd6e25667d7..1d11531603b 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -9,6 +9,9 @@ env: CRD_IMAGE_REPO: openpolicyagent/gatekeeper-crds GATOR_IMAGE_REPO: openpolicyagent/gator +permissions: + contents: read + jobs: tagged-release: name: "Tagged Release" @@ -18,11 +21,16 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') && github.repository == 'open-policy-agent/gatekeeper' timeout-minutes: 45 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" @@ -127,7 +135,7 @@ jobs: PLATFORMS: "linux-amd64 linux-arm64 darwin-amd64 darwin-arm64" - name: Create GitHub release - uses: "marvinpinto/action-automatic-releases@v1.2.1" + uses: "marvinpinto/action-automatic-releases@919008cf3f741b179569b7a6fb4d8860689ab7f0 # v1.2.1" with: repo_token: "${{ secrets.GITHUB_TOKEN }}" prerelease: false @@ -136,7 +144,7 @@ jobs: _dist/*.tar.gz - name: Publish Helm chart - uses: stefanprodan/helm-gh-pages@v1.7.0 + uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 with: token: ${{ secrets.GITHUB_TOKEN }} charts_dir: charts 
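Review bot: The new workflow-level `permissions: contents: read` will break the `Create GitHub release` and `Publish Helm chart` steps unless the `tagged-release` job declares its own `permissions:` block outside this hunk, because both steps act with `secrets.GITHUB_TOKEN` and creating a release or pushing to the gh-pages branch needs `contents: write`. Please confirm a job-level block exists, or add `permissions:` / `contents: write` to the job. Keeping the write scope on the job rather than the whole workflow is the right shape; the top-level read-only default is fine once that is in place.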
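Review bot: The `Create GitHub release` step's new value is `uses: "marvinpinto/action-automatic-releases@919008cf3f741b179569b7a6fb4d8860689ab7f0 # v1.2.1"` with the `# v1.2.1` inside the double quotes, so it is part of the string rather than a YAML comment and the runner will try to resolve a ref named `919008cf3f741b179569b7a6fb4d8860689ab7f0 # v1.2.1`. Drop the quotes so the comment is parsed as one: `uses: marvinpinto/action-automatic-releases@919008cf3f741b179569b7a6fb4d8860689ab7f0 # v1.2.1`. Every other pin in this PR is unquoted, so this also restores consistency with the surrounding steps.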
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 00000000000..2e405acd5a7
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,76 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["master"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@8662eabe0e9f338a07350b7fd050732745f93848 # v2.3.1 + with: + sarif_file: results.sarif diff --git a/.github/workflows/upgrade.yaml b/.github/workflows/upgrade.yaml index 46f7f53a275..a3936fce4e8 100644 --- a/.github/workflows/upgrade.yaml +++ b/.github/workflows/upgrade.yaml @@ -24,6 +24,11 @@ jobs: matrix: HELM_VERSION: ["3.7.2"] steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c @@ -94,7 +99,7 @@ jobs: kubectl logs -n gatekeeper-system -l run=dummy-provider --tail=-1 > logs-${{ matrix.HELM_VERSION }}-dummy-provider-post-upgrade.json - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: ${{ always() }} with: name: logs diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml index 57d36ebf52d..f3a98f5a0bd 100644 --- a/.github/workflows/website.yaml 
+++ b/.github/workflows/website.yaml @@ -18,10 +18,15 @@ jobs: run: working-directory: website steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 with: node-version: "16" @@ -30,7 +35,7 @@ jobs: run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT - name: Cache dependencies - uses: actions/cache@v3 + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 with: path: ${{ steps.yarn-cache.outputs.dir }} key: ${{ runner.os }}-website-${{ hashFiles('**/yarn.lock') }} @@ -41,7 +46,7 @@ jobs: - run: yarn build - name: Deploy - uses: peaceiris/actions-gh-pages@v3.9.3 + uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./website/build diff --git a/.github/workflows/workflow.yaml b/.github/workflows/workflow.yaml index 25796993354..319705103b9 100644 --- a/.github/workflows/workflow.yaml +++ b/.github/workflows/workflow.yaml @@ -31,8 +31,13 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 5 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" @@ -41,7 +46,7 @@ jobs: # source: https://github.com/golangci/golangci-lint-action - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5 # v3.4.0 with: # version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version version: v1.51.2 
@@ -51,8 +56,13 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 10 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" @@ -63,7 +73,7 @@ jobs: run: make native-test - name: Codecov Upload - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@894ff025c7b54547a9a2a1e9f228beae737ad3c2 # v3.1.3 with: flags: unittests file: ./cover.out @@ -74,10 +84,15 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 10 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory - uses: actions/checkout@v3 + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" - name: Check go.mod and manifests @@ -93,8 +108,13 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 5 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" 
@@ -118,11 +138,16 @@ jobs: matrix: KUBERNETES_VERSION: ["1.24.12", "1.25.8", "1.26.3", "1.27.1"] steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" @@ -155,7 +180,7 @@ jobs: kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-audit.json - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: ${{ always() }} with: name: logs @@ -171,6 +196,11 @@ jobs: HELM_VERSION: ["3.7.2"] GATEKEEPER_NAMESPACE: ["gatekeeper-system", "custom-namespace"] steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c @@ -215,7 +245,7 @@ jobs: kubectl logs -n ${{ matrix.GATEKEEPER_NAMESPACE }} -l run=dummy-provider --tail=-1 > logs-helm-${{ matrix.HELM_VERSION }}-${{ matrix.GATEKEEPER_NAMESPACE }}-dummy-provider.json - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: ${{ always() }} with: name: helm-logs 
@@ -228,11 +258,16 @@ jobs: timeout-minutes: 15 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c - name: Set up Go 1.20 - uses: actions/setup-go@v4 + uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version: "1.20" @@ -269,7 +304,7 @@ jobs: kubectl logs -n gatekeeper-system -l control-plane=audit-controller --tail=-1 > logs-generatorexpansion-audit.json - name: Upload artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 if: ${{ always() }} with: name: generatorexpansion-logs @@ -281,6 +316,11 @@ jobs: runs-on: ubuntu-22.04 timeout-minutes: 15 steps: + - name: Harden Runner + uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1 + with: + egress-policy: audit + - name: Check out code into the Go module directory uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c diff --git a/build/tooling/Dockerfile b/build/tooling/Dockerfile index b9418e12fef..b6ff255a07c 100644 --- a/build/tooling/Dockerfile +++ b/build/tooling/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20-bullseye +FROM golang:1.20-bullseye@sha256:595c9af0430dd84bad33020e7e9e328af4bd1a1aabd46a03b5bf6f252cdbecf3 RUN GO111MODULE=on go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.10.0 RUN GO111MODULE=on go install k8s.io/code-generator/cmd/conversion-gen@v0.25.4 diff --git a/test/image/Dockerfile b/test/image/Dockerfile index 7b0120ba449..6a54e597156 100644 --- a/test/image/Dockerfile +++ b/test/image/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20-bullseye as builder +FROM golang:1.20-bullseye@sha256:595c9af0430dd84bad33020e7e9e328af4bd1a1aabd46a03b5bf6f252cdbecf3 as builder ARG BATS_VERSION ARG ORAS_VERSION
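Review bot: Pinning `golang:1.20-bullseye` to a `@sha256:` digest in `build/tooling/Dockerfile` (and the same digest in `test/image/Dockerfile`) freezes both the Go patch level and the Debian base fixes, so the `/build/tooling` and `/test/image` dependabot `docker` entries added in this PR are now the only thing that moves these images forward and must stay enabled. Once a digest is present the `1.20-bullseye` tag is informational only, so bump the tag together with the digest in those update PRs; a comment such as `# tag is descriptive only, the digest is authoritative; updated by dependabot` above each `FROM` makes that expectation explicit.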