From b6028b8d3c016b7b43bd1ebf3bceab1073753ad0 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 25 Jun 2026 15:25:18 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
.github/dependabot.yml | 11 +++
.github/workflows/dependency-review.yml | 27 +++++++
.github/workflows/scorecards.yml | 81 ++++++++++++++++++++
.github/workflows/setup-test.yml | 7 +-
.github/workflows/test-negative.yml | 26 ++++++-
.github/workflows/test-non-matrix.yml | 28 ++++++-
.github/workflows/test-positive.yml | 32 ++++++--
.github/workflows/test-reusable-workflow.yml | 21 ++++-
.github/workflows/test-special-chars.yml | 44 ++++++++---
.github/workflows/test-validation.yml | 28 ++++++-
.pre-commit-config.yaml | 10 +++
11 files changed, 282 insertions(+), 33 deletions(-)
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/dependency-review.yml
create mode 100644 .github/workflows/scorecards.yml
create mode 100644 .pre-commit-config.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..bb85b6f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..0fb41f2
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
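Review bot: The `npm` entry with `directory: /` presumes a `package.json` at the repository root, which nothing in this patch shows; if the manifest lives elsewhere or does not exist, Dependabot reports that entry as failing rather than silently skipping it, so the path should be confirmed against the repository before merge. The `github-actions` entry is what keeps the SHA pins introduced in the rest of this commit current, and Dependabot keeps the trailing `# vX.Y.Z` comment in step with the SHA it bumps, so those comments remain trustworthy only as long as its PRs are actually merged. As far as I know pre-commit is not a Dependabot ecosystem, so the `rev:` values in the `.pre-commit-config.yaml` added by this same commit are not covered here and will need a separate update mechanism.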
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000..fe82bd0
--- /dev/null
+++ b/.github/workflows/scorecards.yml
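Review bot: `egress-policy: audit` on the harden-runner step only records outbound calls and blocks nothing, so what this step adds today is telemetry; the protective mode is `egress-policy: block` with an `allowed-endpoints` list derived from a few audited runs, and the same applies to every harden-runner step this commit adds in scorecards.yml, setup-test.yml and the test-*.yml workflows. The dependency-review step inherits the action's default severity threshold; if the merge-blocking described in the header comment is the intent, make the gate explicit, e.g. `with:` / `fail-on-severity: moderate`, so it does not shift with a future default change. The header comment's promise that vulnerable PRs "will be blocked" also depends on this check being marked required in branch protection, which the workflow cannot establish by itself and which is worth noting in the commit description.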
@@ -0,0 +1,81 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+ # To allow GraphQL ListCommits to work
+ issues: read
+ pull-requests: read
+ # To detect SAST tools
+ checks: read
+
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3.36.2 + with: + sarif_file: results.sarif diff --git a/.github/workflows/setup-test.yml b/.github/workflows/setup-test.yml index 663f771..1c4ae72 100644 --- a/.github/workflows/setup-test.yml +++ b/.github/workflows/setup-test.yml @@ -17,11 +17,16 @@ jobs: do: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Setup run: echo "Do setup" - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: ./ id: writer diff --git a/.github/workflows/test-negative.yml b/.github/workflows/test-negative.yml index 7b992c8..b174973 100644 --- a/.github/workflows/test-negative.yml +++ b/.github/workflows/test-negative.yml 
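Review bot: The checkout step here is pinned to actions/checkout v4.3.1 (34e1148…) while every pre-existing workflow in this commit is moved to v7.0.0 (9c091bb…), and dependency-review.yml carries the same older pin; pinning the two new workflows to the v7.0.0 SHA leaves one checkout version to audit and lets Dependabot bump them together instead of opening separate PRs. `branches: ["main"]` on the `push` trigger assumes `main` is the default branch, which the Branch-Protection check requires and which this patch does not show — worth confirming against the repository settings. The rest of the job (read-only default `permissions`, narrowly scoped job permissions, `persist-credentials: false`, SARIF upload with a short `retention-days`) reads as the expected shape for this workflow.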
@@ -10,11 +10,16 @@ jobs: matrix: target: ["one", "two"] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Setup run: echo "Do setup" - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: ./ id: writer @@ -27,7 +32,12 @@ jobs: continue-on-error: true needs: [setup] steps: - - uses: actions/download-artifact@v8 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - id: current run: |- @@ -40,7 +50,12 @@ jobs: runs-on: ubuntu-latest needs: [test] steps: - - uses: nick-fields/assert-action@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: '0' actual: "${{ needs.test.outputs.result }}" @@ -50,5 +65,10 @@ jobs: needs: [assert] if: ${{ always() }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Tear down run: echo "Do Tear down" diff --git a/.github/workflows/test-non-matrix.yml b/.github/workflows/test-non-matrix.yml index 8cd2634..b1f70fe 100644 --- a/.github/workflows/test-non-matrix.yml +++ b/.github/workflows/test-non-matrix.yml 
@@ -7,6 +7,11 @@ jobs: setup: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Setup run: echo "Do setup" @@ -15,8 +20,13 @@ jobs: continue-on-error: true needs: [setup] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: ./ id: current @@ -32,18 +42,23 @@ jobs: runs-on: ubuntu-latest needs: [test] steps: - - uses: nick-fields/assert-action@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: '{"result":"one"}' actual: "${{ needs.test.outputs.result }}" - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: 'success' actual: "${{ needs.test.outputs.outcome }}" - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: 'one' actual: ${{ fromJson(needs.test.outputs.result).result }} @@ -53,5 +68,10 @@ jobs: needs: [assert] if: ${{ always() }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Tear down run: echo "Do Tear down" diff --git a/.github/workflows/test-positive.yml b/.github/workflows/test-positive.yml index 58bf1a4..1012a55 100644 --- a/.github/workflows/test-positive.yml +++ b/.github/workflows/test-positive.yml 
@@ -10,11 +10,16 @@ jobs: matrix: target: ["one", "two"] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Setup run: echo "Do setup" - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: ./ id: writer @@ -25,12 +30,12 @@ jobs: result: ${{ matrix.target }} test: existing_value - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: ${{ matrix.target }} actual: ${{ fromJson(steps.writer.outputs.result).result }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: existing_value actual: ${{ fromJson(steps.writer.outputs.result).test }} @@ -40,7 +45,12 @@ jobs: continue-on-error: true needs: [setup] steps: - - uses: actions/download-artifact@v8 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - id: current run: |- @@ -54,12 +64,17 @@ jobs: runs-on: ubuntu-latest needs: [test] steps: - - uses: nick-fields/assert-action@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: '2' actual: "${{ needs.test.outputs.result }}" - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: 'success' actual: "${{ needs.test.outputs.outcome }}" 
@@ -69,5 +84,10 @@ jobs: needs: [assert] if: ${{ always() }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Tear down run: echo "Do Tear down" diff --git a/.github/workflows/test-reusable-workflow.yml b/.github/workflows/test-reusable-workflow.yml index 03d2054..05c7ffe 100644 --- a/.github/workflows/test-reusable-workflow.yml +++ b/.github/workflows/test-reusable-workflow.yml @@ -18,7 +18,12 @@ jobs: continue-on-error: true needs: [setup] steps: - - uses: actions/download-artifact@v8 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - id: current run: |- @@ -32,12 +37,17 @@ jobs: runs-on: ubuntu-latest needs: [test] steps: - - uses: nick-fields/assert-action@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: '2' actual: "${{ needs.test.outputs.result }}" - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: 'success' actual: "${{ needs.test.outputs.outcome }}" @@ -47,5 +57,10 @@ jobs: needs: [assert] if: ${{ always() }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Tear down run: echo "Do Tear down" diff --git a/.github/workflows/test-special-chars.yml b/.github/workflows/test-special-chars.yml index 85a8318..4a3708e 100644 
--- a/.github/workflows/test-special-chars.yml +++ b/.github/workflows/test-special-chars.yml @@ -17,11 +17,16 @@ jobs: matrix: target: ["one", "two"] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Setup run: echo "Do setup" - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: ./ id: writer 
@@ -34,44 +39,44 @@ jobs: test2: "comment: URL for deploy: ' https://frontend-docs-259.website.dev" test3: ${{ toJson(inputs.paths) }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: ${{ matrix.target }} actual: ${{ fromJson(steps.writer.outputs.result).result2 }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: ${{ matrix.target }} actual: ${{ steps.writer.outputs.result2 }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: "comment: URL for deploy: https://frontend-docs-259.website.dev" actual: ${{ fromJson(steps.writer.outputs.result).test }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: "comment: URL for deploy: https://frontend-docs-259.website.dev" actual: ${{ steps.writer.outputs.test }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: "comment: URL for deploy: ' https://frontend-docs-259.website.dev" actual: ${{ fromJson(steps.writer.outputs.result).test2 }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: "comment: URL for deploy: ' https://frontend-docs-259.website.dev" actual: ${{ steps.writer.outputs.test2 }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: | Application: application Dashboard: /dashboard actual: ${{ fromJson(steps.writer.outputs.result).test3 }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: | Application: 
application @@ -83,7 +88,12 @@ jobs: continue-on-error: true needs: [setup] steps: - - uses: actions/download-artifact@v8 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 - id: current run: |- @@ -98,12 +108,17 @@ jobs: runs-on: ubuntu-latest needs: [test] steps: - - uses: nick-fields/assert-action@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: '2' actual: "${{ needs.test.outputs.result }}" - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: 'success' actual: "${{ needs.test.outputs.outcome }}" @@ -114,5 +129,10 @@ jobs: needs: [assert] if: ${{ always() }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Tear down run: echo "Do Tear down" diff --git a/.github/workflows/test-validation.yml b/.github/workflows/test-validation.yml index 0702416..fadc1a1 100644 --- a/.github/workflows/test-validation.yml +++ b/.github/workflows/test-validation.yml @@ -7,6 +7,11 @@ jobs: setup: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Setup run: echo "Do setup" 
@@ -18,8 +23,13 @@ jobs: continue-on-error: true needs: [setup] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: ./ id: current @@ -30,12 +40,12 @@ jobs: result: ${{ matrix.target }} test: comment: URL for deploy: https://frontend-docs-259.website.dev - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: ${{ matrix.target }} actual: ${{ fromJson(steps.writer.outputs.result).result }} - - uses: nick-fields/assert-action@v4 + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: "comment: URL for deploy: https://frontend-docs-259.website.dev" actual: ${{ fromJson(steps.writer.outputs.result).test }} @@ -47,7 +57,12 @@ jobs: runs-on: ubuntu-latest needs: [test] steps: - - uses: nick-fields/assert-action@v4 + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + + - uses: nick-fields/assert-action@0efd6166067d9c59d89c710fab4f79fb066f8985 # v4.0.1 with: expected: 'failure' actual: "${{ needs.test.outputs.result }}" @@ -58,5 +73,10 @@ jobs: needs: [assert] if: ${{ always() }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + with: + egress-policy: audit + - name: Tear down run: echo "Do Tear down" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..cba0860 --- /dev/null +++ b/.pre-commit-config.yaml 
@@ -0,0 +1,10 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
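Review bot: Both `rev:` values are mutable tags (`v8.16.3`, `v4.4.0`) in a commit whose whole point is pinning third-party code to immutable SHAs; pre-commit accepts a full commit SHA in `rev:`, and since the Dependabot config added in this commit does not, to my knowledge, cover pre-commit, these revisions will also not be bumped automatically — a scheduled `pre-commit autoupdate` run or pre-commit.ci is the usual way to keep them current. The gitleaks hook runs only on contributors' machines and is not enforced server-side, so it complements rather than replaces repository-level secret scanning and push protection; the commit description could say which of those is the enforcing control. Style: the top-level sequence is flush (`- repo:`) while the nested `hooks:` sequence is indented (`  - id:`); yamllint's `indentation.indent-sequences` expects one form file-wide.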