Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address token and security policy OpenSSF findings #554

Merged
merged 1 commit into from
Oct 31, 2024
Merged

Address token and security policy OpenSSF findings #554

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,7 @@ on:
workflow_dispatch:

permissions:
id-token: write
contents: write
contents: read

env:
VERSION_FILE: pkg/version/version.go
Expand All @@ -14,6 +13,9 @@ jobs:
tag:
if: ${{ github.repository }} == 'chainguard-dev/malcontent'
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/style.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@

name: Code Style

permissions:
contents: read

on:
pull_request:
branches:
Expand Down
8 changes: 5 additions & 3 deletions .github/workflows/version.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,7 @@ on:
default: 'minor'

permissions:
contents: write
id-token: write
pull-requests: write
contents: read

env:
VERSION_FILE: pkg/version/version.go
Expand All @@ -20,6 +18,10 @@ jobs:
version:
if: ${{ github.repository }} == 'chainguard-dev/malcontent'
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
pull-requests: write
steps:
- uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
Expand Down
19 changes: 19 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
# `malcontent` Security Policy

## Reporting Security Issues

Security issues or vulnerabilities can be reported in one of two ways:
- By emailing `security@chainguard.dev`
- By reporting a finding privately via https://github.com/chainguard-dev/malcontent/security/advisories/new

## Addressing Security Issues

Security issues or vulnerabilities can also be addressed directly via a PR -- contributions are always welcome.

More on contributing can be found in [DEVELOPMENT.md](DEVELOPMENT.md).

## Addressing Rule Coverage Gaps

While `malcontent` aims to err on the "paranoid" side of scanning, certain behaviors, including malicious behaviors, may not be covered by the existing YARA Rules.

If this is the case, please open an issue: https://github.com/chainguard-dev/malcontent/issues or feel free to contribute changes or additions.