[StepSecurity] ci: Harden GitHub Actions (#2)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
northwood-labs · Mar 26, 2024 · 61dd6f9 · 61dd6f9
1 parent 043a0a5
commit 61dd6f9
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -27,13 +27,18 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Source
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:
           ref: main
 
       - name: Render terraform docs and push changes back to PR
-        uses: terraform-docs/gh-actions@v1
+        uses: terraform-docs/gh-actions@7a62208a0090636af2df1b739da46d27fd90bdc6 # v1.1.0
         with:
           git-commit-message: "docs: Generate documentation in README.md"
           git-push-sign-off: "true"

diff --git a/.github/workflows/markdownlint.yml b/.github/workflows/markdownlint.yml
@@ -27,6 +27,11 @@ jobs:
     permissions:
       contents: write
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Source
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
         with:

diff --git a/.github/workflows/trivy-vuln.yml b/.github/workflows/trivy-vuln.yml
@@ -48,7 +48,7 @@ jobs:
           persist-credentials: false
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.18.0
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
         with:
           scan-type: fs
           format: sarif