Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

🌱 [StepSecurity] Add Dependency Review Workflow #400

Merged
merged 1 commit into from
Apr 8, 2024
Merged

🌱 [StepSecurity] Add Dependency Review Workflow #400

merged 1 commit into from
Apr 8, 2024

Conversation

step-security-bot
Copy link
Contributor

Summary

This pull request is created by StepSecurity at the request of @zhujian7. Please merge the Pull Request to incorporate the requested changes. Please tag @zhujian7 on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

@step-security-bot
[StepSecurity] Apply security best practices
07319be 
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@openshift-ci openshift-ci bot requested review from deads2k and qiujian16 April 8, 2024 04:20
@zhujian7 zhujian7 changed the title [StepSecurity] Apply security best practices 🌱 [StepSecurity] Add Dependency Review Workflow Apr 8, 2024
@zhujian7 zhujian7 closed this Apr 8, 2024
@zhujian7 zhujian7 reopened this Apr 8, 2024
@zhujian7
Copy link
Member

zhujian7 commented Apr 8, 2024

/assign @qiujian16

@qiujian16
Copy link
Member

/approve
/lgtm

@openshift-ci openshift-ci bot added the lgtm label Apr 8, 2024
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Apr 8, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16, step-security-bot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label Apr 8, 2024
@openshift-merge-bot openshift-merge-bot bot merged commit bcbe4d2 into open-cluster-management-io:main Apr 8, 2024
22 of 24 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@qiujian16 qiujian16 Awaiting requested review from qiujian16

Assignees

@qiujian16 qiujian16

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@step-security-bot @zhujian7 @qiujian16