[StepSecurity] Apply security best practices #3276
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
| @@ -43,7 +43,7 @@ jobs: | |||
| container: | |||
| image: ghcr.io/sparklemotion/nokogiri-test:${{matrix.image}} | |||
| steps: | |||
| - uses: actions/checkout@v1 # v1 because of https://github.com/actions/checkout/issues/334 | |||
There was a problem hiding this comment.
This should use v4 (or really 692973e3d937129bcbf40652eb9f2f61becf3332).
There was a problem hiding this comment.
Can't use v4 because of the issue linked in the comment.
There was a problem hiding this comment.
Got it. I briefly checked the issue and it was reported for v2 and there were comments saying it had been fixed, but that seems not to be the case. Odd that it would be broken for so long.
There was a problem hiding this comment.
I haven't tried it in a few years, maybe it would work if we bumped it. But I got the distinct impression that Github only really cares if the actions runs on their official runners, and won't fully support running in arbitrary containers. Which, TBH, is a completely defensible position to take.
| @@ -156,7 +156,7 @@ jobs: | |||
| container: | |||
| image: ghcr.io/sparklemotion/nokogiri-test:alpine | |||
| steps: | |||
| - uses: actions/checkout@v1 # v1 because of https://github.com/actions/checkout/issues/334 | |||
| - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0 | |||
There was a problem hiding this comment.
Does this still need to be v1?
| egress-policy: audit | ||
|
|
||
| - name: "Checkout code" | ||
| uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 |
There was a problem hiding this comment.
This is old. It should also be v4.
| persist-credentials: false | ||
|
|
||
| - name: "Run analysis" | ||
| uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 |
There was a problem hiding this comment.
This is old and will fail with the error
2024/07/03 20:44:46 error signing scorecard json results: error signing payload: getting key from Fulcio: verifying SCT: updating local metadata and targets: error updating to TUF remote mirror: invalid key
See ossf/scorecard-action#997 for details.
I have misgivings about a security tool like StepSecurity when it is producing such obviously broken output.
There was a problem hiding this comment.
I don't want to merge this, this was a bit of an experiment. Sorry for not providing that context earlier.
There was a problem hiding this comment.
Ah. No worries. It seemed pretty interesting. I filed a bug report (via email) about the outdated pinned action versions so hopefully they'll fix those soon.
| # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
| # format to the repository Actions tab. | ||
| - name: "Upload artifact" | ||
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 |
There was a problem hiding this comment.
This should be v4.3.3
|
|
||
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@d958b976dc5b990f802df244f2dc5d807113327f # v2.25.11 |
**What problem is this PR intended to solve?** See thread at #3276 (comment) Let's roll the dice! cc @stevecheckoway
Summary
This pull request is created by StepSecurity at the request of @flavorjones. Please merge the Pull Request to incorporate the requested changes. Please tag @flavorjones on your message if you have any questions related to the PR.
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Feedback
For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot bot@stepsecurity.io