From 662e71aa297db223e9636688990fb214da581158 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Mon, 8 Apr 2024 22:16:36 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 5 ++ .github/workflows/bandit.yml | 10 ++- .github/workflows/codacy.yml | 9 ++- .github/workflows/codeql.yml | 78 ++++++++++++++++++++++ .github/workflows/defender-for-devops.yml | 13 ++-- .github/workflows/dependency-review.yml | 9 ++- .github/workflows/devskim.yml | 14 +++- .github/workflows/greetings.yml | 10 ++- .github/workflows/label.yml | 10 ++- .github/workflows/ossar.yml | 11 ++- .github/workflows/pylint.yml | 12 +++- .github/workflows/pyre.yml | 7 +- .github/workflows/pysa.yml | 7 +- .github/workflows/python-app.yml | 9 ++- .github/workflows/python-package-conda.yml | 12 +++- .github/workflows/python-publish.yml | 9 ++- .github/workflows/scorecard.yml | 5 ++ .github/workflows/semgrep.yml | 10 ++- .github/workflows/sobelow.yml | 7 +- .github/workflows/stale.yml | 10 ++- .github/workflows/super-linter.yml | 15 ++++- .pre-commit-config.yaml | 14 ++++ 22 files changed, 254 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/codeql.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index a0446c4..128ea03 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -12,3 +12,8 @@ updates: allow: # Allow both direct and indirect updates for all packages - dependency-type: "all" + + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml index 76d8eed..b4607e4 100644 --- a/.github/workflows/bandit.yml +++ b/.github/workflows/bandit.yml @@ -20,6 +20,9 @@ on: schedule: - cron: '27 9 * * 0' +permissions: + contents: read + jobs: bandit: permissions: @@ -29,7 +32,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Bandit Scan uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c with: # optional arguments diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml index c87ccfb..a6308ed 100644 --- a/.github/workflows/codacy.yml +++ b/.github/workflows/codacy.yml @@ -35,8 +35,13 @@ jobs: runs-on: ubuntu-latest steps: # Checkout the repository to the GitHub Actions runner + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - name: Run Codacy Analysis CLI @@ -56,6 +61,6 @@ jobs: # Upload the SARIF file generated in the previous step - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@ffd3158cb9024ebd018dbf20756f28befbd168c7 # v2.24.10 with: sarif_file: results.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..ff37b6e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["python"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@ffd3158cb9024ebd018dbf20756f28befbd168c7 # v2.24.10 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@ffd3158cb9024ebd018dbf20756f28befbd168c7 # v2.24.10 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@ffd3158cb9024ebd018dbf20756f28befbd168c7 # v2.24.10 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml index 7db956c..d6f5351 100644 --- a/.github/workflows/defender-for-devops.yml +++ b/.github/workflows/defender-for-devops.yml @@ -32,18 +32,23 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-dotnet@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0 with: dotnet-version: | 5.0.x 6.0.x - name: Run Microsoft Security DevOps - uses: microsoft/security-devops-action@v1.6.0 + uses: microsoft/security-devops-action@e94440350ed10e2806d47cd0d7504a2c51abdbe9 # v1.6.0 id: msdo with: tools: bandit, binskim, templateanalyzer, terrascan, trivy - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index b8eebfa..b238b02 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -27,10 +27,15 @@ jobs: dependency-review: runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: 'Checkout repository' - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5 # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. with: comment-summary-in-pr: always diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml index 578e7c4..9592c68 100644 --- a/.github/workflows/devskim.yml +++ b/.github/workflows/devskim.yml @@ -13,6 +13,9 @@ on: schedule: - cron: '32 2 * * 2' +permissions: + contents: read + jobs: lint: name: DevSkim @@ -22,13 +25,18 @@ jobs: contents: read security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Run DevSkim scanner - uses: microsoft/DevSkim-Action@v1 + uses: microsoft/DevSkim-Action@914fa647b406c387000300b2f09bb28691be2b6d # v1.0.14 - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 with: sarif_file: devskim-results.sarif diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml index f61f5f7..357f1c0 100644 --- a/.github/workflows/greetings.yml +++ b/.github/workflows/greetings.yml @@ -2,6 +2,9 @@ name: Greetings on: [pull_request_target, issues] +permissions: + contents: read + jobs: greeting: runs-on: ubuntu-latest @@ -9,7 +12,12 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/first-interaction@v1 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/first-interaction@3c71ce730280171fd1cfb57c00c774f8998586f7 # v1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} issue-message: "Thanks for opening an Issue request, I'll check it out shortly." diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 4613569..e7b5a2f 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -8,6 +8,9 @@ name: Labeler on: [pull_request_target] +permissions: + contents: read + jobs: label: @@ -17,6 +20,11 @@ jobs: pull-requests: write steps: - - uses: actions/labeler@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index d8c398b..3189195 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml @@ -31,8 +31,13 @@ jobs: runs-on: windows-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Ensure a compatible version of dotnet is installed. # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. @@ -46,11 +51,11 @@ jobs: # Run open source static analysis tools - name: Run OSSAR - uses: github/ossar-action@v1 + uses: github/ossar-action@786a16a90ba92b4ae6228fe7382fb16ef5c51000 # v1 id: ossar # Upload results to the Security tab - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 with: sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml index cc30618..be698bc 100644 --- a/.github/workflows/pylint.yml +++ b/.github/workflows/pylint.yml @@ -2,6 +2,9 @@ name: Pylint on: [push] +permissions: + contents: read + jobs: build: runs-on: windows-latest @@ -9,9 +12,14 @@ jobs: matrix: python-version: ["3.11.8"] steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{ matrix.python-version }} - name: Install dependencies diff --git a/.github/workflows/pyre.yml b/.github/workflows/pyre.yml index 697cb14..1b763da 100644 --- a/.github/workflows/pyre.yml +++ b/.github/workflows/pyre.yml @@ -34,7 +34,12 @@ jobs: security-events: write runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true - name: Run Pyre diff --git a/.github/workflows/pysa.yml b/.github/workflows/pysa.yml index 10a20a5..adac6cc 100644 --- a/.github/workflows/pysa.yml +++ b/.github/workflows/pysa.yml @@ -35,7 +35,12 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true python-version: '3.11.8' diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml index ac6a2be..e07f5c2 100644 --- a/.github/workflows/python-app.yml +++ b/.github/workflows/python-app.yml @@ -18,9 +18,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Python 3.11.8 - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.11.8" - name: Install dependencies diff --git a/.github/workflows/python-package-conda.yml b/.github/workflows/python-package-conda.yml index fa1fddb..619a39a 100644 --- a/.github/workflows/python-package-conda.yml +++ b/.github/workflows/python-package-conda.yml @@ -2,6 +2,9 @@ name: Python Package using Conda on: [push] +permissions: + contents: read + jobs: build-linux: runs-on: ubuntu-latest @@ -9,9 +12,14 @@ jobs: max-parallel: 5 steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Python 3.11 - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: '3.11' - name: Add conda to system path diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 964c8b2..a3c270a 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -26,9 +26,14 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Python - uses: actions/setup-python@v4 + uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1 with: python-version: '3.11' - name: Install dependencies diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 49ad126..15760ef 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 62c75aa..0b37d33 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -11,6 +11,9 @@ on: # random HH:MM to avoid a load spike on GitHub Actions at 00:00 - cron: 49 5 * * * name: Semgrep +permissions: + contents: read + jobs: semgrep: name: semgrep/ci @@ -20,5 +23,10 @@ jobs: container: image: returntocorp/semgrep steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - run: semgrep ci diff --git a/.github/workflows/sobelow.yml b/.github/workflows/sobelow.yml index 9c588eb..1f4a81d 100644 --- a/.github/workflows/sobelow.yml +++ b/.github/workflows/sobelow.yml @@ -32,6 +32,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: run-action uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912 diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 478ff9c..2b7f93d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -9,6 +9,9 @@ on: schedule: - cron: '43 6 * * *' +permissions: + contents: read + jobs: stale: @@ -18,7 +21,12 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v5 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/stale@f7176fd3007623b69d27091f9b9d4ab7995f0a06 # v5.2.1 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: 'Stale issue message' diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml index e5dc7f6..1206a78 100644 --- a/.github/workflows/super-linter.yml +++ b/.github/workflows/super-linter.yml @@ -12,18 +12,29 @@ on: branches: [ "main" ] pull_request: branches: [ "main" ] +permissions: + contents: read + jobs: run-lint: + permissions: + contents: read # for actions/checkout to fetch code + statuses: write # for github/super-linter to mark status of each linter run runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Lint Code Base - uses: github/super-linter@v4 + uses: github/super-linter@985ef206aaca4d560cb9ee2af2b42ba44adc1d55 # v4.10.0 env: VALIDATE_ALL_CODEBASE: false DEFAULT_BRANCH: "main" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..b09832e --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,14 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace +- repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint