From 1f9b1fccbcb6602fef8a7d502a6b0d172dd5b92b Mon Sep 17 00:00:00 2001 From: Sebastian Guaqueta Date: Mon, 2 Dec 2024 11:06:20 -0500 Subject: [PATCH 1/5] feat/adding scoreBoard settings to repo --- .github/dependabot.yml | 13 +++++++ .github/workflows/codeql.yml | 42 ++++++++++++++++++++++ .github/workflows/dependency-review.yml | 20 +++++++++++ .github/workflows/scorecard.yml | 47 +++++++++++++++++++++++++ README.md | 2 ++ SECURITY.MD | 27 ++++++++++++++ 6 files changed, 151 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 SECURITY.MD diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..79eb8ca --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + # Maintain dependencies for GitHub Actions + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + # Maintain dependencies for npm + - package-ecosystem: npm + directory: / + schedule: + interval: daily \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..63a89f6 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,42 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: "0 0 * * *" + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + security-events: write + + strategy: + fail-fast: false + matrix: + language: [typescript, javascript] + + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Initialize CodeQL + uses: github/codeql-action/init@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 + with: + languages: ${{ matrix.language }} + queries: +security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 + with: + category: "/language:${{ matrix.language }}" \ No newline at end of file diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..d3507de --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,20 @@ +name: 'Dependency Review' +on: [pull_request] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + dependency-review: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: 'Checkout Repository' + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - name: 'Dependency Review' + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 + with: + fail-on-severity: high + comment-summary-in-pr: true \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..0a71e85 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,47 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '33 2 * * 2' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/README.md b/README.md index b12f0db..a83a315 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rsksmart/meme-token-launch/badge)](https://scorecard.dev/viewer/?uri=github.com/rsksmart/meme-token-launch) +[![CodeQL](https://github.com/rsksmart/rskj/workflows/CodeQL/badge.svg)](https://github.com/rsksmart/meme-token-launch/actions?query=workflow%3ACodeQL) RSK Logo # *(Meme) Token Launch* diff --git a/SECURITY.MD b/SECURITY.MD new file mode 100644 index 0000000..f3eb9d6 --- /dev/null +++ b/SECURITY.MD @@ -0,0 +1,27 @@ +# Reporting Security Issues + +The Rootstock team and community take security bugs in rootstock seriously. Beside this project is out of our Bug Bounty Program scope, we appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + + +## Responsible Disclosure + +For all security related issues, meme-token-launch has two main points of contact. Reach us at or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/meme-token-launch/security/advisories/new) tab. + +The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/meme-token-launch/issues). + +## Vulnerability Handling + +### Response Time + +RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities: + +* Time to first response (from report submit) - 5 business days +* Time to triage (from report submit) - 7 business days + +We’ll try to keep you informed about our progress throughout the process. + +### Disclose Policy + +Follow our [disclosure guidelines](https://www.rootstocklabs.com/bounty-program/). \ No newline at end of file From be09121e6853c488defc62a0fdb31904e30e6209 Mon Sep 17 00:00:00 2001 From: Sebastian Guaqueta Date: Mon, 2 Dec 2024 11:19:30 -0500 Subject: [PATCH 2/5] changing to typescript --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 63a89f6..a5f546e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - language: [typescript, javascript] + language: [typescript] steps: - name: Checkout From e23439792ffba087433814a39f0f630c5e74e670 Mon Sep 17 00:00:00 2001 From: Sebastian Guaqueta Date: Mon, 2 Dec 2024 11:33:35 -0500 Subject: [PATCH 3/5] feat adding tools all to test avoid error 'CodeQL analyses from advanced configurations cannot be processed when the default setup is enabled' --- .github/workflows/codeql.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a5f546e..1184901 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,6 +32,7 @@ jobs: with: languages: ${{ matrix.language }} queries: +security-and-quality + tools: all - name: Autobuild uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 From 6a31ef119b6d34ee19c2f87b3398b5e219d43a6f Mon Sep 17 00:00:00 2001 From: Sebastian Guaqueta Date: Mon, 2 Dec 2024 11:36:35 -0500 Subject: [PATCH 4/5] testing codeql setting --- .github/workflows/codeql.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1184901..7022edf 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,7 +21,7 @@ jobs: strategy: fail-fast: false matrix: - language: [typescript] + language: [javascript] steps: - name: Checkout @@ -32,7 +32,6 @@ jobs: with: languages: ${{ matrix.language }} queries: +security-and-quality - tools: all - name: Autobuild uses: github/codeql-action/autobuild@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 From 486ad538c2d03fe9e6ff213061823528082028e8 Mon Sep 17 00:00:00 2001 From: Sebastian Guaqueta Date: Mon, 2 Dec 2024 11:45:49 -0500 Subject: [PATCH 5/5] testing codeql setting --- .github/workflows/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7022edf..485eb40 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -39,4 +39,5 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@f779452ac5af1c261dce0346a8f964149f49322b #v3.26.13 with: - category: "/language:${{ matrix.language }}" \ No newline at end of file + category: "/language:${{ matrix.language }}" + \ No newline at end of file