Read GitHub Actions' "security hardening" guide and act on it #10

Closed
paulo-ferraz-oliveira opened this issue Sep 17, 2023 · 3 comments

Comments

@paulo-ferraz-oliveira
Collaborator

Is your feature request related to a problem?

Potential problems, yes...

Describe the feature you'd like

Give https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions a good read and act on it; otherwise create issues in this repo to have actions to improve in the future.

Describe alternatives you've considered

None.

Additional context

Not available.

@paulo-ferraz-oliveira
Collaborator Author

I'm starting to read now.

@paulo-ferraz-oliveira
Collaborator Author

The stuff I looked at, from GitHub's guide...

  • no secrets
  • codeowners
    • not taken into account, for the moment
    • no security risk detected
  • script injections
    • no direct source of code injection (for our workflows) was identified
  • Settings > Code security and analysis
    • acted on
    • no security risk detected
  • third-party software
  • GitHub actions creation and approval of pull requests
    • this is in effect in our repository, for automation purposes
    • in any case the pull request is created in main so whatever causes it was already there
      before
    • we check the repository regularly for updates (especially since automation is involved) but
      there's still the possibility some slips through the cracks (even though it should be noticeable
      starting from GitHub notifications)
    • low security risk detected
  • compromised runner
    • while we can't control "the runner", everything else we can probably remove and mimic code
      in the action (individual Issues will be opened for each of these)
    • we have no secrets stored, nor should we need these in the near future, since all we do is based
      on open source and publicly available information
    • low security risk detected given the sources of risk
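As an added example (not code from this repository or from GitHub's guide), here is a small checker for two of the items the comment above walks through: script injection, where an attacker-controllable expression such as `${{ github.event.pull_request.title }}` is interpolated directly into a `run:` script instead of being passed through an environment variable, and third-party actions referenced by a mutable tag rather than a full commit SHA. The workflow text, the step names and the 40-character SHA are all constructed for the example; the parsing is line-based on purpose so it runs without a YAML library.

```python
import re

# Constructed sample workflow (not from the project). It contains one risky and one safe
# instance of each pattern; the SHA on setup-node is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Echo title (risky)
        run: echo "${{ github.event.pull_request.title }}"
      - name: Echo title (safe)
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""

EXPR_RE = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")
SHA_RE = re.compile(r"@[0-9a-f]{40}$")
# Expression roots whose values can carry text written by an external contributor
# (a subset of those listed in GitHub's guide; extend as needed).
UNTRUSTED_PREFIXES = ("github.event.", "github.head_ref", "inputs.")


def find_script_injections(workflow_text):
    """Return (line_no, expression) for each untrusted expression used inside a `run:` script.

    A step script is the text after `run:` on that line plus any following lines indented
    deeper than the `run:` key (covers `run: |` block scalars). Expressions assigned under
    `env:` are not flagged: the shell then sees only a variable, not injected text.
    """
    findings = []
    in_run, run_indent = False, 0
    for no, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and (indent <= run_indent or not stripped):
            in_run = False  # left the block scalar
        m = re.match(r"(?:- )?run:\s*(.*)", stripped)
        if m:
            in_run, run_indent = True, indent
            text = m.group(1)
        elif in_run:
            text = stripped
        else:
            continue
        for expr in EXPR_RE.findall(text):
            if expr.startswith(UNTRUSTED_PREFIXES):
                findings.append((no, expr))
    return findings


def find_unpinned_actions(workflow_text):
    """Return (line_no, ref) for each `uses:` reference not pinned to a full commit SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = re.match(r"(?:- )?uses:\s*(\S+)", line.strip())
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// references have no tag to pin in this sense.
        if ref.startswith(("./", "docker://")):
            continue
        if not SHA_RE.search(ref):
            findings.append((no, ref))
    return findings


if __name__ == "__main__":
    for no, expr in find_script_injections(SAMPLE_WORKFLOW):
        print(f"line {no}: untrusted expression in run script: {expr}")
    for no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {no}: action not pinned to a commit SHA: {ref}")
```

Run against `.github/workflows/*.yml` the two functions give a first pass over the "script injections" and "third-party software" items; the fix for the first finding is the `env:` indirection shown in the safe step, and for the second it is replacing the tag with the commit SHA it resolves to.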
