[StepSecurity] Apply security best practices (#76)

## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @nam20485. Please merge the Pull Request to incorporate the requested changes. Please tag @nam20485 on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ### Pinned Dependencies GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ### Keeping your actions up to date with Dependabot With Dependabot version updates, when Dependabot identifies an outdated dependency, it raises a pull request to update the manifest to the latest version of the dependency. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF). - [GitHub Security Guide](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/keeping-your-actions-up-to-date-with-dependabot) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dependency-update-tool) ### Add Dependency Review Workflow The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository. - [Github Guide about Dependency Review](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review) - [Github Guide for Configuring Dependency Review Action](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/configuring-dependency-review#using-inline-configuration-to-set-up-the-dependency-review-action) ## Feedback For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <[email protected]>
nam20485 · Oct 25, 2023 · abff842 · abff842
2 parents 5efd3bf + 1b355bc
commit abff842
Show file tree

Hide file tree

Showing 8 changed files with 71 additions and 29 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /PyOdbDesignServer
+    schedule:
+      interval: daily
diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
@@ -49,14 +49,14 @@ jobs:
     steps:   
 
     - name: Checkout Repository
-      uses: actions/checkout@v3 
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 
 
     # add problem matchers by compiler
     - name: Add Problem Matchers
-      uses: ammaraskar/msvc-problem-matcher@master
+      uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master
       if: matrix.os == 'windows-2022'
     - name: Add Problem Matchers
-      uses: ammaraskar/gcc-problem-matcher@master
+      uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
       if: matrix.os != 'windows-2022'
 
     - name: Install vcpkg Dependencies
@@ -76,12 +76,12 @@ jobs:
       if: matrix.os != 'windows-2022'
 
     - name: Install Ninja    
-      uses: seanmiddleditch/gha-setup-ninja@master
+      uses: seanmiddleditch/gha-setup-ninja@8b297075da4cd2a5f1fd21fe011b499edf06e9d2 # master
       if: matrix.os != 'windows-2022'
 
     # Export vcpkg Cache Variables
     - name : Export vcpkg Cache Variables
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
       with:
         script: |
           core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
@@ -100,7 +100,7 @@ jobs:
     #   os == windows-2022
     #
     - name: Setup VC Tools
-      uses: ilammy/msvc-dev-cmd@v1
+      uses: ilammy/msvc-dev-cmd@7315a94840631165970262a99c72cfb48a65d25d # v1.12.0
       if: matrix.os == 'windows-2022'
 
     - name: Patch vcpkg
@@ -174,7 +174,7 @@ jobs:
         Compress-Archive -Path "${{env.ARTIFACTS_DIR_WIN}}\*.dll","${{env.ARTIFACTS_DIR_WIN}}\*.exe"  -DestinationPath "${{env.ARTIFACTS_DIR_WIN}}\artifacts-${{matrix.os}}.zip" -Verbose -Force
 
     - name: Upload Artifacts
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
       with:
         name: ${{ matrix.os }}-artifacts
         path: ${{ env.ARTIFACTS_DIR }}/artifacts-${{matrix.os}}.zip
@@ -192,11 +192,11 @@ jobs:
     steps:
 
       - name: Checkout Repository
-        uses: actions/checkout@v3 
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 
 
       # download the artifacts
       - name: "Download artifacts"
-        uses: "actions/download-artifact@v2"
+        uses: "actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1"
         with:
           path: ${{ github.workspace }}/artifacts
 
@@ -217,7 +217,7 @@ jobs:
 
       # create a release
       - name: "Create GitHub Release"
-        uses: "actions/github-script@v6"
+        uses: "actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1"
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -21,6 +21,9 @@ env:
   VCPKG_ROOT: ${{ github.workspace }}/vcpkg
   VCPKG_BINARY_SOURCES: 'clear;x-gha,readwrite'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: CodeQL-Security-Scan
@@ -40,11 +43,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
       with:        
         languages: ${{ matrix.language }}
         config-file: ${{ github.workspace }}/.github/codeql/codeql-config.yml        
@@ -55,11 +58,11 @@ jobs:
         "${{env.VCPKG_ROOT}}/bootstrap-vcpkg.sh"            
       
     - name: Install Ninja    
-      uses: seanmiddleditch/gha-setup-ninja@master
+      uses: seanmiddleditch/gha-setup-ninja@8b297075da4cd2a5f1fd21fe011b499edf06e9d2 # master
 
     # Export vcpkg Cache Variables
     - name : Export vcpkg Cache Variables
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
       with:
         script: |
           core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
@@ -75,6 +78,6 @@ jobs:
       run: cmake --build --preset linux-release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -18,6 +18,9 @@ env:
   IMAGE_NAME: ${{ github.repository }}
   #VCPKG_BINARY_SOURCES: 'clear;nuget,GitHub,readwrite'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Docker-Build-and-Publish
@@ -32,11 +35,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       # add problem matchers
       - name: Add Problem Matchers
-        uses: ammaraskar/gcc-problem-matcher@master
+        uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer

diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml
@@ -21,6 +21,9 @@ env:
   COMPARE_TAG: latest
   DOCKERFILE: Dockerfile_OdbDesignServer
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Docker-Scout-Scan
@@ -37,11 +40,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       # add problem matchers
       - name: Add Problem Matchers
-        uses: ammaraskar/gcc-problem-matcher@master
+        uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
 
     #   # Install the cosign tool except on PR
     #   # https://github.com/sigstore/cosign-installer
@@ -123,7 +126,7 @@ jobs:
       - name: Analyze for critical and high CVEs
         id: docker-scout-cves       
         # if: ${{ github.event_name != 'pull_request_target' }} 
-        uses: docker/scout-action@v1
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}
@@ -133,14 +136,14 @@ jobs:
 
       - name: Upload SARIF result
         id: upload-sarif
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
         with:
           sarif_file: sarif.output.json
 
       - name: Docker Scout Compare to Latest
         id: docker-scout
         if: ${{ github.event_name == 'pull_request' }}
-        uses: docker/scout-action@v1
+        uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9
         with:
           command: compare
           image: ${{ steps.meta.outputs.tags }}

diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
@@ -33,18 +33,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
        # Export vcpkg Cache Variables
       - name : Export vcpkg Cache Variables
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
             core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
       
       - name: Setup VC Tools
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@7315a94840631165970262a99c72cfb48a65d25d # v1.12.0
 
       - name: Patch vcpkg
         run: scripts/patch-vcpkg-install.ps1
@@ -73,13 +73,13 @@ jobs:
 
       # Upload SARIF file to GitHub Code Scanning Alerts
       - name: Upload SARIF to GitHub
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
         with:
           sarif_file: ${{ steps.run-analysis.outputs.sarif }}
 
       # Upload SARIF file as an Artifact to download and view
       - name: Upload SARIF as an Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: sarif-file
           path: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -28,9 +28,9 @@ jobs:
         working-directory: PyOdbDesignLib
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - name: Set up Python
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
       with:
         python-version: '3.x'
     - name: Install dependencies