From 1b355bcdedbd130770712b44e4e92d7f050b2543 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Wed, 25 Oct 2023 22:49:53 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 11 +++++++++++
 .github/workflows/cmake-multi-platform.yml | 20 ++++++++++----------
 .github/workflows/codeql.yml | 13 ++++++++-----
 .github/workflows/dependency-review.yml | 22 ++++++++++++++++++++++
 .github/workflows/docker-publish.yml | 7 +++++--
 .github/workflows/docker-scout-scan.yml | 13 ++++++++-----
 .github/workflows/msvc.yml | 10 +++++-----
 .github/workflows/python-publish.yml | 4 ++--
 8 files changed, 71 insertions(+), 29 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..4253e92b
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: pip
+ directory: /PyOdbDesignServer
+ schedule:
+ interval: daily
diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index a250cb7d..657361b6 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
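Review bot: The new `pip` entry monitors only `/PyOdbDesignServer`, but the python-publish.yml hunk at the end of this patch builds from `working-directory: PyOdbDesignLib`; if that directory has its own `requirements*.txt` or `pyproject.toml`, it needs a second entry (`- package-ecosystem: pip` / `directory: /PyOdbDesignLib` / `schedule: interval: daily`) or its dependencies stay unmonitored. The repository also builds a container from `Dockerfile_OdbDesignServer` (see docker-scout-scan.yml), so a `docker` ecosystem entry would keep the base image current as well. Note that vcpkg is not a Dependabot ecosystem, so the C++ dependencies these workflows install via vcpkg remain uncovered — worth a comment in this file so nobody assumes otherwise. A daily `github-actions` schedule combined with the `# master`-pinned third-party actions in this patch will open a PR on every upstream commit; `interval: weekly` with a `groups:` block for actions is usually the saner default.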
@@ -49,14 +49,14 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # add problem matchers by compiler - name: Add Problem Matchers - uses: ammaraskar/msvc-problem-matcher@master + uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master if: matrix.os == 'windows-2022' - name: Add Problem Matchers - uses: ammaraskar/gcc-problem-matcher@master + uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master if: matrix.os != 'windows-2022' - name: Install vcpkg Dependencies @@ -76,12 +76,12 @@ jobs: if: matrix.os != 'windows-2022' - name: Install Ninja - uses: seanmiddleditch/gha-setup-ninja@master + uses: seanmiddleditch/gha-setup-ninja@8b297075da4cd2a5f1fd21fe011b499edf06e9d2 # master if: matrix.os != 'windows-2022' # Export vcpkg Cache Variables - name : Export vcpkg Cache Variables - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || ''); @@ -100,7 +100,7 @@ jobs: # os == windows-2022 # - name: Setup VC Tools - uses: ilammy/msvc-dev-cmd@v1 + uses: ilammy/msvc-dev-cmd@7315a94840631165970262a99c72cfb48a65d25d # v1.12.0 if: matrix.os == 'windows-2022' - name: Patch vcpkg @@ -174,7 +174,7 @@ jobs: Compress-Archive -Path "${{env.ARTIFACTS_DIR_WIN}}\*.dll","${{env.ARTIFACTS_DIR_WIN}}\*.exe" -DestinationPath "${{env.ARTIFACTS_DIR_WIN}}\artifacts-${{matrix.os}}.zip" -Verbose -Force - name: Upload Artifacts - uses: actions/upload-artifact@v2 + uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1 with: name: ${{ matrix.os }}-artifacts path: ${{ env.ARTIFACTS_DIR }}/artifacts-${{matrix.os}}.zip 
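Review bot: Three of the pins in this and the following hunk carry a `# master` annotation instead of a release tag (`ammaraskar/msvc-problem-matcher`, `ammaraskar/gcc-problem-matcher`, `seanmiddleditch/gha-setup-ninja`), so there is no upstream release to compare against when Dependabot proposes a new SHA — each bump is an arbitrary commit on a third party's default branch. The SHA pin gives reproducibility, which is the right direction, but not a reviewed version; treat those Dependabot PRs as third-party code review, or pin to a tagged release where the project offers one and update the comment to that tag. If no tags exist, a comment such as `# master, pinned 2023-10-25 — review diff before bumping` on each line records that expectation for the next maintainer.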
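Review bot: In the last hunk, `actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1` locks this step on an older major while msvc.yml in the same patch is pinned to `v3.1.3`, so the repository now carries two majors of the same action; the `@v2` tag would at least have floated to later v2.x releases, whereas the SHA freezes v2.3.1 until Dependabot bumps it. I would take the bump as part of this change to keep one major repo-wide: `uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3`, and move the release job's `download-artifact` v2.1.1 pin to the matching v3 release so upload and download stay paired. The job this step belongs to begins outside the hunk.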
@@ -192,11 +192,11 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # download the artifacts - name: "Download artifacts" - uses: "actions/download-artifact@v2" + uses: "actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1" with: path: ${{ github.workspace }}/artifacts @@ -217,7 +217,7 @@ jobs: # create a release - name: "Create GitHub Release" - uses: "actions/github-script@v6" + uses: "actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1" with: github-token: "${{ secrets.GITHUB_TOKEN }}" script: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 7995f0ff..d2521128 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -21,6 +21,9 @@ env: VCPKG_ROOT: ${{ github.workspace }}/vcpkg VCPKG_BINARY_SOURCES: 'clear;x-gha,readwrite' +permissions: + contents: read + jobs: analyze: name: CodeQL-Security-Scan @@ -40,11 +43,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: languages: ${{ matrix.language }} config-file: ${{ github.workspace }}/.github/codeql/codeql-config.yml @@ -55,11 +58,11 @@ jobs: "${{env.VCPKG_ROOT}}/bootstrap-vcpkg.sh" - name: Install Ninja - uses: seanmiddleditch/gha-setup-ninja@master + uses: seanmiddleditch/gha-setup-ninja@8b297075da4cd2a5f1fd21fe011b499edf06e9d2 # master # Export vcpkg Cache Variables - name : Export vcpkg Cache Variables - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || ''); 
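Review bot: In the two quoted `uses:` values of the release job, `"actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1"` and `"actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1"`, the ` # vX.Y.Z` sits inside the double quotes and is therefore part of the action reference rather than a YAML comment, so the runner is asked to resolve a ref containing a space and a `#` — that will most likely fail at workflow resolution time rather than run the pinned commit. Drop the quotes so the annotation becomes a real comment: `uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1` and `uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1`, matching the unquoted form used everywhere else in the patch. Separately, this workflow receives pins but no `permissions:` block, unlike codeql.yml in the same patch; the release step hands `secrets.GITHUB_TOKEN` to github-script to create a release, which needs `contents: write`, so the least-privilege shape is a top-level `permissions: contents: read` with `permissions: contents: write` declared on the release job only — assuming the file does not already set permissions outside these hunks. The release job's definition begins outside the hunk.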
@@ -75,6 +78,6 @@ jobs: run: cmake --build --preset linux-release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..a5252162 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,22 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 957dc97d..56693fe4 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -18,6 +18,9 @@ env: IMAGE_NAME: ${{ github.repository }} #VCPKG_BINARY_SOURCES: 'clear;nuget,GitHub,readwrite' +permissions: + contents: read + jobs: build: name: Docker-Build-and-Publish 
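Review bot: The new dependency-review job relies entirely on the action's defaults; a `with:` block spelling out the policy (`fail-on-severity`, optionally `allow-licenses`/`deny-licenses`, and `comment-summary-in-pr`) documents what the gate actually enforces, and `comment-summary-in-pr` additionally requires `pull-requests: write` in the `permissions:` block alongside `contents: read`. As far as I know the dependency graph this action queries does not parse vcpkg manifests, so the C++ dependencies the other workflows build through vcpkg are not reviewed here; a one-line note in the header comment (`# Covers pip manifests only; vcpkg dependencies are not in the dependency graph`) would prevent that being assumed. The pin is to `v2.5.1`, an older major of the action; with Dependabot now enabled for github-actions, confirm the bump to the current major lands rather than being closed.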
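Review bot: The top-level `permissions: contents: read` added to docker-publish.yml applies to every job that does not declare its own, and the `Docker-Build-and-Publish` job publishes an image named from `github.repository` and installs cosign (per the comment in its next hunk), which needs `packages: write` and, for keyless signing, `id-token: write`. If the `build` job has no job-level `permissions:` block outside this hunk, the registry push will start failing with a 403 after this change; the fix is a job-scoped grant rather than widening the default — under `build:` add `permissions:` / `  contents: read` / `  packages: write` / `  id-token: write`. Only the `permissions` lines and the job header are visible here, so verify against the rest of the file before merging.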
@@ -32,11 +35,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # add problem matchers - name: Add Problem Matchers - uses: ammaraskar/gcc-problem-matcher@master + uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml index 2ffede42..223e0381 100644 --- a/.github/workflows/docker-scout-scan.yml +++ b/.github/workflows/docker-scout-scan.yml @@ -21,6 +21,9 @@ env: COMPARE_TAG: latest DOCKERFILE: Dockerfile_OdbDesignServer +permissions: + contents: read + jobs: build: name: Docker-Scout-Scan @@ -37,11 +40,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # add problem matchers - name: Add Problem Matchers - uses: ammaraskar/gcc-problem-matcher@master + uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master # # Install the cosign tool except on PR # # https://github.com/sigstore/cosign-installer @@ -123,7 +126,7 @@ jobs: - name: Analyze for critical and high CVEs id: docker-scout-cves # if: ${{ github.event_name != 'pull_request_target' }} - uses: docker/scout-action@v1 + uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9 with: command: cves,recommendations image: ${{ steps.meta.outputs.tags }} 
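Review bot: The top-level `permissions: contents: read` added to docker-scout-scan.yml is narrower than what the `build` job visibly does: the `Upload SARIF result` step in the next hunk uses `github/codeql-action/upload-sarif`, which requires `security-events: write`, and `docker/scout-action` on `pull_request` can only post its comparison comment with `pull-requests: write`. Unless the job already carries its own `permissions:` outside these hunks, the SARIF upload will begin failing after this change; the fix is a job-scoped block under `build:` — `permissions: { contents: read, security-events: write, pull-requests: write }` — keeping the workflow default read-only. The commented-out `# if: ${{ github.event_name != 'pull_request_target' }}` above the scout step suggests this workflow has run, or may still run, on `pull_request_target`; if that trigger remains in the `on:` block, checking out fork code with registry credentials in scope is a far larger exposure than anything the pins address and should be confirmed first.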
@@ -133,14 +136,14 @@ jobs: - name: Upload SARIF result id: upload-sarif - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: sarif_file: sarif.output.json - name: Docker Scout Compare to Latest id: docker-scout if: ${{ github.event_name == 'pull_request' }} - uses: docker/scout-action@v1 + uses: docker/scout-action@4e9ac4df44fb56797da111fce8185f7fbffd5a09 # v1.0.9 with: command: compare image: ${{ steps.meta.outputs.tags }} diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml index 7ed6f8fd..59902cd6 100644 --- a/.github/workflows/msvc.yml +++ b/.github/workflows/msvc.yml @@ -33,18 +33,18 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Export vcpkg Cache Variables - name : Export vcpkg Cache Variables - uses: actions/github-script@v6 + uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1 with: script: | core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || ''); core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || ''); - name: Setup VC Tools - uses: ilammy/msvc-dev-cmd@v1 + uses: ilammy/msvc-dev-cmd@7315a94840631165970262a99c72cfb48a65d25d # v1.12.0 - name: Patch vcpkg run: scripts/patch-vcpkg-install.ps1 @@ -73,13 +73,13 @@ jobs: # Upload SARIF file to GitHub Code Scanning Alerts - name: Upload SARIF to GitHub - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: sarif_file: ${{ steps.run-analysis.outputs.sarif }} # Upload SARIF file as an Artifact to download and view - name: Upload SARIF as an Artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: sarif-file path: ${{ steps.run-analysis.outputs.sarif }} 
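Review bot: In the msvc.yml `@@ -33` hunk the context step `core.exportVariable('ACTIONS_RUNTIME_TOKEN', …)` copies the runner's cache/artifact token into the job-wide environment, where every later step — including the third-party `ilammy/msvc-dev-cmd` now pinned directly beneath it — can read it. The export is presumably required for vcpkg's `x-gha` binary cache (codeql.yml sets `VCPKG_BINARY_SOURCES: 'clear;x-gha,readwrite'`), and since that token is not reachable from `run:` steps any other way, the practical mitigation is ordering and scope: run third-party actions before the export step where possible and keep the set of third-party actions in this job minimal. Pinning msvc-dev-cmd's SHA prevents a silent upstream change, but it does not change what the action can see; a comment on the export step, `# NOTE: exposes the runtime token to every subsequent step in this job`, would make that trade-off explicit.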
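Review bot: msvc.yml receives SHA pins but — unlike codeql.yml, docker-publish.yml and docker-scout-scan.yml in this same patch — no `permissions:` block, so the job keeps the repository's default token scope (possibly write-all) even though its only privileged need is the `Upload SARIF to GitHub` step in this hunk. If nothing outside these hunks sets permissions, add at the top of the file `permissions:` / `  contents: read` / `  security-events: write`, which is the least-privilege set for a workflow that only checks out code and uploads SARIF. The `Upload SARIF as an Artifact` step is redundant with what upload-sarif already sends to code scanning; if it exists only for debugging, a `retention-days:` value would limit how long raw analysis output lingers as a downloadable artifact.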
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 05604eb5..b5eca8bc 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -28,9 +28,9 @@ jobs: working-directory: PyOdbDesignLib steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Python - uses: actions/setup-python@v3 + uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4 with: python-version: '3.x' - name: Install dependencies
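Review bot: python-publish.yml gets only the two SHA pins and no `permissions:` block, although it is the one workflow in this patch that ships an artifact to an external registry. If the publish step below this hunk uploads with a PyPI API token from `secrets`, PyPI trusted publishing (`permissions: id-token: write` on the job, no long-lived secret) removes the most valuable credential in the repository; in any case a top-level `permissions: contents: read` should be added so the pinned actions run with a read-only token — assuming the file does not already set it. `actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4` is an older major; Dependabot, enabled for github-actions in this patch, should propose the bump, but confirm it is merged rather than auto-closed. The job's remaining steps, including the publish step itself, lie outside the hunk.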