Update permissions and dependencies in test-fs-action-sarif.yaml and test-fs-action.yaml

.github/workflows/test-fs-action-sarif.yaml

@@ -3,31 +3,34 @@ name: Test Orca FS action - Sarif
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   fs_scan_job:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Scan FS
         id: orcasecurity_fs_scan
         uses: ./
         with:
-          api_token:
-            ${{ secrets.ORCA_SECURITY_API_TOKEN }}
-          project_key:
-            "default"
-          path:
-            "test"
-          format:
-            "sarif"
-          output:
-            "results/"
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          project_key: "default"
+          path: "test"
+          format: "sarif"
+          output: "results/"
           console_output: "table"
-
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # ratchet:github/codeql-action/upload-sarif@v2
         if: ${{ always() && steps.orcasecurity_fs_scan.outputs.exit_code != 1 }}
         with:
-          sarif_file: results/file_system.sarif
+          sarif_file: results/file_system.sarif
+
+
+
+
+

.github/workflows/test-fs-action.yaml

@@ -3,27 +3,30 @@ name: Test Orca FS action
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   fs_scan_job:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
       - name: Scan FS
         uses: ./
         with:
-          api_token:
-            ${{ secrets.ORCA_SECURITY_API_TOKEN }}
-          project_key:
-            "default"
-          path:
-            "test"
-          format:
-            "json"
-          output:
-            "results/"
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          project_key: "default"
+          path: "test"
+          format: "json"
+          output: "results/"
           console_output: "table"
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # ratchet:actions/upload-artifact@v3
         if: always()
         with:
           name: orca-results
           path: results/
+
+
+
+
+

SECURITY.md

@@ -0,0 +1,20 @@
+
+## Reporting a Vulnerability
+
+At Orca, we take security seriously and appreciate your help in disclosing any vulnerabilities responsibly and privately.
+
+To report a security issue, please email us at address `[email protected]`
+
+---
+**Important:**
+
+   1. Please **do not** create a Github issue for security vulnerabilities.
+   2. Please **do not** disclose the vulnerability publicly until we have addressed it and provided guidance on the disclosure.
+   3. Please include the following details in your report:
+         - Description of the vulnerability
+         - Steps to reproduce the vulnerability
+         - Any additional information or context that might be helpful
+
+---
+
+> Submission of reports by any means is subject to Orca's [Vulnerability Disclosure Policy](https://trustcenter.orca.security/?itemUid=ff1626be-71c0-4468-b93c-82fe08aac01f&source=documents_card). Please make sure to read and accept before submitting your report.