[StepSecurity] Apply security best practices (#39)

stepsecurity-app[bot] · web-flow · commit 287acd53c416 · 2025-11-06T09:02:11.000+05:30
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Co-authored-by: stepsecurity-app[bot] &lt;188008098+stepsecurity-app[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/build-docker.yaml b/.github/workflows/build-docker.yaml
@@ -42,6 +42,11 @@ jobs:
       amd64_tags: ${{ steps.amd64_meta.outputs.tags }}
       amd64_labels: ${{ steps.amd64_meta.outputs.labels }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: docker meta
         id: meta
         uses: docker/metadata-action@v5
@@ -68,6 +73,11 @@ jobs:
   download-artifacts:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Download npm release package
         uses: actions/download-artifact@v4
         with:
@@ -116,6 +126,11 @@ jobs:
             arch: amd64
     runs-on: ${{ matrix.build-config.os }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: checkout
         uses: actions/checkout@v4
         with:
@@ -159,6 +174,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, metadata]
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: setup buildx
         uses: docker/setup-buildx-action@v3
       - name: docker login
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -31,6 +31,11 @@ jobs:
       docs: ${{ steps.filter.outputs.docs }}
       helm: ${{ steps.filter.outputs.helm }}
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@v4
       - name: Check changed files
@@ -64,6 +69,11 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 5
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
@@ -82,6 +92,11 @@ jobs:
     needs: changes
     if: needs.changes.outputs.docs == 'true'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
@@ -100,6 +115,11 @@ jobs:
     needs: changes
     if: needs.changes.outputs.helm == 'true'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: azure/setup-helm@v4
         with:
@@ -114,6 +134,11 @@ jobs:
     needs: changes
     if: needs.changes.outputs.code == 'true'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
@@ -131,6 +156,11 @@ jobs:
     needs: changes
     if: needs.changes.outputs.ci == 'true'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@v4
       - name: Check workflow files
@@ -146,6 +176,11 @@ jobs:
     needs: changes
     if: needs.changes.outputs.code == 'true'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
@@ -169,6 +204,11 @@ jobs:
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       DISABLE_V8_COMPILE_CACHE: 1
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
         with:
           submodules: true
@@ -231,6 +271,11 @@ jobs:
     needs: [changes, build]
     if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: sudo apt update && sudo apt install -y libkrb5-dev
       - uses: actions/setup-node@v4
@@ -265,6 +310,11 @@ jobs:
     needs: [changes, build]
     if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true'
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - run: sudo apt update && sudo apt install -y libkrb5-dev
       - uses: actions/setup-node@v4
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -24,6 +24,11 @@ jobs:
   npm:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code-server
         uses: actions/checkout@v4
 
@@ -60,6 +65,11 @@ jobs:
       # Ensure things are up to date
       # Suggested by homebrew maintainers
       # https://github.com/Homebrew/discussions/discussions/1532#discussioncomment-782633
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Set up Homebrew
         id: set-up-homebrew
         uses: Homebrew/actions/setup-homebrew@master
@@ -93,6 +103,11 @@ jobs:
 
     steps:
       # We need to checkout code-server so we can get the version
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code-server
         uses: actions/checkout@v4
         with:
@@ -147,6 +162,11 @@ jobs:
   docker:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code-server
         uses: actions/checkout@v4
 
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -24,6 +24,11 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@v4
         with:
@@ -45,6 +50,11 @@ jobs:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repo
         uses: actions/checkout@v4
         with:
@@ -75,6 +85,11 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@v4
 
diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml
@@ -47,6 +47,11 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v4
 
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Base image
-FROM ubuntu:22.04
+FROM ubuntu:22.04@sha256:09506232a8004baa32c47d68f1e5c307d648fdd59f5e7eaa42aaf87914100db3
 
 # Set build arguments for version and architecture
 ARG VERSION=v0.4.0
