From a6ca77cb042e78cc9285eac3ddb5bdcdcddbfdd4 Mon Sep 17 00:00:00 2001 From: Step Security Date: Mon, 15 Aug 2022 22:53:09 +0000 Subject: [PATCH 1/7] [StepSecurity] Remediate token permission, and unpinned dependencies security issues in .github/workflows/canary.yml --- .github/workflows/canary.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 2e2ac9f..44b8dea 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -12,6 +12,9 @@ defaults: run: shell: pwsh +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: update_tag: name: Update the rc tag to ${{ github.event.inputs.COMMIT_SHA }} commit @@ -33,7 +36,7 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest env: PAT: ${{ secrets.PAT }} canary: true From cfea24e28f15ab57d9ce29404ef856d376b8afb9 Mon Sep 17 00:00:00 2001 From: Step Security Date: Mon, 15 Aug 2022 22:53:10 +0000 Subject: [PATCH 2/7] [StepSecurity] Remediate token permission, missing harden runner, and unpinned dependencies security issues in .github/workflows/codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6ea6456..c6c9640 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -20,6 +20,9 @@ on: schedule: - cron: '17 0 * * 2' +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: analyze: name: Analyze @@ -37,12 +40,17 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@bec8c2936a0da74f16c19cedb1e9efb2b53a7e7b with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -53,7 +61,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@bec8c2936a0da74f16c19cedb1e9efb2b53a7e7b # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -67,4 +75,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@bec8c2936a0da74f16c19cedb1e9efb2b53a7e7b From f5669ff9f5327be680b49914e4fa38b69a8de88b Mon Sep 17 00:00:00 2001 From: Step Security Date: Mon, 15 Aug 2022 22:53:11 +0000 Subject: [PATCH 3/7] [StepSecurity] Remediate missing harden runner security issue in .github/workflows/recurring-int-tests.yml --- .github/workflows/recurring-int-tests.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml index c268cc9..b4ea589 100644 --- a/.github/workflows/recurring-int-tests.yml +++ b/.github/workflows/recurring-int-tests.yml @@ -12,8 +12,13 @@ jobs: name: int tests runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest env: PAT: ${{ secrets.PAT }} canary: true From a7fde9d1ba26574fe1a067b15ebf0714de085946 Mon Sep 17 00:00:00 2001 From: Step Security Date: Mon, 15 Aug 2022 22:53:12 +0000 Subject: [PATCH 4/7] [StepSecurity] Remediate token permission, and unpinned dependencies security issues in .github/workflows/release.yml --- .github/workflows/release.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c6d445f..069d2af 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,6 +12,9 @@ defaults: run: shell: pwsh +permissions: # added using https://github.com/step-security/secure-workflows + contents: read + jobs: update_tag: name: Update the major tag to include the ${{ github.event.inputs.TAG_NAME || github.event.release.tag_name }} changes @@ -28,7 +31,7 @@ jobs: api.github.com:443 github.com:443 - - uses: actions/checkout@v2 + - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf - name: Update the rc tag uses: step-security/publish-action@b438f840875fdcb7d1de4fc3d1d30e86cf6acb5d with: @@ -36,7 +39,7 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int:latest + uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest env: PAT: ${{ secrets.PAT }} canary: true From ba56fe691f56f6d6f2cbee21b8d57b85e3e3db6c Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 15 Aug 2022 15:55:40 -0700 Subject: [PATCH 5/7] Update canary.yml --- .github/workflows/canary.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index 44b8dea..de983a1 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -36,7 +36,7 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest + uses: docker://ghcr.io/step-security/integration-test/int:latest env: PAT: ${{ secrets.PAT }} canary: true From 0f1dfc730b9fdf3ef13515596d3f0df8d4b78db9 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 15 Aug 2022 15:56:10 -0700 Subject: [PATCH 6/7] Update recurring-int-tests.yml --- .github/workflows/recurring-int-tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/recurring-int-tests.yml b/.github/workflows/recurring-int-tests.yml index b4ea589..4a5e07c 100644 --- a/.github/workflows/recurring-int-tests.yml +++ b/.github/workflows/recurring-int-tests.yml @@ -18,7 +18,7 @@ jobs: egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest + uses: docker://ghcr.io/step-security/integration-test/int:latest env: PAT: ${{ secrets.PAT }} canary: true From 5d89b388bbeef8625cba5d94a5e03d8521a006b0 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 15 Aug 2022 15:56:45 -0700 Subject: [PATCH 7/7] Update release.yml --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 069d2af..08f5e2e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -39,7 +39,7 @@ jobs: rc: true - name: Canary test - uses: docker://ghcr.io/step-security/integration-test/int@sha256:a0e71f0f02a1298be8e34914f4d28df8e43275e63921faa4ee629822b376bd02 # latest + uses: docker://ghcr.io/step-security/integration-test/int:latest env: PAT: ${{ secrets.PAT }} canary: true