CI: [StepSecurity] Apply security best practices to github actions (#…

…3031) * [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> * fix: Disable dependabot scans on /test * ci: Add comment explaining why scans are disabled. --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Terri Oda <terri.oda@intel.com>
intel · May 24, 2023 · c89934b · c89934b
1 parent b2040f8
commit c89934b
Show file tree

Hide file tree

Showing 16 changed files with 211 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,3 +7,41 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: pip
+    directory: /doc
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+
+# Scanning is disabled for files in /test/ to avoid false positives.
+# These files are used for testing; vulnerable code is never installed or used.
+
+  - package-ecosystem: cargo
+    directory: /test/language_data
+    schedule:
+      interval: never
+
+  - package-ecosystem: bundler
+    directory: /test/language_data
+    schedule:
+      interval: never
+
+  - package-ecosystem: gomod
+    directory: /test/language_data
+    schedule:
+      interval: never
+
+  - package-ecosystem: pip
+    directory: /test/language_data
+    schedule:
+      interval: never
+
+  - package-ecosystem: maven
+    directory: /test/language_data
+    schedule:
+      interval: never
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '38 0 * * 4'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -38,6 +41,11 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@v3
 

diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
@@ -10,6 +10,11 @@ jobs:
   coverity:
     runs-on: ubuntu-22.04
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@v3
     - uses: vapier/coverity-scan-action@v1
       with:

diff --git a/.github/workflows/cve_scan.yml b/.github/workflows/cve_scan.yml
@@ -5,12 +5,20 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   cve_scan:
     name: CVE scan on dependencies
     runs-on: ubuntu-22.04
     timeout-minutes: 10
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, 
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/export_data.yml b/.github/workflows/export_data.yml
@@ -14,11 +14,22 @@ env:
   NO_EXIT_CVE_NUM: 1
   nvd_api_key: ${{ secrets.NVD_API_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-22.04
 
     steps: 
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
 
       - uses: actions/setup-python@v4

diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
@@ -7,11 +7,22 @@ on:
     paths:
       - 'cve_bin_tool/checkers/__init__.py'
 
+permissions:
+  contents: read
+
 jobs:
   formatting:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update checkers table
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -5,6 +5,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   linting:
     name: Linting
@@ -14,6 +17,11 @@ jobs:
       matrix:
         tool: ['isort', 'black', 'pyupgrade', 'flake8', 'bandit', 'gitlint', 'mypy']
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -6,14 +6,25 @@ on:
     # Runs at 02:00 UTC every Monday
     - cron: '2 0 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   sbom_gen:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Generate SBOM
     runs-on: ubuntu-22.04
     strategy:
       matrix:
         python: ['3.7', '3.8', '3.9', '3.10', '3.11']
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -21,6 +21,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:

diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
@@ -1,6 +1,9 @@
 name: Spell checking
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   spelling:
     name: Spell checking
@@ -10,6 +13,11 @@ jobs:
       actions: read
     runs-on: ubuntu-22.04
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@v3
     - uses: check-spelling/check-spelling@v0.0.21
       with:

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -25,6 +25,11 @@ jobs:
     name: Documentation
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -50,6 +55,11 @@ jobs:
         python: ['3.7', '3.8', '3.9', '3.11']
     timeout-minutes: 30
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -115,6 +125,11 @@ jobs:
     env:
       LONG_TESTS: 1
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -207,6 +222,11 @@ jobs:
     env:
       EXTERNAL_SYSTEM: 1
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -297,6 +317,11 @@ jobs:
       NO_EXIT_CVE_NUM: 1
       PYTHONIOENCODING: 'utf8'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:
@@ -362,6 +387,11 @@ jobs:
       NO_EXIT_CVE_NUM: 1
       PYTHONIOENCODING: 'utf8'
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/update-cache.yml b/.github/workflows/update-cache.yml
@@ -11,13 +11,21 @@ env:
   NO_EXIT_CVE_NUM: 1
   nvd_api_key: ${{ secrets.NVD_API_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     if: github.repository == 'intel/cve-bin-tool'
     name: Update linux cached database
     runs-on: ubuntu-20.04
     timeout-minutes: 20
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: actions/setup-python@v4
         with:

diff --git a/.github/workflows/update-js-dependencies.yml b/.github/workflows/update-js-dependencies.yml
@@ -10,11 +10,22 @@ on:
   # Allows you to run this workflow manually
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-20.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
 
       - uses: actions/setup-python@v4

diff --git a/.github/workflows/update-pre-commit.yml b/.github/workflows/update-pre-commit.yml
@@ -10,11 +10,22 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     runs-on: ubuntu-20.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
 
       - uses: actions/setup-python@v4