-
Notifications
You must be signed in to change notification settings - Fork 148
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[StepSecurity] Apply security best practices #1010
base: main
Are you sure you want to change the base?
[StepSecurity] Apply security best practices #1010
Conversation
Signed-off-by: StepSecurity Bot <[email protected]>
Codecov ReportAll modified lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #1010 +/- ##
=======================================
Coverage 96.44% 96.44%
=======================================
Files 28 28
Lines 2139 2139
=======================================
Hits 2063 2063
Misses 76 76 ☔ View full report in Codecov by Sentry. |
@@ -14,12 +14,12 @@ jobs: | |||
|
|||
steps: | |||
- name: Checkout code | |||
uses: actions/checkout@v4 | |||
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This imo is like pinning deps in package.json; not worth the trouble. We won’t get bugfixes and whatnot automatically by doing this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless this bot also sends PRs (or some other bot does). Seems very noisy, tho...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
dependabot works with pinned actions too. We're extensively using it already on nodejs/core. See: nodejs/security-wg#1126
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It does indeed, but that makes it very noisy. I don’t think it’s worth it, especially from official Github actions.
Summary
This pull request is created by Secure Repo at the request of @RafaelGSS. Please merge the Pull Request to incorporate the requested changes. Please tag @RafaelGSS on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.
Refs: nodejs/security-wg#859
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Feedback
For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot [email protected]