From 384ce5261d92aeed44828c5dbd1deb7f41d502c0 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 27 Apr 2023 10:51:42 -0700
Subject: [PATCH] ci: [StepSecurity] Apply security best practices (#870)
Signed-off-by: StepSecurity Bot
Co-authored-by: Anish Ramasekar
---
 .github/dependabot.yml | 141 ++++++++++++++++++
 .github/workflows/azwi-build.yaml | 12 +-
 .github/workflows/azwi-e2e.yaml | 20 ++-
 .github/workflows/chart.yaml | 9 +-
 .github/workflows/codecov.yaml | 9 +-
 .github/workflows/codeql.yaml | 5 +
 .../create-release-pull-request.yaml | 11 +-
 .github/workflows/create-release.yaml | 11 +-
 .github/workflows/dependency-review.yml | 27 ++++
 .github/workflows/markdown-link-check.yaml | 9 +-
 .github/workflows/publish-images.yaml | 21 ++-
 .github/workflows/scorecards.yml | 76 ++++++++++
 .github/workflows/website.yaml | 9 +-
 13 files changed, 336 insertions(+), 24 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .github/workflows/scorecards.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e77a3646d..b63f7b803 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -34,3 +34,144 @@ updates:
 update-types:
 - "version-update:semver-major"
 - "version-update:semver-minor"
+
+
+ - package-ecosystem: docker
+ directory: /examples/azure-identity/dotnet
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: nuget
+ directory: /examples/azure-identity/dotnet
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/azure-identity/go
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: gomod
+ directory: /examples/azure-identity/go
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/azure-identity/java
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/azure-identity/node
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: npm
+ directory: /examples/azure-identity/node
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/azure-identity/python
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: pip
+ directory: /examples/azure-identity/python
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/msal-go
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: gomod
+ directory: /examples/msal-go
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/msal-java
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/msal-net/akvdotnet
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: nuget
+ directory: /examples/msal-net/akvdotnet
+ schedule:
+ interval:
daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/msal-node
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: npm
+ directory: /examples/msal-node
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: docker
+ directory: /examples/msal-python
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: pip
+ directory: /examples/msal-python
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: maven
+ directory: /examples/azure-identity/java
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
+
+ - package-ecosystem: maven
+ directory: /examples/msal-java
+ schedule:
+ interval: daily
+ commit-message:
+ prefix: "chore"
diff --git a/.github/workflows/azwi-build.yaml b/.github/workflows/azwi-build.yaml
index 69e60f0b5..891f0082c 100644
--- a/.github/workflows/azwi-build.yaml
+++ b/.github/workflows/azwi-build.yaml
@@ -12,6 +12,9 @@ on:
 - docs/**
 - README.md
+permissions:
+ contents: read
+
 jobs:
 azwi_build:
 strategy:
@@ -21,11 +24,16 @@ jobs:
 env: [ubuntu-20.04, macos-11]
 runs-on: ${{ matrix.env }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: "1.20"
 - name: Build azwi
diff --git a/.github/workflows/azwi-e2e.yaml b/.github/workflows/azwi-e2e.yaml
index fda9b52c9..641ead81e 100644
--- a/.github/workflows/azwi-e2e.yaml
+++ b/.github/workflows/azwi-e2e.yaml
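Review bot: The two `maven` entries are appended after the msal-python block instead of sitting beside the `docker` entries for the same directories (`/examples/azure-identity/java` and `/examples/msal-java`), which breaks the per-directory grouping the rest of the hunk follows. Moving each next to its sibling keeps the file scannable and makes a missing ecosystem for a directory easy to spot. The hunk starts on the previous line and its indentation has been collapsed here, so the exact nesting under `updates:` cannot be checked from this view.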
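Review bot: Every new Harden Runner step uses `egress-policy: audit`, which only records outbound connections and blocks nothing, so the runner hardening the commit title describes is not yet enforced; the same applies to the harden-runner steps added in azwi-e2e, chart, codecov, codeql, create-release-pull-request, create-release, dependency-review, markdown-link-check, publish-images, scorecards and website. Audit mode is the right first step, but a follow-up should review the recorded endpoints and move to `egress-policy: block` with an `allowed-endpoints:` list, starting with read-only jobs such as this build. A comment like `# TODO: switch to egress-policy: block once the audit baseline has been reviewed` on the step would record that intent in the workflow itself.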
@@ -26,11 +26,16 @@ jobs:
 env: [ubuntu-20.04]
 runs-on: ${{ matrix.env }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: "1.20"
 - name: Azure CLI
@@ -51,7 +56,7 @@ jobs:
 make kind-create
 - name: Build azwi
 run: make bin/azwi
- - uses: azure/login@v1.4.6
+ - uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.6
 with:
 client-id: ${{ env.AZURE_CLIENT_ID }}
 tenant-id: ${{ env.AZURE_TENANT_ID }}
@@ -99,11 +104,16 @@ jobs:
 env: [ubuntu-20.04, macos-11]
 runs-on: ${{ matrix.env }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 fetch-depth: 0
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: "1.20"
 - name: Build azwi
diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml
index 3305aacbe..862a3d8b0 100644
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@@ -15,12 +15,17 @@ jobs:
 deploy:
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 submodules: true
 fetch-depth: 0
 - name: Publish Helm chart
- uses: stefanprodan/helm-gh-pages@v1.7.0
+ uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 charts_dir: charts
diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml
index 02ee229c3..92fb13895 100644
--- a/.github/workflows/codecov.yaml
+++ b/.github/workflows/codecov.yaml
@@ -13,8 +13,13 @@ jobs:
 codecov:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-go@v4
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: "^1.20"
 - name: Run tests
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index f47a47b63..83cfd2f21 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -20,6 +20,11 @@ jobs:
 security-events: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
diff --git a/.github/workflows/create-release-pull-request.yaml b/.github/workflows/create-release-pull-request.yaml
index ba33ac33c..782658cff 100644
--- a/.github/workflows/create-release-pull-request.yaml
+++ b/.github/workflows/create-release-pull-request.yaml
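Review bot: The `deploy` job publishes with `token: ${{ secrets.GITHUB_TOKEN }}` but the hunk adds no `permissions:` block, so unless the file already declares one above line 15 (not visible here) the job keeps the repository's default token scope; the same holds for the `website.yaml` deploy job and for the `publish-images.yaml` jobs that log in to ghcr.io with the same token. The commit adds `permissions: contents: read` only to azwi-build.yaml, so the token hardening is uneven across the workflows it touches. A job-level block naming just what the publishing step needs (presumably `permissions:` / `contents: write` for a Pages publish, and `packages: write` for the image push) would scope the token the way the new scorecards.yml does.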
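Review bot: The re-pinned checkout step in this hunk leaves `persist-credentials` at its default, so the job token stays in `.git/config` for the rest of a job that, as far as the hunk shows, only runs tests; the same applies to the checkout steps in azwi-build, codeql, markdown-link-check and the new dependency-review workflow, none of which push back to the repository in the visible lines. Adding `persist-credentials: false` under `with:` on those steps, as the new scorecards.yml already does, removes a credential the later steps do not need. Jobs that do publish (chart, website) pass the token to their publishing action explicitly, so the same setting is worth checking there too, though their later steps are outside these hunks.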
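Review bot: The checkout in this hunk stays at `actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b` with no version comment, while every other workflow in the commit is moved to `actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2`; the pin itself is fine for integrity, but two checkout revisions now have to be tracked, and without the `# vX.Y.Z` trailer neither Dependabot nor a reader can tell which release this SHA corresponds to. Bringing it in line with the others, `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2`, keeps a single checkout revision across the repository. Any `with:` block for this step is outside the hunk.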
@@ -18,16 +18,21 @@ jobs:
 create-release-pull-request:
 runs-on: ubuntu-20.04
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - name: validate version
 run: |
 echo "${{ github.event.inputs.release_version }}" | grep -E 'v[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]+|-beta\.[0-9]+|-rc\.[0-9]+)?$'
 echo "${{ github.event.inputs.based_on_branch }}" | grep -E '^(main|release-[0-9]+\.[0-9]+)$'
- - uses: actions/checkout@v3
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 submodules: true
 fetch-depth: 0
 ref: "${{ github.event.inputs.based_on_branch }}"
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: "1.20"
 - run: make release-manifest
@@ -35,7 +40,7 @@ jobs:
 NEW_VERSION: "${{ github.event.inputs.release_version }}"
 - run: make promote-staging-manifest
 - name: Create release pull request
- uses: peter-evans/create-pull-request@v5
+ uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 # v5.0.0
 with:
 commit-message: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}"
 title: "release: update manifest and helm charts for ${{ github.event.inputs.release_version }}"
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
index 0ff13799f..3642c1583 100644
--- a/.github/workflows/create-release.yaml
+++ b/.github/workflows/create-release.yaml
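Review bot: The `validate version` step that now follows Harden Runner interpolates `${{ github.event.inputs.release_version }}` and `${{ github.event.inputs.based_on_branch }}` directly into the shell script, so the values are expanded into the command text before the grep validation ever runs, and this hardening pass leaves that expression-in-`run:` pattern untouched. Passing both inputs through `env:` and reading them as `"$RELEASE_VERSION"` / `"$BASED_ON_BRANCH"` keeps the data out of the script text, and the first pattern should be anchored with `^` like the second one so a value with a leading prefix (a constructed example: `xv1.2.3`) is not accepted. The inputs come from workflow_dispatch, so whoever supplies them can already run the workflow and the exposure is smaller than for PR-derived data, but the env form costs nothing. The `ref:` line later in the hunk uses the same expression as a plain YAML value rather than shell text, which is fine.
```yaml
      - name: validate version
        env:
          RELEASE_VERSION: ${{ github.event.inputs.release_version }}
          BASED_ON_BRANCH: ${{ github.event.inputs.based_on_branch }}
        run: |
          echo "$RELEASE_VERSION" | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+(-alpha\.[0-9]+|-beta\.[0-9]+|-rc\.[0-9]+)?$'
          echo "$BASED_ON_BRANCH" | grep -E '^(main|release-[0-9]+\.[0-9]+)$'
      # … unchanged: checkout, setup-go and the release-manifest steps …
```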
@@ -15,11 +15,16 @@ jobs:
 if: github.event.pull_request.merged == true && contains(github.event.pull_request.title, 'update manifest and helm charts')
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 submodules: true
 fetch-depth: 0
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
 with:
 go-version: "1.20"
 - id: get-tag
@@ -29,7 +34,7 @@ jobs:
 run: |
 git tag ${{ steps.get-tag.outputs.tag }}
 - name: Goreleaser
- uses: goreleaser/goreleaser-action@v4
+ uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
 with:
 version: latest
 args: release --rm-dist --timeout 150m --debug
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..03d51f226
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/markdown-link-check.yaml b/.github/workflows/markdown-link-check.yaml
index 2e338f8fb..966e720c1 100644
--- a/.github/workflows/markdown-link-check.yaml
+++ b/.github/workflows/markdown-link-check.yaml
@@ -17,8 +17,13 @@ jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
 with:
 # this will only show errors in the output
 use-quiet-mode: 'yes'
diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml
index cd8b24a8e..14f424111 100644
--- a/.github/workflows/publish-images.yaml
+++ b/.github/workflows/publish-images.yaml
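Review bot: The new pin `gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1` carries a floating major tag in its comment, while every other pin in the commit records an exact release, so a reader cannot tell which release this SHA is and Dependabot's comment-based tracking will keep reporting it as `v1`. Replace the trailer with the exact release tag the SHA resolves to (it has to be looked up in the action's tags; it is not recoverable from this diff). The `use-quiet-mode: 'yes'` value below is correctly quoted, since the action expects a string there rather than a YAML boolean.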
@@ -15,6 +15,11 @@ jobs:
 outputs:
 registry: ${{ steps.export.outputs.registry }}
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
 - id: export
 run: |
 # registry must be in lowercase
@@ -30,7 +35,12 @@ jobs:
 image: [webhook, proxy, proxy-init]
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 submodules: true
 fetch-depth: 0
@@ -57,7 +67,12 @@ jobs:
 dir: [examples/msal-go, examples/msal-net/akvdotnet, examples/msal-node, examples/msal-python, examples/msal-java]
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 submodules: true
 fetch-depth: 0
@@ -67,7 +82,7 @@ jobs:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
- - uses: nick-invision/retry@v2
+ - uses: nick-invision/retry@943e742917ac94714d2f408a0e8320f2d1fcafcd # v2.8.3
 with:
 timeout_minutes: 20
 max_attempts: 3
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 000000000..cc6b10a05
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@8662eabe0e9f338a07350b7fd050732745f93848 # v2.3.1
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
index d9f3d60ee..1c948189b 100644
--- a/.github/workflows/website.yaml
+++ b/.github/workflows/website.yaml
@@ -15,7 +15,12 @@ jobs:
 deploy:
 runs-on: ubuntu-20.04
 steps:
- - uses: actions/checkout@v3
+ - name: Harden Runner
+ uses: step-security/harden-runner@6b3083af2869dc3314a0257a42f4af696cc79ba3 # v2.3.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
 with:
 submodules: true
 fetch-depth: 0
@@ -27,7 +32,7 @@ jobs:
 - name: Build
 run: make -C docs/book build
 - name: Deploy
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3.9.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./docs/book/book