diff --git a/.github/workflows/test-secrets-action-sarif.yaml b/.github/workflows/test-secrets-action-sarif.yaml
index 28e6f04..6808419 100644
--- a/.github/workflows/test-secrets-action-sarif.yaml
+++ b/.github/workflows/test-secrets-action-sarif.yaml
@@ -2,30 +2,33 @@ name: Test Orca Secrets action - Sarif
 on: [push, pull_request]
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 secrets_scan_job:
 runs-on: ubuntu-latest
 permissions:
 security-events: write
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
 with:
 fetch-depth: 0
 - name: Scan Secrets
 id: orcasecurity_secrets_scan
 uses: ./
 with:
- api_token:
- ${{ secrets.ORCA_SECURITY_API_TOKEN }}
- project_key:
- "default"
- format:
- "sarif"
- output:
- "results/"
+ api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+ project_key: "default"
+ format: "sarif"
+ output: "results/"
 console_output: "table"
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # ratchet:github/codeql-action/upload-sarif@v2
 if: ${{ always() && steps.orcasecurity_secrets_scan.outputs.exit_code != 1 }}
 with:
- sarif_file: results/secrets.sarif
\ No newline at end of file
+ sarif_file: results/secrets.sarif
+
+
+
diff --git a/.github/workflows/test-secrets-action.yaml b/.github/workflows/test-secrets-action.yaml
index 3933bc6..c37d2f5 100644
--- a/.github/workflows/test-secrets-action.yaml
+++ b/.github/workflows/test-secrets-action.yaml
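Review bot: The job-level `permissions:` block kept as context under `secrets_scan_job` still overrides the workflow-level block added at the top of the hunk, so the new `contents: read` is inert for this job — GitHub applies a job-level block in place of the workflow-level one and sets every scope it omits to `none`. Either drop the job-level block so the workflow-level grant applies, or complete it: `permissions:` / `  contents: read` / `  security-events: write`. On the upload step, `if: ${{ always() && … }}` also fires after a cancelled run; `if: ${{ !cancelled() && steps.orcasecurity_secrets_scan.outputs.exit_code != 1 }}` keeps the exit-code guard without that. The three trailing `+` blank lines at the end of this file (and the one ending test-secrets-action.yaml in the next hunk) exceed yamllint's default empty-lines limit; a single final newline is enough.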
@@ -2,21 +2,23 @@ name: Test Orca Secrets action
 on: [push, pull_request, workflow_dispatch]
+permissions:
+ contents: read
+
 jobs:
 secrets_scan_job:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
 with:
 fetch-depth: 0
-
+
 - name: Scan Secrets
 id: orcasecurity
 uses: ./
 with:
- api_token:
- ${{ secrets.ORCA_SECURITY_API_TOKEN }}
- project_key:
- "default"
- console_output: "table"
\ No newline at end of file
+ api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+ project_key: "default"
+ console_output: "table"
+
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..6e0e2b2
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,20 @@
+
+## Reporting a Vulnerability
+
+At Orca, we take security seriously and appreciate your help in disclosing any vulnerabilities responsibly and privately.
+
+To report a security issue, please email us at address `disclosure@orca.security`
+
+---
+**Important:**
+
+ 1. Please **do not** create a Github issue for security vulnerabilities.
+ 2. Please **do not** disclose the vulnerability publicly until we have addressed it and provided guidance on the disclosure.
+ 3. Please include the following details in your report:
+ - Description of the vulnerability
+ - Steps to reproduce the vulnerability
+ - Any additional information or context that might be helpful
+
+---
+
+> Submission of reports by any means is subject to Orca's [Vulnerability Disclosure Policy](https://trustcenter.orca.security/?itemUid=ff1626be-71c0-4468-b93c-82fe08aac01f&source=documents_card). Please make sure to read and accept before submitting your report.