From 7a027eee3096127dd277d48c12cd6f77321e6903 Mon Sep 17 00:00:00 2001
From: Bernardo Codesido
Date: Wed, 14 Aug 2024 17:07:55 -0300
Subject: [PATCH 1/8] Add OSSF Scorecard
---
.github/workflows/scorecard.yml | 44 +++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..18f43fc8
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,44 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '33 2 * * 2'
+ push:
+ branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ with:
+ sarif_file: results.sarif
\ No newline at end of file
From 287e8d74e4e15fa08c7caae06184109e2684f008 Mon Sep 17 00:00:00 2001
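Review bot: The pins in this workflow lag the same actions elsewhere in the series — `actions/checkout` is at `# v4.1.1` while dependency-review.yml, codeql.yml and ci.yml pin `# v4.1.7`, and `github/codeql-action/upload-sarif` is on the v3 line (`# v3.24.9`) while codeql.yml pins its init/autobuild/analyze steps to a SHA labelled `# v2.26.0`, so SARIF produced by one major version of the CodeQL action is uploaded by another. One SHA per action across all workflows is easier to audit and gives the `github-actions` Dependabot entry added later in this series a single pin to bump; use `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` here and settle codeql.yml on the same v3 line as this upload-sarif pin. `actions/upload-artifact` is also on the v3 line (`# v3.pre.node20`); the v3 artifact actions have a deprecation scheduled upstream (worth confirming against the current notice), so this scheduled job should move to a v4 SHA before it starts failing. The `persist-credentials: false` on the checkout is the right pattern and the other checkouts in this series should copy it.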
From: Bernardo Codesido
Date: Wed, 14 Aug 2024 17:13:14 -0300
Subject: [PATCH 2/8] Add Dependabot config
---
.github/dependabot.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..fc2971e0
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,19 @@
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ # Maintain dependencies for Docker
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
+
+ # Maintain dependencies for npm and yarn
+ - package-ecosystem: npm
+ directory: /
+ schedule:
+ interval: daily
From b450c585ca3459584fba36fcee868460b51b9dda Mon Sep 17 00:00:00 2001
From: Bernardo Codesido
Date: Wed, 14 Aug 2024 17:19:21 -0300
Subject: [PATCH 3/8] Add SECURITY.md file
---
SECURITY.md | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..c3a8c923
--- /dev/null
+++ b/SECURITY.md
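Review bot: The `docker` entry's `directory: /` does not cover the image this series actually pins — the only Dockerfile shown is `container-action/Dockerfile` (patch 7 pins `ubuntu:24.04@sha256:…` there, and ci.yml builds with `context: container-action/`), and Dependabot's docker ecosystem scans only the configured directory, not its subdirectories. As written, that digest pin will never receive an update PR and the base image will silently age. Change it to `directory: /container-action` (or add a second `docker` entry if a root Dockerfile also exists). The `npm` entry's `directory: /` likewise assumes a root `package.json` that nothing in this series shows; verify the path, otherwise Dependabot will report a missing manifest for it.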
@@ -0,0 +1,27 @@
+# Reporting Security Issues
+
+The Rootstock team and community take security bugs in rootstock seriously. Beside this project is out of our Bug Bounty Program scope, we appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+
+## Responsible Disclosure
+
+For all security related issues, XXX has two main points of contact. Reach us at or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/rootstock-integration-tests/security/advisories/new) tab.
+
+The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/rootstock-integration-tests/issues).
+
+## Vulnerability Handling
+
+### Response Time
+
+RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities:
+
+* Time to first response (from report submit) - 5 business days
+* Time to triage (from report submit) - 7 business days
+
+We’ll try to keep you informed about our progress throughout the process.
+
+### Disclose Policy
+
+Follow our [disclosure guidelines](https://www.rootstocklabs.com/bounty-program/).
\ No newline at end of file
From 629a32d85cec4ac4a0ad319eddab8303f2b7bcf1 Mon Sep 17 00:00:00 2001
From: Bernardo Codesido
Date: Wed, 14 Aug 2024 17:20:56 -0300
Subject: [PATCH 4/8] Add dependency-review action
---
.github/workflows/dependency-review.yml | 14 ++++++++++++++
1 file changed, 14 insertions(+)
create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..e5249d4e
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
\ No newline at end of file
From c220552e88703cf20aef9b8616a3d115ce61113b Mon Sep 17 00:00:00 2001
From: Bernardo Codesido
Date: Wed, 14 Aug 2024 17:29:08 -0300
Subject: [PATCH 5/8] Configure CodeQL scanning
---
.github/workflows/codeql.yml | 48 ++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..c19daea9
--- /dev/null
+++ b/.github/workflows/codeql.yml
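Review bot: The checkout step omits `persist-credentials: false`, so the job's `GITHUB_TOKEN` stays in `.git/config` for the dependency-review step and anything it spawns; the scorecard.yml checkout in this series sets it, and the two should match. With only `contents: read` granted the exposure is limited, but this is the file later workflows will copy, so add `with:` / `persist-credentials: false` under the checkout. The review action also runs entirely on its defaults (built-in severity threshold, no `deny-licenses`/`allow-licenses`); if a particular severity gate or license policy is intended for PRs, state it under `with:` so the check is explicit rather than inherited from whatever the action's current default happens to be.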
@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master", main" ]
+ pull_request:
+ branches: [ "master", "main" ]
+ schedule:
+ - cron: "0 0 * * *"
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [javascript]
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Before Index (java)
+ if: ${{ matrix.language == 'java' }}
+ run: ./configure.sh
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0
+ with:
+ category: "/language:${{ matrix.language }}"
From b76f99a96cc3de4e61e59da7fe5230613d09f0d7 Mon Sep 17 00:00:00 2001
From: Bernardo Codesido
Date: Wed, 14 Aug 2024 17:34:54 -0300
Subject: [PATCH 6/8] Hardcode actions versions
---
.github/workflows/ci.yml | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2a2edb74..150bdc92 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,11 +22,11 @@ jobs:
steps:
- name: Checkout
id: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Docker meta
id: meta
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
${{ env.LATEST_TAG }}
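Review bot: The three CodeQL steps are pinned to a SHA labelled `# v2.26.0` while scorecard.yml in this same series pins `github/codeql-action/upload-sarif` to `# v3.24.9`; the v2 line of codeql-action was kept mainly for older GHES and has since been deprecated upstream (confirm against your runner/GHES version), so a github.com repository should pin a v3 SHA on `init`, `autobuild` and `analyze`, keeping one SHA for all three as is done here. With a `javascript`-only matrix the `Autobuild` step has nothing to build and the `if: ${{ matrix.language == 'java' }}` step can never run, so either trim the steps to what actually executes or extend the matrix to the languages those steps are for. The checkout also lacks `persist-credentials: false`; with `contents: read` it is low risk, but the scorecard workflow in this series shows the intended pattern.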
@@ -34,14 +34,14 @@ jobs:
- name: Setup Docker BuildX
id: setup-buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
with:
install: true
driver-opts: network=host
platforms: linux/amd64
- name: Build and export locally Docker
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: container-action/
load: true
@@ -65,14 +65,14 @@ jobs:
--rm ${{ env.TEST_TAG }}
- name: GitHub container registry login
- uses: docker/login-action@v3
+ uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build the RIT Action Container Image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: container-action/
tags: ${{ env.LATEST_TAG }}
@@ -89,7 +89,7 @@ jobs:
steps:
- name: Checkout
id: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Test RIT Action
id: test-rit-action
@@ -114,10 +114,10 @@ jobs:
steps:
- name: Checkout
id: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Create GitHub Release
- uses: actions/create-release@v1
+ uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
From 9f07b195f56eed667064a4eb0195dbef09cb3fce Mon Sep 17 00:00:00 2001
From: Bernardo Codesido
Date: Wed, 14 Aug 2024 17:45:59 -0300
Subject: [PATCH 7/8] Harcode container image digest
---
container-action/Dockerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container-action/Dockerfile b/container-action/Dockerfile
index 862b0230..368c1146 100644
--- a/container-action/Dockerfile
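Review bot: `actions/create-release` (pinned at `# v1.1.4` in the last hunk) is archived and unmaintained upstream (worth confirming), so the SHA pin freezes a dependency that will never receive a security fix and gives Dependabot nothing to bump — it satisfies Scorecard's Pinned-Dependencies check without reducing the actual risk. The `gh` CLI already on the runner covers the same use case with no third-party action: `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `run: gh release create "$GITHUB_REF_NAME" --generate-notes`, reading the tag from the default env var instead of interpolating `${{ }}` into the shell. Whatever inputs follow `with:`, and the job's `permissions:` block (which must grant `contents: write` for either approach), lie outside this hunk. The remaining hunks only swap floating tags for SHAs with matching version trailers and look correct.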
+++ b/container-action/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:24.04 AS builder
+FROM ubuntu:24.04@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30 AS builder
LABEL Description="Custom RSK node image to execute Rootstock Integration Tests"
From b42b9b8233891a7231583a753213541fd86e6f7d Mon Sep 17 00:00:00 2001
From: Bernardo Codesido
Date: Fri, 16 Aug 2024 17:02:07 -0300
Subject: [PATCH 8/8] Address review comments
---
.github/workflows/codeql.yml | 8 ++------
SECURITY.md | 2 +-
2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c19daea9..3644674c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -2,9 +2,9 @@ name: "CodeQL"
on:
push:
- branches: [ "master", main" ]
+ branches: [ "main" ]
pull_request:
- branches: [ "master", "main" ]
+ branches: [ "main" ]
schedule:
- cron: "0 0 * * *"
@@ -29,10 +29,6 @@ jobs:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- - name: Before Index (java)
- if: ${{ matrix.language == 'java' }}
- run: ./configure.sh
-
- name: Initialize CodeQL
uses: github/codeql-action/init@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0
with:
diff --git a/SECURITY.md b/SECURITY.md
index c3a8c923..a017660f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
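Review bot: Only the `builder` stage is pinned, and a named stage implies a later `FROM` (a runtime stage, or a second `ubuntu:24.04`) beyond this 4-line hunk that needs the same `@sha256:` pin — otherwise the image that actually ships is still resolved from a mutable tag. Once a digest is present the `24.04` tag is informational only, so record the provenance beside it, e.g. `# ubuntu:24.04, digest captured 2024-08-14; keep in sync via Dependabot`. Note that the Dependabot `docker` entry added earlier in this series is scoped to `directory: /`, not `/container-action`, so this digest will not be refreshed automatically unless that entry is corrected or bumps are done by hand.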
@@ -5,7 +5,7 @@ The Rootstock team and community take security bugs in rootstock seriously. Besi
## Responsible Disclosure
-For all security related issues, XXX has two main points of contact. Reach us at or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/rootstock-integration-tests/security/advisories/new) tab.
+For all security related issues, Rootstock Integration Tests has two main points of contact. Reach us at or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/rootstock-integration-tests/security/advisories/new) tab.
The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.