From 1596b88f7f345f80bc87af7afcc6493e01d24654 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 9 Dec 2024 18:30:53 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 11 ++++++++++
 .github/workflows/cd.yml | 13 ++++++++----
 .github/workflows/ci.yml | 24 +++++++++++++++-------
 .github/workflows/codeql-analysis.yml | 16 +++++++++++----
 .github/workflows/dependency-review.yml | 27 +++++++++++++++++++++++++
 .github/workflows/docs.yml | 9 +++++++--
 .github/workflows/edge.yml | 22 +++++++++++++-------
 .github/workflows/pypi.yml | 18 ++++++++++++-----
 .github/workflows/release.yml | 22 +++++++++++++-------
 .github/workflows/scorecard.yml | 7 ++++++-
 .pre-commit-config.yaml | 8 ++++++++
 Dockerfile | 2 +-
 12 files changed, 141 insertions(+), 38 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/dependency-review.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..365eeec
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 4ff7770..dd546f2 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
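Review bot: The new dependabot.yml watches only `github-actions` and `docker`, so the project's own Python dependencies get no automated update or vulnerability PRs; pypi.yml runs `uv build`, so a pyproject.toml with declared dependencies presumably exists. Add a third entry under `updates` with `package-ecosystem: pip` (same `directory: /` and daily `schedule`) so those are covered as well. The `# vX.Y.Z` comment this commit leaves after each pinned SHA is what Dependabot uses to recognise and bump the pinned actions, so those comments need to stay accurate.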
@@ -11,16 +11,21 @@ jobs: release-please: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Create release id: release-please - uses: googleapis/release-please-action@v4.1.3 + uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 with: release-type: python - name: Dispatch Edge Build if: always() - uses: peter-evans/repository-dispatch@v3.0.0 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: repository: shinybrar/skaha event-type: edge-build @@ -34,7 +39,7 @@ jobs: - name: Dispatch Release Build if: ${{ steps.release-please.outputs.release_created }} - uses: peter-evans/repository-dispatch@v3.0.0 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: repository: shinybrar/skaha event-type: release-build @@ -48,7 +53,7 @@ jobs: - name: Dispatch PYPI Release if: ${{ steps.release-please.outputs.release_created }} - uses: peter-evans/repository-dispatch@v3.0.0 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: repository: shinybrar/skaha event-type: pypi-release diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1596555..db74f7d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
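Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections; it blocks nothing, so a compromised dependency in this job can still reach any host while the step reports success. Treat audit as the baseline-gathering phase and, once the endpoints this job actually needs are known, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list (release-please and repository-dispatch both talk to the GitHub API, so `api.github.com:443` at minimum). The same audit-only step is added to ci.yml, codeql-analysis.yml, dependency-review.yml, docs.yml, edge.yml, pypi.yml, release.yml and scorecard.yml, and the same follow-up applies to each. The `release-please` job's header sits above this hunk, outside view.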
@@ -14,18 +14,23 @@ jobs: pre-commit-checks: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Setup code repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 - name: Setup Python - uses: actions/setup-python@v5.2.0 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: 3.12 - name: pre-commit - uses: pre-commit/action@v3.0.1 + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 tests: needs: pre-commit-checks @@ -36,14 +41,19 @@ jobs: os: [ubuntu-latest] runs-on: ${{ matrix.os }} steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Setup code repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: fetch-depth: 1 - name: Setup uv - uses: astral-sh/setup-uv@v3.1.7 + uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7 with: enable-cache: true - @@ -75,7 +85,7 @@ jobs: name: Upload coverage to Codecov env: CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - uses: codecov/codecov-action@v4.6.0 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 with: fail_ci_if_error: true # Fail the CI if an error occurs during the upload token: ${{ env.CODECOV_TOKEN }} @@ -84,6 +94,6 @@ jobs: - name: Upload test results to Codecov if: ${{ !cancelled() }} - uses: codecov/test-results-action@v1 + uses: codecov/test-results-action@9739113ad922ea0a9abb4b2c0f8bf6a4aa8ef820 # v1.0.1 with: token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 07033f1..6ef6f12 100644 --- a/.github/workflows/codeql-analysis.yml 
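Review bot: ci.yml receives the Harden Runner step and SHA pins but not the top-level `permissions:` block this commit adds to codeql-analysis.yml, edge.yml, pypi.yml and release.yml; cd.yml and docs.yml have the same gap. If the `on:` section above line 14 does not already restrict the token, add `permissions:` / `contents: read` at the top of ci.yml — the checkout, setup-python, setup-uv and pre-commit steps in these hunks need nothing more, and the Codecov steps authenticate with `CODECOV_TOKEN` rather than `GITHUB_TOKEN`. cd.yml and docs.yml presumably need write scopes (release-please creates releases and PRs, `mkdocs gh-deploy` pushes a branch), so there a read-only workflow default plus a job-level grant is the right shape. Both `pre-commit-checks` and `tests` continue outside these hunks.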
+++ b/.github/workflows/codeql-analysis.yml @@ -18,6 +18,9 @@ on: # The branches below must be a subset of the branches above branches: [ main ] +permissions: + contents: read + jobs: analyze: name: Analyze @@ -35,12 +38,17 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4.2.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -51,7 +59,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -65,4 +73,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..21a469b --- /dev/null +++ b/.github/workflows/dependency-review.yml 
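Review bot: The three CodeQL steps are pinned to `82a3f64131759f97922e0680c3730858bc7155a6 # v2.27.6`, i.e. the v2 line of github/codeql-action, while scorecard.yml in this same commit pins `upload-sarif` to `aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6`. As of the commit date the v2 line is deprecated, and pinning its SHA freezes the workflow there; use the v3 SHA for `init`, `autobuild` and `analyze` as well so Dependabot tracks the supported line. Separately, the new top-level `permissions: contents: read` is only safe because the `analyze` job (whose own `permissions:` sit above the second hunk, outside view) presumably still grants `security-events: write`; confirm that, and likewise that the `pypi-release` job in pypi.yml keeps `id-token: write` after its new top-level block, since trusted publishing and the attest steps depend on it.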
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: 'Dependency Review' + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 2c97585..c67896b 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -21,8 +21,13 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: astral-sh/setup-uv@v3 + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: astral-sh/setup-uv@caf0cab7a618c569241d31dcd442f54681755d39 # v3.2.4 - run: | uv python install uv run mkdocs gh-deploy --force diff --git a/.github/workflows/edge.yml b/.github/workflows/edge.yml index 5988c96..59d0dce 100644 --- a/.github/workflows/edge.yml +++ b/.github/workflows/edge.yml @@ -10,6 +10,9 @@ env: IMAGE_NAME: shinybrar/skaha IMAGE_TAG: edge +permissions: + contents: read + jobs: edge-build: runs-on: ubuntu-latest 
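Review bot: docs.yml stays on the v3 line of actions/checkout (`f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`) while every other workflow in this commit is pinned to v4.2.1 (`eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871`) and the new dependency-review.yml to v4.2.2 (`11bd71901bbe5b1630ceea73d27597364c9af683`); as far as I know v3 still runs on the Node 16 runtime GitHub has deprecated. Pin docs.yml to a v4 SHA already used here, `- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`, and consider converging on one checkout and one setup-uv SHA repo-wide (docs.yml gets setup-uv v3.2.4, ci.yml and pypi.yml v3.1.7) so Dependabot opens a single bump instead of several. The `deploy` job runs `mkdocs gh-deploy --force`, which pushes to the pages branch, so it needs `contents: write` at job level if a restrictive default applies; that part of the job is above the hunk and not visible.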
@@ -18,27 +21,32 @@ jobs: attestations: write id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Client Payload run: | echo "Client Payload: ${{ toJson(github.event.client_payload) }}" - name: Checkout Code - uses: actions/checkout@v4.2.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3.7.1 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: install: true - name: Perform Dockerhub Login - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Perform GHCR Login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -46,7 +54,7 @@ jobs: - name: Build & Push Docker Image id: build - uses: docker/build-push-action@v6.9.0 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . target: production @@ -68,14 +76,14 @@ jobs: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} - name: Attest GHCR Container Image - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true - name: Attest Dockerhub Container Image - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-name: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build.outputs.digest }} 
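Review bot: The `Client Payload` step still expands `${{ toJson(github.event.client_payload) }}` directly into the shell script on its `run:` line, so the dispatch payload is interpreted by the shell as script text rather than passed as data, and this commit leaves that in place. The payload arrives via `repository_dispatch`, which already requires a write-capable token to trigger, so exposure is limited to whoever can dispatch, but the defensive form is cheap: add `env:` / `CLIENT_PAYLOAD: ${{ toJson(github.event.client_payload) }}` to the step and change the script to `echo "Client Payload: $CLIENT_PAYLOAD"`. The same pattern appears in pypi.yml (`Event Payload`) and release.yml (`Client Payload`); the `ref: ${{ github.event.client_payload.tag_name }}` on the checkout steps is an action input rather than shell text and is not affected by this point. The `edge-build` job's `permissions` begin above this hunk.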
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml index e51c6ce..789dabd 100644 --- a/.github/workflows/pypi.yml +++ b/.github/workflows/pypi.yml @@ -4,6 +4,9 @@ on: repository_dispatch: types: [pypi-release] +permissions: + contents: read + jobs: pypi-release: runs-on: ubuntu-latest @@ -14,6 +17,11 @@ jobs: name: pypi-release url: https://pypi.org/p/skaha steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Echo Build Dispatch run: | @@ -21,12 +29,12 @@ jobs: echo "Event Payload: ${{ toJson(github.event.client_payload) }}" - name: Checkout Code - uses: actions/checkout@v4.2.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: ${{ github.event.client_payload.tag_name }} - name: Install uv - uses: astral-sh/setup-uv@v3.1.7 + uses: astral-sh/setup-uv@f3bcaebff5eace81a1c062af9f9011aae482ca9d # v3.1.7 with: enable-cache: false - @@ -37,7 +45,7 @@ jobs: run: uv build - name: Publish release distributions to PyPI - uses: pypa/gh-action-pypi-publish@v1.10.3 + uses: pypa/gh-action-pypi-publish@f7600683efdcb7656dec5b29656edb7bc586e597 # v1.10.3 with: attestations: false packages-dir: dist/ @@ -45,7 +53,7 @@ jobs: print-hash: true - name: Attestations for PYPI Wheel - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-path: | dist/*.whl @@ -53,7 +61,7 @@ jobs: show-summary: true - name: Attestations for PYPI Source - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-path: | dist/*.tar.gz diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3b0ca13..3da08f9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -11,6 +11,9 @@ env: IMAGE_TAG_LATEST: latest IMAGE_TAG_RELEASE: ${{ github.event.client_payload.tag_name }} +permissions: + contents: read + jobs: release-build: runs-on: ubuntu-latest @@ -19,29 +22,34 @@ jobs: attestations: write # Attest the build provenance id-token: write # Genereate OIDC token for attestations steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: Client Payload run: | echo "Client Payload: ${{ toJson(github.event.client_payload) }}" - name: Checkout Code - uses: actions/checkout@v4.2.1 + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 with: ref: ${{ github.event.client_payload.tag_name }} - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3.7.1 + uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 with: install: true - name: Perform Dockerhub Login - uses: docker/login-action@v3.3.0 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Perform GHCR Login - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -49,7 +57,7 @@ jobs: - name: Build & Push Docker Image id: build - uses: docker/build-push-action@v6.9.0 + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . target: production 
@@ -73,14 +81,14 @@ jobs: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG_LATEST }} - name: Attest GHCR Container Image - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-name: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build.outputs.digest }} push-to-registry: true - name: Attest Dockerhub Container Image - uses: actions/attest-build-provenance@v1 + uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4 with: subject-name: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }} subject-digest: ${{ steps.build.outputs.digest }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1027bd1..6ba8c7e 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -68,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: sarif_file: results.sarif diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index cbfb921..27ba2c6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -84,3 +84,11 @@ repos: language: python additional_dependencies: [radon] args: ["cc", "--min=C","--total-average","--exclude=tests/*.py"] + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks + - repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint diff --git a/Dockerfile b/Dockerfile index f3df1a2..dc2acc8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.13-alpine AS base +FROM python:3.13-alpine@sha256:804ad02b9ba67ea1f8307eeb6407b121c6bd6bb19d3f182aae166821eb59d6a4 AS base FROM base AS builder COPY . /skaha
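Review bot: The two new hooks are pinned to `rev: v8.16.3` (gitleaks) and `rev: v2.17.2` (pylint), which as of the commit date sit well behind their projects' current lines (gitleaks on 8.2x, pylint on 3.x), so the "latest, pinned" discipline applied to the workflows is not carried over here; run `pre-commit autoupdate` or choose current tags, and note that `rev:` also accepts a full commit SHA if tag immutability matters as much here as it did for the actions. The pylint hook from the pylint repo runs in an isolated hook environment without the project's dependencies, so it will presumably raise `import-error` on third-party imports unless `additional_dependencies` lists them or the hook is declared under a `local` repo with `language: system` so the project's own pylint runs — the latter is what pylint's pre-commit documentation recommends. The `repos` list continues above this hunk.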