Applying security best practices with StepSecurity #1337
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Hi, sorry that eclipsefdn/eca has failed. We are aware of this and are already working on it; as soon as we have a solution, we will let you know. I apologise for the inconvenience caused. Thanks, kind regards
schedule:
  interval: daily

- package-ecosystem: maven
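Review bot: this fragment only shows a maven ecosystem entry, while the PR summary also promises "Keeping your actions up to date with Dependabot"; actions pinned to full-length commit SHAs in maven.yml are only bumped by a `package-ecosystem: github-actions` entry with `directory: /`, so confirm that entry is present in the file, otherwise the pins will silently go stale.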
Configuring each Project seems to be cumbersome, isn't the configuration for the project root inherited?
Hi @HannesWell, as far as I am aware the config file doesn't support wildcards, which would help to manage this configuration in an easier way. Sorry about that.
Here you will find more information dependabot/dependabot-core#2178
interval: daily

- package-ecosystem: maven
  directory: /org.eclipse.m2e.apt.tests/projects/argumentMap
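Review bot: this entry points Dependabot at a test fixture project (`/org.eclipse.m2e.apt.tests/projects/argumentMap`); fixture poms typically declare specific versions on purpose, so version-bump PRs here would churn test inputs rather than fix anything. Prefer a single maven entry for `directory: /` and leave the fixture directories unlisted, as the reviewers suggest.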
I'm not sure if dependencies in test resources should be updated.
noted, thanks
Thanks @HannesWell and @fperezel for the feedback, we have prioritized the following work item to only include the root directory for maven when applicable:
Great, thank you. Btw. I cannot remember a Dependabot PR for m2e and wonder if it is enabled. @laeubi can you tell?
Dependabot is enabled: https://github.com/eclipse-m2e/m2e-core/blob/master/.github/dependabot.yml but since we usually are not managing dependencies in poms, and dependabot might not be able to work with the special setup here (I remember @akurtakov mentioned it does not work out well with pomless), it could be that the tool is not able to automatically update things. I'm currently working on getting dependabot to understand target files here:
but it hasn't got much attention yet and my ruby skills are quite basic :-)
Looking at some of my own repos I see that, besides the presence of the dependabot.yml file, it is also necessary to enable Dependabot analysis in the repo settings. But I cannot see that button for this repo and we probably have to ask the infra team to push that button for us (if not yet done)? I also cannot see whether it is enabled, maybe somebody knows a trick? Because at least for the build plugins we should receive some Dependabot PRs over time.
You can open a ticket with the infra team to check this, but as far as I know it is enabled by default when you create such a file, and we already received dependabot updates in the past: https://github.com/eclipse-m2e/m2e-core/pulls?q=is%3Apr+author%3Aapp%2Fdependabot+ But as written before, there is actually not much to update for dependabot as most of the interesting stuff is pulled in by the target.
Hi @HannesWell, could you close this PR as we will push a new PR with all feedback gathered from this PR and other possible improvements? We apologise for all inconvenience caused. Thanks, kind regards,
Sure, no problem. Thanks for providing tools that make it simpler to secure a repo.
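As an added example (not the file from this PR, and not m2e's own dependabot.yml), this is what a root-level `.github/dependabot.yml` looks like once the feedback in this thread is applied: a single maven entry for the repository root instead of one entry per test project, plus a `github-actions` entry so that workflow steps pinned to commit SHAs keep receiving update PRs. The weekly interval and the pull-request limit are my choices, not values from the PR.

```yaml
# Added example, not the PR's own file. Root-level .github/dependabot.yml
# following the review feedback: root directory only, no test fixture dirs.
version: 2
updates:
  # Maven dependencies declared in the root pom only. Test fixture projects
  # such as /org.eclipse.m2e.apt.tests/projects/* are deliberately not listed,
  # because their versions are test inputs rather than build dependencies.
  - package-ecosystem: "maven"
    directory: "/"
    schedule:
      interval: "weekly"   # assumption: weekly instead of the PR's daily, to limit noise
    open-pull-requests-limit: 5

  # Keeps SHA-pinned actions in .github/workflows current. Dependabot bumps
  # the 40-character SHA and the trailing "# vX" version comment together.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
```

Without the `github-actions` entry, pinning actions to a commit SHA (as this PR does in maven.yml) would freeze them permanently, since nothing else bumps a SHA the way a moving tag moves on its own.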
Summary
This pull request is created by Secure Repo at the request of @fperezel. Please merge the Pull Request to incorporate the requested changes. Please tag @fperezel on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.
Security Fixes
Least Privileged GitHub Actions Token Permissions
Pinned Dependencies
Pinning some actions in the maven.yml file used during the build process. As linked below, GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.
Keeping your actions up to date with Dependabot
Creating a Dependabot file to manage all dependencies in the repo root directory. This is recommended by GitHub as well as the Open Source Security Foundation (OpenSSF).
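The two security fixes listed above, as an added example workflow that is not the PR's maven.yml and not m2e's own build file: a top-level `permissions` block that restricts the `GITHUB_TOKEN` to read-only access, and action references pinned to a full-length commit SHA instead of a mutable tag. The 40-zero SHAs are placeholders to be replaced with the audited release commit; the job name, Java version and Maven goal are assumptions.

```yaml
# Added example, not the PR's own workflow. Minimal Maven build showing the
# least-privilege token and SHA-pinning changes described in the summary.
name: Build

on:
  push:
    branches: [ master ]
  pull_request:

# Least-privileged token. Without this block the GITHUB_TOKEN receives the
# repository's default permission set; a build that only compiles and tests
# needs nothing beyond reading the checked-out contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Pinned to a full-length commit SHA rather than a tag. A tag such as
      # "v4" can be moved upstream; a commit SHA cannot. The SHA below is a
      # placeholder (40 zeros): replace it with the commit of the release you
      # reviewed, and keep the "# vX" comment so Dependabot can recognise
      # and bump the pin.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4

      - uses: actions/setup-java@0000000000000000000000000000000000000000 # v4
        with:
          distribution: temurin      # assumption
          java-version: '17'         # assumption

      # Unpinned form for comparison (what the PR replaces):
      #   - uses: actions/checkout@v4
      # Whatever commit the tag points at on the day of the run is executed.

      - run: mvn -B verify           # assumption: plain Maven verify
```

If a single job needs more than read access (for example to publish a release), grant it at the job level with its own `permissions:` block rather than widening the workflow-wide default, so the extra scope is limited to the step that uses it.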