[StepSecurity] Apply security best practices

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @jquagga. Please merge the Pull Request to incorporate the requested changes. Please tag @jquagga on your message if you have any questions related to the PR.

Security Fixes

Detect Vulnerabilities with SAST Workflow

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as clear-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

• The Open Source Security Foundation (OpenSSF) Security Guide
• OWASP Static Code Analysis
• Github Guide For Code Scanning

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

• Github Guide about Dependency Review
• Github Guide for Configuring Dependency Review Action

Add OpenSSF Scorecard Workflow

OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.

Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.

• The Open Source Security Foundation (OpenSSF) Scorecard

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

Summary by Sourcery

Apply security best practices by adding workflows for SAST, Dependency Review, and OpenSSF Scorecard. Simplify the existing CodeQL workflow and enhance CI configurations to improve security posture and maintainability.

New Features:

• Introduce a Static Application Security Testing (SAST) workflow to detect vulnerabilities in the source code using static code analysis tools.
• Add a Dependency Review workflow to enforce dependency reviews on pull requests, scanning for vulnerable versions of dependencies.
• Implement an OpenSSF Scorecard workflow to assess software security heuristics and provide a security score.

Enhancements:

• Simplify the CodeQL workflow by removing language-specific configurations and using a more streamlined setup.

CI:

• Update the CodeQL workflow to run on a simplified matrix configuration and adjust the cron schedule for weekly execution.
• Add a new workflow for OpenSSF Scorecard analysis to enhance supply-chain security checks.

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request implements security best practices by updating the CodeQL workflow and adding a new Scorecard supply-chain security workflow. The changes focus on improving the repository's security posture and automated vulnerability detection.

No diagrams generated as the changes look simple and do not need a visual representation.

File-Level Changes

Change	Details	Files
Updated CodeQL workflow for improved security analysis	Simplified the workflow by removing language-specific configurations Updated the runner to use ubuntu-latest for all analyses Removed manual build mode and related steps Updated action versions to their latest releases	.github/workflows/codeql.yml
Added Scorecard supply-chain security workflow	Implemented a new workflow for Scorecard analysis Set up scheduled runs and trigger on push to main branch Configured permissions for security event writing and result publishing Added steps for running analysis, uploading artifacts, and uploading to code-scanning	.github/workflows/scorecards.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, step-security-bot!). We assume it knows what it's doing!