[StepSecurity] Apply security best practices #1010
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Codecov Report: All modified lines are covered by tests ✅

Coverage Diff (main vs #1010):

|          | main   | #1010  |
|----------|--------|--------|
| Coverage | 96.44% | 96.44% |
| Files    | 28     | 28     |
| Lines    | 2139   | 2139   |
| Hits     | 2063   | 2063   |
| Misses   | 76     | 76     |

View full report in Codecov by Sentry.
@@ -14,12 +14,12 @@ jobs: | |||
|
|||
steps: | |||
- name: Checkout code | |||
uses: actions/checkout@v4 | |||
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 |
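Review bot: the trailing `# v4.1.0` on the new `uses:` line is a plain comment that GitHub never verifies; only the 40-character SHA `8ade135a41bc03ea155e62e844d188df1ea18608` is resolved at run time, so before merging confirm that this SHA really is the commit behind the `v4.1.0` tag (for example `gh api repos/actions/checkout/commits/v4.1.0 --jq .sha`) rather than trusting the comment. Keep the comment in lockstep with the SHA afterwards: Dependabot reads that version comment to recognise the pinned release and updates the SHA and the comment together, which is what makes pinned actions still receive updates.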
This imo is like pinning deps in package.json; not worth the trouble. We won’t get bugfixes and whatnot automatically by doing this.
Unless this bot also sends PRs (or some other bot does). Seems very noisy, tho...
dependabot works with pinned actions too. We're extensively using it already on nodejs/core. See: nodejs/security-wg#1126
It does indeed, but that makes it very noisy. I don’t think it’s worth it, especially for official GitHub Actions.
Summary
This pull request is created by Secure Repo at the request of @RafaelGSS. Please merge the Pull Request to incorporate the requested changes. Please tag @RafaelGSS on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.
Refs: nodejs/security-wg#859
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Feedback
For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
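An added example, not code from this PR, from StepSecurity, or from the repository: a POSIX shell audit that checks the two "Security Fixes" above across a workflow directory. It lists `uses:` references that are not pinned to a full-length commit SHA and flags workflows with no top-level `permissions:` block, which is the condition under which `GITHUB_TOKEN` keeps the repository's default scopes. The script name `audit.sh`, the function names and the two sample workflows are assumptions made for this illustration; the checkout SHA in the hardened sample is the one from the diff in this PR, while the upload-artifact SHA is a made-up placeholder and not a real commit.

```shell
#!/bin/sh
# Added example (hypothetical audit.sh); not code from this PR, StepSecurity,
# or the repository. Usage: sh audit.sh .github/workflows/*.yml
# With no arguments it audits two constructed sample workflows instead.
set -u

# Print every `uses:` reference in workflow file $1 that is not pinned to a
# 40-hex-digit commit SHA. Local actions (./path) and Docker images pinned by
# sha256 digest are accepted. A trailing "# v4.1.0" style comment is stripped
# and ignored: GitHub resolves only the SHA and never checks the comment, so
# the comment is not evidence of which version actually runs.
unpinned_actions() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' "$1" |
    sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" |
    grep -v '^\./' |
    grep -Ev '^docker://.*@sha256:[0-9a-f]{64}$' |
    grep -Ev '@[0-9a-f]{40}$' || true
}

# Return 0 when $1 declares a top-level (unindented) permissions: block.
# Without it GITHUB_TOKEN gets the repository's default scopes. Job-level
# permissions: blocks are also least-privilege but are not credited here.
has_top_level_permissions() {
  grep -q '^permissions:' "$1"
}

# Audit one workflow file; print findings and return 1 if any, 0 if clean.
audit_workflow() {
  file="$1"
  rc=0
  bad=$(unpinned_actions "$file")
  if [ -n "$bad" ]; then
    printf '%s: action references not pinned to a commit SHA:\n%s\n' "$file" "$bad"
    rc=1
  fi
  if ! has_top_level_permissions "$file"; then
    printf '%s: no top-level permissions: block\n' "$file"
    rc=1
  fi
  return "$rc"
}

# Constructed sample workflows written into directory $1. The checkout SHA is
# the one from the diff in this PR; the upload-artifact SHA is a made-up
# placeholder, not a real commit of that action.
write_samples() {
  cat > "$1/weak.yml" <<'EOF'
name: test
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - uses: actions/upload-artifact@main
EOF
  cat > "$1/hardened.yml" <<'EOF'
name: test
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: ./.github/actions/local-helper
      - uses: 'actions/upload-artifact@0123456789abcdef0123456789abcdef01234567' # placeholder SHA
EOF
}

if [ "$#" -gt 0 ]; then
  status=0
  for f in "$@"; do audit_workflow "$f" || status=1; done
  exit "$status"
else
  tmp=$(mktemp -d)
  write_samples "$tmp"
  audit_workflow "$tmp/weak.yml" || true   # reports both findings
  if audit_workflow "$tmp/hardened.yml"; then echo "$tmp/hardened.yml: clean"; fi
  rm -rf "$tmp"
fi
```

Pinning only moves the trust from a mutable tag to an immutable SHA; it does not tell you which release that SHA is, which is why the script deliberately ignores the version comment and why the review discussion above about Dependabot matters: the bot is what keeps the SHA and its comment moving together. Running this in CI on `.github/workflows/*.yml` catches a new unpinned action or a dropped `permissions:` block before it lands.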