From a261bc22512860df5b7765c80c1dd4a4753472f6 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 30 Jan 2024 09:06:46 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 211 ++++++++++++++++++ .github/workflows/acr-build-publish.yml | 16 +- .github/workflows/binaries-analysis.yml | 14 +- .github/workflows/chatgpt-review.yml | 7 +- .github/workflows/codeql-analysis.yml | 14 +- .github/workflows/dependency-review.yml | 27 +++ .../workflows/integration-check-install.yml | 10 +- .github/workflows/live-test.yml | 13 +- .github/workflows/ok-to-test.yml | 8 + .github/workflows/pr-build.yml | 25 ++- .github/workflows/release.yml | 47 ++-- .github/workflows/scorecards.yml | 76 +++++++ .pre-commit-config.yaml | 14 ++ .../ConnectSQLDatabase/Dockerfile | 2 +- samples/ingress/database-api/Dockerfile | 4 +- samples/ingress/frontend/Dockerfile | 2 +- samples/ingress/stats-api/Dockerfile | 2 +- samples/ingress/stats-worker/Dockerfile | 2 +- samples/managed-identity/Dockerfile | 4 +- samples/todo-app/database-api/Dockerfile | 4 +- samples/todo-app/frontend/Dockerfile | 2 +- samples/todo-app/stats-api/Dockerfile | 2 +- samples/todo-app/stats-worker/Dockerfile | 2 +- src/LocalAgent/Dockerfile | 4 +- src/devhostagent.restorationjob/Dockerfile | 4 +- src/devhostagent/Dockerfile | 4 +- src/routingmanager/Dockerfile | 4 +- 27 files changed, 464 insertions(+), 60 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecards.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..a709a35d3 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,211 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /samples/ConnectSQLDatabase/ConnectSQLDatabase + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/ConnectSQLDatabase/ConnectSQLDatabase + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/ingress/database-api + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /samples/ingress/database-api + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/ingress/frontend + schedule: + interval: daily + + - package-ecosystem: npm + directory: /samples/ingress/frontend + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/ingress/stats-api + schedule: + interval: daily + + - package-ecosystem: npm + directory: /samples/ingress/stats-api + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/ingress/stats-worker + schedule: + interval: daily + + - package-ecosystem: npm + directory: /samples/ingress/stats-worker + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/managed-identity + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /samples/managed-identity + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/todo-app/database-api + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /samples/todo-app/database-api + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/todo-app/frontend + schedule: + interval: daily + + - package-ecosystem: npm + directory: /samples/todo-app/frontend + schedule: + interval: daily + + - package-ecosystem: docker + directory: /samples/todo-app/stats-api + schedule: + interval: daily + + - package-ecosystem: npm + directory: /samples/todo-app/stats-api + schedule: + interval: daily + 
+ - package-ecosystem: docker + directory: /samples/todo-app/stats-worker + schedule: + interval: daily + + - package-ecosystem: npm + directory: /samples/todo-app/stats-worker + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/EndpointManagerLauncher + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/LocalAgent + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/LocalAgent + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/common.tests + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/common + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/devhostAgent.restorationjob.tests + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/devhostagent.restorationjob + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/devhostagent.restorationjob + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/devhostagent + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/devhostagent + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/dsc.tests + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/dsc + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/endpointmanager.tests + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/endpointmanager + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/library.tests + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/library + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/routingmanager.tests + schedule: + interval: daily + + - package-ecosystem: docker + directory: /src/routingmanager + schedule: + interval: 
daily + + - package-ecosystem: nuget + directory: /src/routingmanager + schedule: + interval: daily + + - package-ecosystem: nuget + directory: /src/testhelpers + schedule: + interval: daily diff --git a/.github/workflows/acr-build-publish.yml b/.github/workflows/acr-build-publish.yml index 1c7070a7c..d1f621880 100644 --- a/.github/workflows/acr-build-publish.yml +++ b/.github/workflows/acr-build-publish.yml @@ -11,6 +11,9 @@ on: - development - staging - prod +permissions: + contents: read + jobs: docker: strategy: @@ -25,12 +28,17 @@ jobs: runs-on: ubuntu-latest environment: ${{ github.event.inputs.environment }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 with: registry: ${{ vars.ACR_REGISTRY }} username: ${{ secrets.ACR_USERNAME }} @@ -58,7 +66,7 @@ jobs: echo "tag=stable" >> $GITHUB_ENV fi - name: Build and push for ${{ matrix.components }} - uses: docker/build-push-action@v5 + uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 with: file: src/${{ matrix.components }}/Dockerfile platforms: linux/arm64,linux/amd64 diff --git a/.github/workflows/binaries-analysis.yml b/.github/workflows/binaries-analysis.yml index 339611089..6ad78dbc8 100644 --- a/.github/workflows/binaries-analysis.yml +++ b/.github/workflows/binaries-analysis.yml @@ -9,6 +9,9 @@ on: schedule: - cron: '21 17 * * 0' +permissions: + contents: read + jobs: analyze: name: BinSkim Binary Analyze 
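Review bot: With roughly forty-five entries all on `interval: daily` and no `open-pull-requests-limit` or `groups`, this file will produce a continuous stream of pull requests (Dependabot's default is five open PRs per entry), and the `github-actions` entry alone will open one per action the rest of this commit just pinned. Group related updates, e.g. under each `nuget` entry `groups:` / `all-nuget:` / `patterns: ["*"]`, and consider `interval: weekly` for the `samples/` directories, so that reviewer attention is kept for the security-relevant bumps. A smaller file is also easier to audit for a directory that was missed.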
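Review bot: `egress-policy: audit` only records outbound connections and blocks none, so in this shape the Harden Runner step adds telemetry but no containment to a job that holds registry push credentials (`secrets.ACR_USERNAME` in the login step below it). After a few audited runs, switch this job to `egress-policy: block` with an `allowed-endpoints:` list taken from the per-run report Harden Runner produces. The same applies to the Harden Runner steps this commit adds in binaries-analysis.yml, chatgpt-review.yml, codeql-analysis.yml, dependency-review.yml, integration-check-install.yml, live-test.yml, ok-to-test.yml, pr-build.yml, release.yml and scorecards.yml.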
@@ -22,10 +25,15 @@ jobs: security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup NuGet.exe for use with actions - uses: NuGet/setup-nuget@v1.0.6 + uses: NuGet/setup-nuget@b2bc17b761a1d88cab755a776c7922eb26eefbfa # v1.0.6 - name: Get BinSkim package from nuget run: nuget install Microsoft.CodeAnalysis.BinSkim -Version 1.9.5 -OutputDirectory ${{ github.workspace }} - name: Restore dependencies using Nuget @@ -35,7 +43,7 @@ jobs: - name: Build endpointmanagerlauncher run: dotnet publish src\EndpointManagerLauncher\endpointmanagerlauncher.csproj -r win-x64 -c Release --no-restore - name: Install and Run BinSkim analysis - uses: Azure/powershell@v1 + uses: Azure/powershell@1300bbd2b3e1c21c029fe34887d16d2809a1397f # v1.4.0 with: inlineScript: | ${{ github.workspace }}\Microsoft.CodeAnalysis.BinSkim.1.9.5\tools\netcoreapp3.1\win-x64\BinSkim.exe analyze *.exe *.dll --recurse diff --git a/.github/workflows/chatgpt-review.yml b/.github/workflows/chatgpt-review.yml index db8122617..ed008beb3 100644 --- a/.github/workflows/chatgpt-review.yml +++ b/.github/workflows/chatgpt-review.yml @@ -11,7 +11,12 @@ jobs: name: ChatGPT Review runs-on: ubuntu-latest steps: - - uses: feiskyer/ChatGPT-Reviewer@v0.3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: feiskyer/ChatGPT-Reviewer@731b69f6b38eb33cff485254a4258790ebfba257 # v0.3 name: ChatGPT Review env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 794f6a229..169487139 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
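Review bot: This is the only workflow in the commit that gets no `permissions:` block, yet it is the one handing `secrets.GITHUB_TOKEN` to a third-party action (`feiskyer/ChatGPT-Reviewer`) that posts review comments, so the job keeps whatever default token scope the repository grants. Declare the scope explicitly at the top of the file, presumably `permissions: contents: read` plus `pull-requests: write` (what posting a PR review needs — confirm against the action's README), so the token can do nothing else. The workflow trigger and the remaining step inputs are outside the hunk; note also for the egress audit that this action sends PR content to an external API, which a later `block` policy will have to allow explicitly.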
@@ -20,6 +20,9 @@ on: schedule: - cron: '21 17 * * 0' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -37,12 +40,17 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -57,4 +65,4 @@ jobs: dotnet build src/dsc/dsc.csproj /p:UseSharedCompilation=false dotnet build src/dsc.tests/dsc.tests.csproj /p:UseSharedCompilation=false - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 \ No newline at end of file + uses: github/codeql-action/analyze@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2 \ No newline at end of file diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..fd27e55b6 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
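Review bot: The new `uses: github/codeql-action/analyze@…` line still carries `\ No newline at end of file`, while the same commit adds an `end-of-file-fixer` pre-commit hook that flags exactly this; add the trailing newline here so the next commit from someone with the hook installed is not whitespace-only churn on a security workflow. Separately, `actions/checkout` is pinned at v3.6.0 here and in most other workflows while acr-build-publish.yml pins v4.1.1 in the same commit; settling on one major avoids two parallel Dependabot bump streams.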
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/integration-check-install.yml b/.github/workflows/integration-check-install.yml index 80ba8ce2e..ddcd8616a 100644 --- a/.github/workflows/integration-check-install.yml +++ b/.github/workflows/integration-check-install.yml @@ -3,6 +3,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: install: strategy: @@ -10,7 +13,12 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Run Install Script shell: bash run: ./scripts/install.sh diff --git a/.github/workflows/live-test.yml b/.github/workflows/live-test.yml index 279477bd0..2910a1c55 100644 --- a/.github/workflows/live-test.yml +++ b/.github/workflows/live-test.yml 
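Review bot: The checkout step here does not set `persist-credentials: false`, unlike the checkout in the new scorecards.yml; `actions/dependency-review-action` reads the dependency graph through the API rather than from the working tree, so the token does not need to be left in `.git/config` — add `with:` / `persist-credentials: false` to the `'Checkout Repository'` step. As the header comment says, the action only blocks merges once the check is marked required in branch protection, which nothing in the repository configures, so that setting should be tracked together with this file. Whether the repository has the dependency graph enabled, which the action needs, cannot be seen from here.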
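Review bot: Harden Runner is inserted into a job whose matrix includes `macos-latest` and `windows-latest`, but the action's egress monitoring is documented for GitHub-hosted Ubuntu runners, so on the other two legs the step is at best a no-op and the audit coverage this commit adds is real only for the ubuntu leg. Either gate the step with `if: runner.os == 'Linux'` or document that those legs are unmonitored so nobody reads the audit report as complete. The same applies to live-test.yml (OS matrix) and to pr-build.yml and release.yml, whose jobs run on `windows-latest`.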
@@ -18,12 +18,17 @@ jobs: runs-on: ${{ matrix.os }} name: live test for b2k steps: - - uses: actions/checkout@v2 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 with: ref: refs/pull/${{ github.event.client_payload.pull_request.number }}/merge - name: Login Azure Context if: ${{ matrix.os != 'ubuntu-latest' }} - uses: Azure/login@v1 + uses: Azure/login@cb79c773a3cfa27f31f25eb3f677781210c9ce3d # v1.6.1 with: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} @@ -45,13 +50,13 @@ jobs: echo "create_cluster=success" >> $GITHUB_ENV - name: Set AKS Context Mac and Windows if: ${{ matrix.os == 'macos-latest' || matrix.os == 'windows-latest' }} - uses: azure/aks-set-context@v3 + uses: azure/aks-set-context@4edaee69f820359371ee8bc85189ac03a21d3a58 # v3.2 with: resource-group: ${{ secrets.AZURE_RESOURCE_GROUP }} cluster-name: ${{ env.cluster_name }} - name: Setup kubectl for macos-latest if: ${{ matrix.os == 'macos-latest' }} - uses: azure/setup-kubectl@v3 + uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 # v3.2 with: version: latest - name: Start minikube for ubuntu diff --git a/.github/workflows/ok-to-test.yml b/.github/workflows/ok-to-test.yml index 47ade0b20..28069fea7 100644 --- a/.github/workflows/ok-to-test.yml +++ b/.github/workflows/ok-to-test.yml @@ -5,6 +5,9 @@ on: issue_comment: types: [created] +permissions: + contents: read + jobs: ok-to-test: runs-on: ubuntu-latest 
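Review bot: This job checks out pull-request code (`ref: refs/pull/…/merge`, taken from the dispatch payload) and then logs in to Azure with `secrets.AZURE_*`, so of all the workflows in this commit it is the one where `egress-policy: audit` protects least: the code under test runs with cloud credentials and its outbound traffic is only logged. Move this workflow to `egress-policy: block` with an explicit `allowed-endpoints:` list first, before the others. `actions/checkout` is also pinned at v2.7.0 here against v3.6.0 and v4.1.1 elsewhere in the commit; v2 is two majors behind and Dependabot will propose the bump immediately, so aligning the major now saves a round trip.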
@@ -16,6 +19,11 @@ jobs: # Only run for PRs, not issue comments if: ${{ github.event.issue.pull_request }} steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + - name: slash command dispatch uses: peter-evans/slash-command-dispatch@a28ee6cd74d5200f99e247ebc7b365c03ae0ef3c # v3.0.1 with: diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml index 949277fe4..344a089b9 100644 --- a/.github/workflows/pr-build.yml +++ b/.github/workflows/pr-build.yml @@ -1,6 +1,9 @@ name: PR build pipeline on: [workflow_dispatch] +permissions: + contents: read + jobs: self-contained: runs-on: windows-latest @@ -8,13 +11,18 @@ jobs: matrix: mode: [osx-x64,linux-x64,win-x64,win-arm64,osx-arm64,linux-arm64] steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup .NET - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@a351d9ea84bc76ec7508debf02a39d88f8b6c0c0 # v2.1.1 with: dotnet-version: 7.0.x - name: Setup NuGet.exe for use with actions - uses: NuGet/setup-nuget@v1.0.6 + uses: NuGet/setup-nuget@b2bc17b761a1d88cab755a776c7922eb26eefbfa # v1.0.6 - name: Restore dependencies using Nuget run: nuget restore src\client.sln -Verbosity Normal -NonInteractive -ConfigFile src/nuget.config - name: dotnet Publish for ${{ matrix.mode }} 
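Review bot: The top-level `permissions: contents: read` added in the previous hunk narrows `GITHUB_TOKEN` for this job, but `peter-evans/slash-command-dispatch` by default adds a reaction to the triggering comment using `reaction-token`, which falls back to `GITHUB_TOKEN`, and that write will now fail with a read-only token. If the `with:` block below the hunk does not pass a separate `reaction-token`, either add the needed scope at job level (presumably `issues: write`, since the trigger is an issue comment — confirm against the action's README) or set `reactions: false`. The dispatch itself must already use a PAT, because `GITHUB_TOKEN` cannot trigger `repository_dispatch` workflows, so check which token the `with:` block supplies.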
@@ -32,13 +40,18 @@ jobs: matrix: mode: [osx-x64,linux-x64,win-x64,win-arm64,osx-arm64,linux-arm64] steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup .NET - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@a351d9ea84bc76ec7508debf02a39d88f8b6c0c0 # v2.1.1 with: dotnet-version: 7.0.x - name: Setup NuGet.exe for use with actions - uses: NuGet/setup-nuget@v1.0.6 + uses: NuGet/setup-nuget@b2bc17b761a1d88cab755a776c7922eb26eefbfa # v1.0.6 - name: Restore dependencies using Nuget run: nuget restore src\client.sln -Verbosity Normal -NonInteractive -ConfigFile src/nuget.config - name: dotnet Publish for ${{ matrix.mode }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 193ef50cf..6c02e7a36 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,9 @@ name: release binaries on: [workflow_dispatch] +permissions: + contents: read + jobs: build: runs-on: windows-latest 
@@ -30,13 +33,18 @@ jobs: kubectlUrl: 'https://dl.k8s.io/release/v1.27.3/bin/linux/arm64/kubectl' kubectlPath: 'linux\kubectl' steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup .NET - uses: actions/setup-dotnet@v2 + uses: actions/setup-dotnet@a351d9ea84bc76ec7508debf02a39d88f8b6c0c0 # v2.1.1 with: dotnet-version: 7.0.x - name: Setup NuGet.exe for use with actions - uses: NuGet/setup-nuget@v1.0.6 + uses: NuGet/setup-nuget@b2bc17b761a1d88cab755a776c7922eb26eefbfa # v1.0.6 - name: Restore dependencies using Nuget run: nuget restore src\client.sln -Verbosity Normal -NonInteractive -ConfigFile src/nuget.config - name: dotnet Publish for ${{ matrix.mode }} @@ -45,14 +53,14 @@ jobs: if: ${{ matrix.mode == 'win-x64' || matrix.mode == 'win-arm64'}} run: dotnet publish src\EndpointManagerLauncher\endpointmanagerlauncher.csproj -r ${{ matrix.mode }} -c Release --no-restore - name: Copy endpointmanagerlauncher - uses: Azure/powershell@v1 + uses: Azure/powershell@1300bbd2b3e1c21c029fe34887d16d2809a1397f # v1.4.0 if: ${{ matrix.mode == 'win-x64' || matrix.mode == 'win-arm64'}} with: inlineScript: | Copy-Item -Path ${{ github.workspace }}\src\EndpointManagerLauncher\bin\Release\net7.0\${{ matrix.mode }}\publish\ -Destination ${{ github.workspace }}\src\dsc\bin\Release\net7.0\${{ matrix.mode }}\publish\EndpointManagerLauncher -Recurse -Exclude **/*.pdb azPSVersion: '3.1.0' - name: Download Kubectl - uses: Azure/powershell@v1 + uses: Azure/powershell@1300bbd2b3e1c21c029fe34887d16d2809a1397f # v1.4.0 with: inlineScript: | New-Item -Path '${{ github.workspace }}\src\dsc\bin\Release\net7.0\${{ matrix.mode }}\publish\kubectl' -ItemType Directory 
@@ -62,14 +70,14 @@ jobs: curl.exe $url -o $kubectlPath azPSVersion: '3.1.0' - name: Create .Zip files (${{ matrix.mode }}) - uses: TheDoctor0/zip-release@0.6.2 + uses: TheDoctor0/zip-release@09336613be18a8208dfa66bd57efafd9e2685657 # 0.6.2 with: type: 'zip' filename: 'lpk-${{ matrix.mode }}.zip' path: ${{ github.workspace }}\src\dsc\bin\Release\net7.0\${{ matrix.mode }}\publish\** exclusions: '**/*.pdb **/*.xml **/*.nuspec **/cs/* **/de/* **/es/* **/fr/* **/it/* **/ja/* **/ko/* **/pl/* **/pt-BR/* **/ru/* **/tr/* **/zh-Hans/* **/zh-Hant/*' - name: Upload Release - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: lpk-${{ matrix.mode }} path: | @@ -81,15 +89,20 @@ jobs: actions: read contents: write steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Get Changelog Entry id: changelog_reader - uses: mindsers/changelog-reader-action@v2 + uses: mindsers/changelog-reader-action@b97ce03a10d9bdbb07beb491c76a5a01d78cd3ef # v2.2.2 with: path: ./CHANGELOG.md - name: Create Release id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -97,9 +110,9 @@ jobs: release_name: ${{ steps.changelog_reader.outputs.version }} body: ${{ steps.changelog_reader.outputs.changes }} - name: Download All artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - name: Upload Window Release Assets - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
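Review bot: The kubectl binary fetched by `curl.exe $url -o $kubectlPath` at the top of this hunk goes straight into the zip built a few lines later and from there into the published release assets, with no integrity check; the digest pinning this commit applies to actions and base images does not reach this download. Kubernetes publishes a `.sha256` next to each release binary, so fetch it and compare before packaging: `$expected = (Invoke-WebRequest -Uri "$url.sha256" -UseBasicParsing).Content.Trim()` followed by `if ((Get-FileHash $kubectlPath -Algorithm SHA256).Hash -ne $expected) { throw "kubectl checksum mismatch for $url" }`. The lines that set `$url` and `$kubectlPath` are outside the hunk.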
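Review bot: `actions/create-release` here and `actions/upload-release-asset` in the following hunks are pinned to their last releases, but both repositories are archived and unmaintained, so the SHA pin freezes actions that will never receive a fix and that Dependabot will never be able to bump. Replace them with a maintained release action, or with `gh release create` / `gh release upload` run through the preinstalled CLI under the same `GITHUB_TOKEN`, which also removes two third-party actions from the release job's trust boundary.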
@@ -108,7 +121,7 @@ jobs: asset_name: lpk-win.zip asset_content_type: application/zip - name: Upload Window ARM64 Release Assets - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -117,7 +130,7 @@ jobs: asset_name: lpk-win-arm64.zip asset_content_type: application/zip - name: Upload Linux Release Assets - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -126,7 +139,7 @@ jobs: asset_name: lpk-linux.zip asset_content_type: application/zip - name: Upload Linux ARM64 Release Assets - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -135,7 +148,7 @@ jobs: asset_name: lpk-linux-arm64.zip asset_content_type: application/zip - name: Upload OSX Release Assets - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -144,7 +157,7 @@ jobs: asset_name: lpk-osx.zip asset_content_type: application/zip - name: Upload OSX ARM64 Release Assets - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 000000000..3b8df9c11 --- /dev/null +++ b/.github/workflows/scorecards.yml 
@@ -0,0 +1,76 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["main"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2
+ with:
+ sarif_file: results.sarif
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 000000000..d8562a434
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,14 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
diff --git a/samples/ConnectSQLDatabase/ConnectSQLDatabase/Dockerfile b/samples/ConnectSQLDatabase/ConnectSQLDatabase/Dockerfile
index ae1b0ef83..7c827a856 100644
--- a/samples/ConnectSQLDatabase/ConnectSQLDatabase/Dockerfile
+++ b/samples/ConnectSQLDatabase/ConnectSQLDatabase/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/aspnet:7.0
+FROM mcr.microsoft.com/dotnet/aspnet:7.0@sha256:9658a001bc235f15d2d7f3a68f90cb1897f2fdc3e2e74161605c076d3472e39c
 COPY bin/Release/net7.0/publish/ App/
 WORKDIR /App
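Review bot: `ossf/scorecard-action` is pinned at v2.0.6, which was well behind the action's v2.3 releases at the date of this commit, and the `github-actions` Dependabot entry added alongside will propose the bump on its first run; pinning the current release now avoids producing the first Scorecard baseline with an old scanner. The checkout here sets `persist-credentials: false`, which is the right default for a read-only job — the other checkouts in this commit would benefit from the same setting. The remaining steps follow the upstream template.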
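Review bot: Nothing in this commit runs these hooks in CI, so the gitleaks, shellcheck and whitespace checks are enforced only on machines where a developer has installed pre-commit; a contributor without it can still push a secret or a broken shell script and every check in this file is skipped. Add a workflow job (for example `pre-commit run --all-files` via `pre-commit/action`, or `gitleaks/gitleaks-action` for the secret scan alone) so the hooks gate pull requests. Note too that the `rev:` values here are not covered by the new dependabot.yml, which declares no `pre-commit` ecosystem, so they will need manual bumps.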
diff --git a/samples/ingress/database-api/Dockerfile b/samples/ingress/database-api/Dockerfile
index 66123f6f1..d88b983fb 100644
--- a/samples/ingress/database-api/Dockerfile
+++ b/samples/ingress/database-api/Dockerfile
@@ -1,8 +1,8 @@
-FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim AS base
+FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-buster-slim@sha256:c30ae929a3cfef278f140c6e2ec050ea2bbab17cfc6b3426c8fe806d9fb3b6dd AS base
 WORKDIR /app
 EXPOSE 80
-FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build
+FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster@sha256:ed737e6920105e2a5cdcd13b9697e7973011e5619339ea64e30871ba0b53fec8 AS build
 WORKDIR /src
 COPY ["databaseApi.csproj", ""]
 RUN dotnet restore "./databaseApi.csproj"
diff --git a/samples/ingress/frontend/Dockerfile b/samples/ingress/frontend/Dockerfile
index 480447ca5..e6e6b20dd 100644
--- a/samples/ingress/frontend/Dockerfile
+++ b/samples/ingress/frontend/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:lts-alpine
+FROM node:lts-alpine@sha256:2f46fd49c767554c089a5eb219115313b72748d8f62f5eccb58ef52bc36db4ad
 ENV PORT 80
 EXPOSE 80
diff --git a/samples/ingress/stats-api/Dockerfile b/samples/ingress/stats-api/Dockerfile
index 38f9ba8d2..ca8832c99 100644
--- a/samples/ingress/stats-api/Dockerfile
+++ b/samples/ingress/stats-api/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:lts-alpine
+FROM node:lts-alpine@sha256:2f46fd49c767554c089a5eb219115313b72748d8f62f5eccb58ef52bc36db4ad
 ENV PORT 80
 EXPOSE 80
diff --git a/samples/ingress/stats-worker/Dockerfile b/samples/ingress/stats-worker/Dockerfile
index 60a393ce7..acf47027d 100644
--- a/samples/ingress/stats-worker/Dockerfile
+++ b/samples/ingress/stats-worker/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:lts-alpine
+FROM node:lts-alpine@sha256:2f46fd49c767554c089a5eb219115313b72748d8f62f5eccb58ef52bc36db4ad
 WORKDIR /app
 COPY package*.json ./
diff --git a/samples/managed-identity/Dockerfile b/samples/managed-identity/Dockerfile
index ec55f631e..dcb348763 100644
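Review bot: Both digests in this hunk pin images from the `dotnet/core/aspnet:3.1` and `dotnet/core/sdk:3.1` lines, and .NET Core 3.1 reached end of support in December 2022, so the pin freezes a base that receives no further fixes and the Dependabot docker entry for this directory has nothing newer to bump to under that tag. The digest makes the build reproducible but does not change that; the fix is moving this sample to a supported runtime, as the other samples in this commit already build on `aspnet:7.0`. Since this is a sample, it can be tracked separately from the pinning itself.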
--- a/samples/managed-identity/Dockerfile
+++ b/samples/managed-identity/Dockerfile
@@ -1,11 +1,11 @@
 #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
-FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0@sha256:fccd19c673dff30603e1f2ca3ae05234e0c1a2512a30e9b71debaf34a1215664 AS base
 ARG TARGETARCH
 WORKDIR /app
 EXPOSE 80
-FROM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0@sha256:69e18e87d68a6653550c1eed320cdddc3ff39296bb9d04f3317eca6e500daea9 AS build
 ARG TARGETARCH
 WORKDIR /src
 COPY "mi-webapp.csproj" .
diff --git a/samples/todo-app/database-api/Dockerfile b/samples/todo-app/database-api/Dockerfile
index 39bd42849..7d96d8c73 100644
--- a/samples/todo-app/database-api/Dockerfile
+++ b/samples/todo-app/database-api/Dockerfile
@@ -1,9 +1,9 @@
-FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0@sha256:fccd19c673dff30603e1f2ca3ae05234e0c1a2512a30e9b71debaf34a1215664 AS base
 ARG TARGETARCH
 WORKDIR /app
 EXPOSE 80
-FROM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0@sha256:69e18e87d68a6653550c1eed320cdddc3ff39296bb9d04f3317eca6e500daea9 AS build
 ARG TARGETARCH
 WORKDIR /src
 COPY ["databaseApi.csproj", ""]
diff --git a/samples/todo-app/frontend/Dockerfile b/samples/todo-app/frontend/Dockerfile
index a54604f09..1941b9410 100644
--- a/samples/todo-app/frontend/Dockerfile
+++ b/samples/todo-app/frontend/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/cbl-mariner/base/nodejs:18.17.1-2-cm2.0.20231004
+FROM mcr.microsoft.com/cbl-mariner/base/nodejs:18.17.1-2-cm2.0.20231004@sha256:4967b4998350f5e438a282c9c40952e182fb744df8d05eae43ff7f62fb267fdf
 ENV PORT 80
 EXPOSE 80
diff --git a/samples/todo-app/stats-api/Dockerfile b/samples/todo-app/stats-api/Dockerfile
index 50678dc1d..b1dfd7f05 100644
--- a/samples/todo-app/stats-api/Dockerfile
+++ b/samples/todo-app/stats-api/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/cbl-mariner/base/nodejs:18.17.1-2-cm2.0.20231004
+FROM mcr.microsoft.com/cbl-mariner/base/nodejs:18.17.1-2-cm2.0.20231004@sha256:4967b4998350f5e438a282c9c40952e182fb744df8d05eae43ff7f62fb267fdf
 ENV PORT 80
 EXPOSE 80
diff --git a/samples/todo-app/stats-worker/Dockerfile b/samples/todo-app/stats-worker/Dockerfile
index 1804e1c79..5827bf7b6 100644
--- a/samples/todo-app/stats-worker/Dockerfile
+++ b/samples/todo-app/stats-worker/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/cbl-mariner/base/nodejs:18.17.1-2-cm2.0.20231004
+FROM mcr.microsoft.com/cbl-mariner/base/nodejs:18.17.1-2-cm2.0.20231004@sha256:4967b4998350f5e438a282c9c40952e182fb744df8d05eae43ff7f62fb267fdf
 WORKDIR /app
 COPY package*.json ./
 RUN npm install
diff --git a/src/LocalAgent/Dockerfile b/src/LocalAgent/Dockerfile
index 4316a7c3f..a4635857e 100644
--- a/src/LocalAgent/Dockerfile
+++ b/src/LocalAgent/Dockerfile
@@ -1,11 +1,11 @@
 #See https://aka.ms/containerfastmode to understand how Visual Studio uses this Dockerfile to build your images for faster debugging.
-FROM mcr.microsoft.com/dotnet/aspnet:7.0 AS base
+FROM mcr.microsoft.com/dotnet/aspnet:7.0@sha256:9658a001bc235f15d2d7f3a68f90cb1897f2fdc3e2e74161605c076d3472e39c AS base
 WORKDIR /app
 EXPOSE 80
 EXPOSE 443
-FROM mcr.microsoft.com/dotnet/sdk:7.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:7.0@sha256:6b9c857a60b67f968fd5bae373e414690947b8b58e7951b3228fd712b82938e8 AS build
 WORKDIR /src
 COPY ["nuget.config", "."]
 COPY ["LocalAgent/localagent.csproj", "LocalAgent/"]
diff --git a/src/devhostagent.restorationjob/Dockerfile b/src/devhostagent.restorationjob/Dockerfile
index c7b01fbfd..def13d61f 100644
--- a/src/devhostagent.restorationjob/Dockerfile
+++ b/src/devhostagent.restorationjob/Dockerfile
@@ -1,5 +1,5 @@
 # Build container
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0 AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0@sha256:69e18e87d68a6653550c1eed320cdddc3ff39296bb9d04f3317eca6e500daea9 AS build
 ARG TARGETARCH
 ARG Configuration=Release
 ARG TelemetryType=TELEMETRY_DEVELOPMENT
@@ -18,7 +18,7 @@ ENV MINDARO_BUILD_NUMBER=${MindaroBuildNumber}
 RUN dotnet publish -c ${Configuration} -a ${TARGETARCH} --self-contained false --no-restore -o /output devhostAgent.restorationjob.csproj
 # Final container
-FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0 as final
+FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0@sha256:fccd19c673dff30603e1f2ca3ae05234e0c1a2512a30e9b71debaf34a1215664 as final
 # Setup common tools
 RUN tdnf clean all && \
diff --git a/src/devhostagent/Dockerfile b/src/devhostagent/Dockerfile
index aa8656f97..647987b5d 100644
--- a/src/devhostagent/Dockerfile
+++ b/src/devhostagent/Dockerfile
@@ -1,5 +1,5 @@
 # Build container
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0 AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0@sha256:69e18e87d68a6653550c1eed320cdddc3ff39296bb9d04f3317eca6e500daea9 AS build
 ARG TARGETARCH
 ARG Configuration=Release
@@ -19,7 +19,7 @@ ENV MINDARO_BUILD_NUMBER=${MindaroBuildNumber}
 RUN dotnet publish -c ${Configuration} -a ${TARGETARCH} --self-contained false --no-restore -o /src/publish devhostAgent.csproj
 # Final container
-FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0 as final
+FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0@sha256:fccd19c673dff30603e1f2ca3ae05234e0c1a2512a30e9b71debaf34a1215664 as final
 RUN tdnf clean all && \
 tdnf check-update && \
diff --git a/src/routingmanager/Dockerfile b/src/routingmanager/Dockerfile
index cf62c4a66..5869da9d6 100644
--- a/src/routingmanager/Dockerfile
+++ b/src/routingmanager/Dockerfile
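Review bot: These Dockerfiles build with `--platform=$BUILDPLATFORM` and `ARG TARGETARCH`, and acr-build-publish.yml in this commit builds `src/*/Dockerfile` for `linux/arm64,linux/amd64`, so every `@sha256:` here must be the multi-arch index (manifest list) digest rather than the digest of one architecture's image; an image digest would make the arm64 build resolve the wrong platform or fail. Verify each pin with `docker buildx imagetools inspect mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0@sha256:69e18e87d68a6653550c1eed320cdddc3ff39296bb9d04f3317eca6e500daea9` (and likewise for the aspnet digest) and check that the output lists both platforms. The same applies to the pins in src/devhostagent/Dockerfile, src/routingmanager/Dockerfile, src/LocalAgent/Dockerfile and the managed-identity and todo-app samples.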
@@ -1,5 +1,5 @@
 # Build container
-FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0 AS build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0-cbl-mariner2.0@sha256:69e18e87d68a6653550c1eed320cdddc3ff39296bb9d04f3317eca6e500daea9 AS build
 ARG TARGETARCH
 ARG Configuration=Release
 ARG TelemetryType=TELEMETRY_DEVELOPMENT
@@ -19,7 +19,7 @@ ENV MINDARO_BUILD_NUMBER=${MindaroBuildNumber}
 RUN dotnet publish -c ${Configuration} -a ${TARGETARCH} --self-contained false --no-restore -o /src/publish
 # Final container
-FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0 as final
+FROM mcr.microsoft.com/dotnet/aspnet:7.0-cbl-mariner2.0@sha256:fccd19c673dff30603e1f2ca3ae05234e0c1a2512a30e9b71debaf34a1215664 as final
 ARG TARGETARCH
 ARG KUBECTL_VERSION=v1.27.3
 ARG INSTALL_LOCATION=/app/kubectl/linux