[StepSecurity] Apply security best practices

.github/dependabot.yml

@@ -0,0 +1,211 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /samples/ConnectSQLDatabase/ConnectSQLDatabase
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/ConnectSQLDatabase/ConnectSQLDatabase
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/ingress/database-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /samples/ingress/database-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/ingress/frontend
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /samples/ingress/frontend
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/ingress/stats-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /samples/ingress/stats-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/ingress/stats-worker
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /samples/ingress/stats-worker
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/managed-identity
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /samples/managed-identity
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/todo-app/database-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /samples/todo-app/database-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/todo-app/frontend
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /samples/todo-app/frontend
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/todo-app/stats-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /samples/todo-app/stats-api
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /samples/todo-app/stats-worker
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /samples/todo-app/stats-worker
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/EndpointManagerLauncher
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/LocalAgent
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/LocalAgent
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/common.tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/common
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/devhostAgent.restorationjob.tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/devhostagent.restorationjob
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/devhostagent.restorationjob
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/devhostagent
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/devhostagent
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/dsc.tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/dsc
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/endpointmanager.tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/endpointmanager
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/library.tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/library
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/routingmanager.tests
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /src/routingmanager
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/routingmanager
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /src/testhelpers
+    schedule:
+      interval: daily

.github/workflows/acr-build-publish.yml

@@ -11,6 +11,9 @@ on:
           - development
           - staging
           - prod
+permissions:
+  contents: read
+
 jobs:
   docker:
     strategy:
@@ -25,12 +28,17 @@ jobs:
     runs-on: ubuntu-latest
     environment: ${{ github.event.inputs.environment }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: ${{ vars.ACR_REGISTRY }}
           username: ${{ secrets.ACR_USERNAME }}
@@ -58,7 +66,7 @@ jobs:
             echo "tag=stable" >> $GITHUB_ENV
           fi
       - name: Build and push for ${{ matrix.components }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
         with:
           file: src/${{ matrix.components }}/Dockerfile
           platforms: linux/arm64,linux/amd64

.github/workflows/binaries-analysis.yml

@@ -9,6 +9,9 @@ on:
   schedule:
     - cron: '21 17 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: BinSkim Binary Analyze
@@ -22,10 +25,15 @@ jobs:
       security-events: write
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - name: Setup NuGet.exe for use with actions
-      uses: NuGet/setup-nuget@v1.0.6
+      uses: NuGet/setup-nuget@b2bc17b761a1d88cab755a776c7922eb26eefbfa # v1.0.6
     - name: Get BinSkim package from nuget
       run: nuget install Microsoft.CodeAnalysis.BinSkim -Version 1.9.5 -OutputDirectory ${{ github.workspace }}
     - name: Restore dependencies using Nuget
@@ -35,7 +43,7 @@ jobs:
     - name: Build endpointmanagerlauncher
       run: dotnet publish src\EndpointManagerLauncher\endpointmanagerlauncher.csproj -r win-x64 -c Release --no-restore
     - name: Install and Run BinSkim analysis
-      uses: Azure/powershell@v1
+      uses: Azure/powershell@1300bbd2b3e1c21c029fe34887d16d2809a1397f # v1.4.0
       with: 
         inlineScript: |
           ${{ github.workspace }}\Microsoft.CodeAnalysis.BinSkim.1.9.5\tools\netcoreapp3.1\win-x64\BinSkim.exe analyze *.exe *.dll --recurse

.github/workflows/chatgpt-review.yml

@@ -11,7 +11,12 @@ jobs:
     name: ChatGPT Review
     runs-on: ubuntu-latest
     steps:
-    - uses: feiskyer/ChatGPT-Reviewer@v0.3
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
+    - uses: feiskyer/ChatGPT-Reviewer@731b69f6b38eb33cff485254a4258790ebfba257 # v0.3
       name: ChatGPT Review
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -20,6 +20,9 @@ on:
   schedule:
     - cron: '21 17 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -37,12 +40,17 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,4 +65,4 @@ jobs:
         dotnet build src/dsc/dsc.csproj /p:UseSharedCompilation=false
         dotnet build src/dsc.tests/dsc.tests.csproj /p:UseSharedCompilation=false
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@2f93e4319b2f04a2efc38fa7f78bd681bc3f7b2f # v2.23.2

.github/workflows/dependency-review.yml

@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1

.github/workflows/integration-check-install.yml

@@ -3,14 +3,22 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   install:
     strategy:
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Run Install Script
         shell: bash
         run: ./scripts/install.sh