Apply security best practices into workflows and Docker file (#270)

Signed-off-by: Taras Drozdovskyi <t.drozdovsky@samsung.com>
Samsung · Oct 27, 2023 · b19fe7b · b19fe7b
1 parent 9b6fd69
commit b19fe7b
Show file tree

Hide file tree

Showing 10 changed files with 72 additions and 14 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,18 +1,32 @@
 version: 2
 updates:
 # Enable version updates for maven
-  - package-ecosystem: "maven"
-    directory: "/"
+  - package-ecosystem: maven
+    directory: /
     # Check for updates once a month
     schedule:
-      interval: "monthly"
+      interval: monthly
     open-pull-requests-limit: 15
 # Enable version updates for Actions
-  - package-ecosystem: "github-actions"
+  - package-ecosystem: github-actions
     # Look for `.github/workflows` in the `root` directory
-    directory: ".github/workflows/"
+    directory: .github/workflows/
     # Check for updates once a month
     schedule:
-      interval: "monthly"
+      interval: monthly
     # Allow up to 15 open pull requests for github-actions dependencies
-    open-pull-requests-limit: 15
+    open-pull-requests-limit: 15
+# Enable version updates for Docker
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly
+    # Allow up to 15 open pull requests for docker dependencies
+    open-pull-requests-limit: 15
+# Enable version updates for Docker
+  - package-ecosystem: npm
+    directory: /frontend
+    schedule:
+      interval: monthly
+    # Allow up to 15 open pull requests for nmp dependencies
+    open-pull-requests-limit: 15
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,6 +18,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
     - name: Set up JDK 11
       uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -19,6 +19,11 @@ jobs:
         language: [ 'java' ]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 

diff --git a/.github/workflows/findbugs.yml b/.github/workflows/findbugs.yml
@@ -15,6 +15,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
     - name: Set up JDK 11
       uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2

diff --git a/.github/workflows/java-format-checker.yml b/.github/workflows/java-format-checker.yml
@@ -2,13 +2,21 @@ name: Check Java Format
 
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 jobs:
 
   formatting:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3 # v2 minimum required
-      - uses: axel-op/googlejavaformat-action@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: axel-op/googlejavaformat-action@dbff853fb823671ec5781365233bf86543b13215 # v3
         with:
           args: "--aosp --skip-javadoc-formatting --skip-reflowing-long-strings --skip-sorting-imports --replace"
           skip-commit: true

diff --git a/.github/workflows/publish-gh-package.yml b/.github/workflows/publish-gh-package.yml
@@ -10,8 +10,13 @@ jobs:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           java-version: '11'
           distribution: 'temurin'

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -16,6 +16,11 @@ jobs:
   publish:
     runs-on: ubuntu-20.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
       - name: Check out the repo
         uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
 

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -31,6 +31,11 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:

diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml
@@ -15,6 +15,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      with:
+        egress-policy: audit
+
+
     - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
     - name: Set up JDK 11
       uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2

diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,12 @@
-FROM node:18 AS frontend
+FROM node:18@sha256:a6385a6bb2fdcb7c48fc871e35e32af8daaa82c518900be49b76d10c005864c2 AS frontend
 
 WORKDIR /frontend
 COPY frontend .
 RUN npm install
 RUN npm run build
 
 # Base image for building lpvs lib
-FROM openjdk:11 AS builder
+FROM openjdk:11@sha256:99bac5bf83633e3c7399aed725c8415e7b569b54e03e4599e580fc9cdb7c21ab AS builder
 
 # Install dependencies
 RUN apt-get update && \
@@ -21,7 +21,7 @@ COPY . .
 RUN mvn clean install
 
 # Base image for running lpvs container
-FROM openjdk:11
+FROM openjdk:11@sha256:99bac5bf83633e3c7399aed725c8415e7b569b54e03e4599e580fc9cdb7c21ab
 
 # Install dependencies and remove tmp files
 RUN apt-get update && \