From ade3668b1cdfa0e3d81fd9cb671dafe821d41347 Mon Sep 17 00:00:00 2001 From: Taras Drozdovskyi Date: Fri, 27 Oct 2023 16:49:58 +0300 Subject: [PATCH] Apply security best practices into workflows and Docker file Signed-off-by: Taras Drozdovskyi --- .github/dependabot.yml | 28 +++++++++++++++++------ .github/workflows/build.yml | 5 ++++ .github/workflows/codeql.yml | 5 ++++ .github/workflows/findbugs.yml | 5 ++++ .github/workflows/java-format-checker.yml | 12 ++++++++-- .github/workflows/publish-gh-package.yml | 9 ++++++-- .github/workflows/publish.yml | 5 ++++ .github/workflows/scorecards.yml | 5 ++++ .github/workflows/test-suite.yml | 6 +++++ Dockerfile | 6 ++--- 10 files changed, 72 insertions(+), 14 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 10c3f567..9881fe2b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -1,18 +1,32 @@ version: 2 updates: # Enable version updates for maven - - package-ecosystem: "maven" - directory: "/" + - package-ecosystem: maven + directory: / # Check for updates once a month schedule: - interval: "monthly" + interval: monthly open-pull-requests-limit: 15 # Enable version updates for Actions - - package-ecosystem: "github-actions" + - package-ecosystem: github-actions # Look for `.github/workflows` in the `root` directory - directory: ".github/workflows/" + directory: .github/workflows/ # Check for updates once a month schedule: - interval: "monthly" + interval: monthly # Allow up to 15 open pull requests for github-actions dependencies - open-pull-requests-limit: 15 \ No newline at end of file + open-pull-requests-limit: 15 +# Enable version updates for Docker + - package-ecosystem: docker + directory: / + schedule: + interval: monthly + # Allow up to 15 open pull requests for docker dependencies + open-pull-requests-limit: 15 +# Enable version updates for Docker + - package-ecosystem: npm + directory: /frontend + schedule: + interval: monthly + # Allow up to 15 open pull requests for nmp dependencies + open-pull-requests-limit: 15 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 77275f11..917cecbc 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,6 +18,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 + with: + egress-policy: audit + - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Set up JDK 11 uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a34fef81..580bc2a8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
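Review bot: The comment introducing the new npm entry at the end of the dependabot.yml hunk reads `# Enable version updates for Docker`, copied from the docker block above it, and the limit comment misspells the ecosystem as `nmp`; the two comments should read `# Enable version updates for npm (frontend)` and `# Allow up to 15 open pull requests for npm dependencies`. Since this commit also pins the Dockerfile base images by digest, the new docker block at `directory: /` is what will keep those digests current, which is worth saying in its comment. These are documentation-only changes.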
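Review bot: The new `harden-runner` pin in build.yml has no version trailer, whereas the identical step added to publish-gh-package.yml, publish.yml, scorecards.yml and test-suite.yml in this same commit is annotated `# v2.6.0`; a bare SHA cannot be checked against a release without resolving it, so add the trailer here (and in the codeql.yml and findbugs.yml hunks, which have the same gap): `uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0`. Note also that `egress-policy: audit` only records outbound connections and blocks nothing; once an audit run shows which endpoints the Maven build needs, the policy should move to `block` with an explicit `allowed-endpoints` list. The enclosing job starts above the hunk, so whether a `permissions:` block scopes its token cannot be confirmed from here.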
@@ -19,6 +19,11 @@ jobs: language: [ 'java' ] steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 diff --git a/.github/workflows/findbugs.yml b/.github/workflows/findbugs.yml index b8e25afd..03554e61 100644 --- a/.github/workflows/findbugs.yml +++ b/.github/workflows/findbugs.yml @@ -15,6 +15,11 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 + with: + egress-policy: audit + - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Set up JDK 11 uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 diff --git a/.github/workflows/java-format-checker.yml b/.github/workflows/java-format-checker.yml index 2dc37c64..2f749272 100644 --- a/.github/workflows/java-format-checker.yml +++ b/.github/workflows/java-format-checker.yml @@ -2,13 +2,21 @@ name: Check Java Format on: [ push, pull_request ] +permissions: + contents: read + jobs: formatting: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 # v2 minimum required - - uses: axel-op/googlejavaformat-action@v3 + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: axel-op/googlejavaformat-action@dbff853fb823671ec5781365233bf86543b13215 # v3 with: args: "--aosp --skip-javadoc-formatting --skip-reflowing-long-strings --skip-sorting-imports --replace" skip-commit: true diff --git a/.github/workflows/publish-gh-package.yml b/.github/workflows/publish-gh-package.yml index b8136ebb..b26589a1 100644 --- a/.github/workflows/publish-gh-package.yml +++ b/.github/workflows/publish-gh-package.yml 
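Review bot: In the java-format-checker.yml hunk the `googlejavaformat-action` pin is annotated `# v3`, a floating major rather than the exact release the SHA resolves to, unlike the checkout line next to it which records `# v3.6.0`; the trailer is what a reviewer (and Dependabot's pin updates) use to read the SHA, so replace `# v3` with the exact tag that `dbff853fb823671ec5781365233bf86543b13215` points at. The added `permissions: contents: read` is the right default here: the action runs with `--replace` but `skip-commit: true`, so a read-only token is sufficient for it, and it is worth a one-line comment above `permissions:` saying so.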
@@ -10,8 +10,13 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v3 - - uses: actions/setup-java@v3 + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 with: java-version: '11' distribution: 'temurin' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 75934961..1df23931 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,6 +16,11 @@ jobs: publish: runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: Check out the repo uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 282e836a..75079310 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: diff --git a/.github/workflows/test-suite.yml b/.github/workflows/test-suite.yml index 3eca1416..7a3f5d50 100644 --- a/.github/workflows/test-suite.yml +++ b/.github/workflows/test-suite.yml @@ -15,6 +15,12 @@ jobs: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0 + with: + egress-policy: audit + + - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Set up JDK 11 uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 
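Review bot: In publish-gh-package.yml the job holds `packages: write`, and the new `harden-runner` step only audits egress; a publishing job is exactly where a compromised dependency would exfiltrate the package-write token, so this workflow is the first candidate for `egress-policy: block` with an `allowed-endpoints` list derived from the audit run (GitHub API, GitHub Packages and the Maven repositories the build resolves). Until that list exists, a comment such as `# TODO: switch to egress-policy: block once audit shows the endpoints this publish needs` on the `with:` block records the intent. The job header above the hunk is not visible, so I cannot confirm what `on:` trigger this write-capable token is exposed to.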
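Review bot: publish.yml still checks out with `actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2` (a Node 12 release) while this same commit moves java-format-checker.yml and publish-gh-package.yml to `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`; a release workflow is the one least suited to running a deprecated action, so align it to the same pin: `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`. The job also runs on `ubuntu-20.04` while the other workflows use `ubuntu-latest`; if the older runner is intentional, a comment stating why would stop it being "fixed" by a later cleanup. The remaining steps of this job are outside the hunk.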
diff --git a/Dockerfile b/Dockerfile
index 008ecac4..b43329a3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:18 AS frontend
+FROM node:18@sha256:a6385a6bb2fdcb7c48fc871e35e32af8daaa82c518900be49b76d10c005864c2 AS frontend
 
 WORKDIR /frontend
 COPY frontend .
@@ -6,7 +6,7 @@ RUN npm install
 RUN npm run build
 
 # Base image for building lpvs lib
-FROM openjdk:11 AS builder
+FROM openjdk:11@sha256:99bac5bf83633e3c7399aed725c8415e7b569b54e03e4599e580fc9cdb7c21ab AS builder
 
 # Install dependencies
 RUN apt-get update && \
@@ -21,7 +21,7 @@ COPY . .
 RUN mvn clean install
 
 # Base image for running lpvs container
-FROM openjdk:11
+FROM openjdk:11@sha256:99bac5bf83633e3c7399aed725c8415e7b569b54e03e4599e580fc9cdb7c21ab
 
 # Install dependencies and remove tmp files
 RUN apt-get update && \
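Review bot: Pinning the runtime stage to `openjdk:11@sha256:99bac5bf…` freezes an image that, as far as I know, is no longer maintained on Docker Hub (the `openjdk` official image was deprecated and `11` tags stopped receiving updates), so the digest pin that the docker Dependabot block is meant to refresh will never move and any OS-level CVEs in that layer stay fixed in place. The workflows in this commit already build with `distribution: 'temurin'`, so switching both JDK stages to a maintained Temurin image, e.g. `FROM eclipse-temurin:11-jdk AS builder` and a JRE-only `FROM eclipse-temurin:11-jre` for the final stage, would keep the pins updatable and shrink the runtime surface. This is a suggestion for a follow-up rather than a problem with the pin itself; the `RUN apt-get update && \` that follows continues outside the hunk.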