From 95b827d9ebbaae394324e0f9ec83e85e1e8f6567 Mon Sep 17 00:00:00 2001
From: Daniel Muehlbachler-Pietrzykowski
Date: Mon, 28 Oct 2024 10:54:39 +0100
Subject: [PATCH] chore: introduce repository and project security scanning
---
 .github/workflows/dependency_review.yml | 22 +++++++++
 .github/workflows/release.yml | 26 ++++++-----
 .github/workflows/scorecard.yml | 59 +++++++++++++++++++++++++
 .github/workflows/verify.yml | 37 ++++++++++------
 .pre-commit-config.yaml | 14 +++++-
 README.md | 1 +
 6 files changed, 131 insertions(+), 28 deletions(-)
 create mode 100644 .github/workflows/dependency_review.yml
 create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/workflows/dependency_review.yml b/.github/workflows/dependency_review.yml
new file mode 100644
index 0000000..e580054
--- /dev/null
+++ b/.github/workflows/dependency_review.yml
@@ -0,0 +1,22 @@ +--- +name: Dependency Review + +on: + pull_request: + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + name: Dependency Review + + steps: + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2.2.2 + + - uses: actions/dependency-review-action@a6993e2c61fd5dc440b409aa1d6904921c5e1894 # v4.3.5
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 91a47b7..0266042 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,6 @@ on: permissions: contents: read - pull-requests: read jobs: release:
@@ -22,7 +21,11 @@ jobs: pull-requests: write steps: - - uses: google-github-actions/release-please-action@v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1 id: release container: 
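Review bot: The pin comment on the `actions/checkout` step, `# v4.2.2.2.2`, is not a release name; the same SHA is annotated `# v4` in release.yml and verify.yml, and scorecard.yml repeats the garbled form. Dependabot and Renovate use that trailing comment to work out which release a SHA pin corresponds to, so a malformed one may stop them from offering updates for this step; it should presumably read `# v4.2.2` (confirm against the checkout releases) in both new workflows. This checkout also keeps the default `persist-credentials: true`, which stores the job token in the runner's `.git/config` although dependency review never pushes; add `with:` / `persist-credentials: false` as scorecard.yml already does, and consider the same for the checkouts in release.yml and verify.yml. Lastly, `egress-policy: audit` on harden-runner only records outbound connections; once the set of endpoints each job needs is known, `egress-policy: block` with `allowed-endpoints` is what actually enforces it, and that applies to every harden-runner step added in this patch.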
@@ -36,19 +39,19 @@ jobs: packages: write steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} - - name: Setup QEMU - uses: docker/setup-qemu-action@v3 - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - - name: Login to ghcr.io - uses: docker/login-action@v3 + - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 with: registry: ghcr.io username: ${{ github.actor }}
@@ -64,8 +67,7 @@ jobs: PGVECTO_FROM_TAG=$(echo $PGVECTO_IMAGE | cut -d'-' -f4) echo "pgvecto=${PGVECTO_FROM_TAG}" >> "$GITHUB_OUTPUT" - - name: Build and Push Image - uses: docker/build-push-action@v6 + - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000..65c1373
--- /dev/null
+++ b/.github/workflows/scorecard.yml 
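Review bot: Dropping the `name:` fields from the checkout, QEMU, Buildx and login steps means the job log and the status-check UI now show only the action path and SHA, which is harder to scan than the previous labels; the SHA pinning is the valuable part of this change and does not require removing the names. The same removal happens in the build-push hunk below and in the three verify.yml hunks. Keeping `- name: Checkout repository` above each `uses:` line preserves the readable log without weakening the pin. The `token: ${{ secrets.GITHUB_TOKEN }}` passed to checkout is also the action's default value, so it can be dropped or, if kept for explicitness, paired with `persist-credentials: false` since the later build steps do not need git credentials.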
@@ -0,0 +1,59 @@ +--- +name: Scorecard Security + +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: + - main + workflow_dispatch: + +permissions: read-all + +jobs: + analysis: + runs-on: ubuntu-latest + name: Scorecard Analysis + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + # To allow GraphQL ListCommits to work + issues: read + pull-requests: read + # To detect SAST tools + checks: read + + steps: + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2.2.2 + with: + persist-credentials: false + + - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: Scorecard Analysis + path: results.sarif + retention-days: 5 + + - uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0 + with: + sarif_file: results.sarif
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index ffda363..8898302 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml 
@@ -8,17 +8,24 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: conform: runs-on: ubuntu-latest name: Conform steps: - - uses: actions/checkout@v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - - uses: siderolabs/conform@v0.1.0-alpha.27 + - uses: siderolabs/conform@6380738b7fdfc68b208ce0674c4ac1ba314ba600 # v0.1.0-alpha.27 with: token: ${{ secrets.GITHUB_TOKEN }}
@@ -27,13 +34,15 @@ jobs: name: Lint Dockerfile steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 - - name: Lint Dockerfile - uses: hadolint/hadolint-action@v3.1.0 + - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 with: dockerfile: Dockerfile
@@ -42,16 +51,17 @@ jobs: name: Build Container Image steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} - - name: Setup QEMU - uses: docker/setup-qemu-action@v3 - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 + - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 - name: Get Upstream Tags id: from_tag 
@@ -63,8 +73,7 @@ jobs: PGVECTO_FROM_TAG=$(echo $PGVECTO_IMAGE | cut -d'-' -f4) echo "pgvecto=${PGVECTO_FROM_TAG}" >> "$GITHUB_OUTPUT" - - name: Build Image - uses: docker/build-push-action@v6 + - uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 with: context: . platforms: linux/amd64,linux/arm64
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e79c2f8..b1b3c88 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,12 +7,14 @@ repos: stages: - commit-msg - repo: https://github.com/hadolint/hadolint - rev: v2.13.0-beta + rev: v2.13.1-beta hooks: - id: hadolint - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.6.0 + rev: v5.0.0 hooks: + - id: end-of-file-fixer + - id: trailing-whitespace - id: check-json - id: check-merge-conflict - id: check-symlinks
@@ -34,3 +36,11 @@ repos: # "--branch", # "next" # ] + - repo: https://github.com/gitleaks/gitleaks + rev: v8.21.1 + hooks: + - id: gitleaks + - repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck
diff --git a/README.md b/README.md
index 4422445..5f6b03f 100644
--- a/README.md
+++ b/README.md 
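Review bot: The gitleaks and shellcheck hooks added at the end of `.pre-commit-config.yaml` run only on the committing developer's machine and only against what is being committed, so they are skipped by anyone who commits without the hooks installed and they say nothing about secrets already present in the repository history; pairing them with the same checks in CI (gitleaks ships a GitHub Action, and a one-off full-history gitleaks scan establishes the baseline) would make the verify workflow enforce them. The jumanjihouse shellcheck hook also only inspects files recognised as shell scripts, not the `run:` blocks embedded in the workflow YAML — the unquoted `$PGVECTO_IMAGE` in the Get Upstream Tags step visible in the verify.yml and release.yml context would not be flagged — so adding `rhysd/actionlint`, which runs shellcheck over those blocks, closes that gap. A short comment above each new repo entry stating what it covers, e.g. `# secret scanning of staged changes; CI runs the full-history scan`, would make the intended scope clear to the next maintainer.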
@@ -2,6 +2,7 @@ [![](https://img.shields.io/github/license/muhlba91/postgresql-pgvecto-container?style=for-the-badge)](LICENSE) [![](https://img.shields.io/github/actions/workflow/status/muhlba91/postgresql-pgvecto-container/release.yml?style=for-the-badge)](https://github.com/muhlba91/postgresql-pgvecto-container/actions/workflows/release.yml) +[![](https://api.scorecard.dev/projects/github.com/muhlba91/postgresql-pgvecto-container/badge?style=for-the-badge)](https://scorecard.dev/viewer/?uri=github.com/muhlba91/postgresql-pgvecto-container) [![](https://img.shields.io/github/v/tag/muhlba91/postgresql-pgvecto-container?style=for-the-badge)](https://github.com/muhlba91/postgresql-pgvecto-container/releases) [![](https://img.shields.io/github/release-date/muhlba91/postgresql-pgvecto-container?style=for-the-badge)](https://github.com/muhlba91/postgresql-pgvecto-container/releases) Buy Me A Coffee