From 4dd99922ffc592fcd0d57747b42e06e40dd2ab0f Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Tue, 24 Feb 2026 01:42:33 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 5 ++++
 .github/workflows/codeql.yml | 5 ++++
 .github/workflows/deny.yml | 5 ++++
 .github/workflows/dependency-review.yml | 27 +++++++++++++++++++
 .github/workflows/format.yml | 10 +++++++
 .github/workflows/fuzz.yml | 5 ++++
 .github/workflows/integration-emu.yml | 5 ++++
 .github/workflows/integration-tdx.yml | 10 +++++++
 .github/workflows/library.yml | 5 ++++
 .github/workflows/main.yml | 5 ++++
 .github/workflows/oss-fuzz.yml | 5 ++++
 .github/workflows/scorecard.yml | 5 ++++
 .github/workflows/trivy.yml | 5 ++++
 .github/workflows/weekly-cargo-update.yml | 11 +++++---
 .../workflows/weekly-collateral-update.yml | 13 ++++++---
 .pre-commit-config.yaml | 18 +++++++++++++
 16 files changed, 132 insertions(+), 7 deletions(-)
 create mode 100644 .github/workflows/dependency-review.yml
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 19c03faf..00632063 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -21,3 +21,8 @@ updates:
 directory: /container
 schedule:
 interval: daily
+
+ - package-ecosystem: cargo
+ directory: /deps/td-shim-AzCVMEmu/azcvm-extract-report
+ schedule:
+ interval: daily
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0107a332..bd52bc23 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -40,6 +40,11 @@ jobs:
 # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
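Review bot: The new `cargo` entry points Dependabot at `/deps/td-shim-AzCVMEmu/azcvm-extract-report`, and if `deps/td-shim-AzCVMEmu` is a git submodule (the workflows in this same patch check out with `submodules: recursive`, which suggests `deps/` holds submodules) Dependabot cannot edit files inside it and the entry will only produce update errors. Confirm the path is vendored into this repository before merging; if it is a submodule, drop the entry and rely on that repository's own Dependabot configuration, or add a `package-ecosystem: gitsubmodule` entry for `/` instead. The `updates:` list this hunk extends starts above the hunk.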
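Review bot: `egress-policy: audit` only records outbound connections; nothing is blocked, so the step added here (and the identical step added to every other workflow in this patch) is telemetry, not enforcement, until it is switched to `egress-policy: block` with an `allowed-endpoints:` list built from the audit results. A comment above the step would keep a later reader from mistaking it for hardening, e.g. `# audit mode: logs egress only; switch to egress-policy: block once the allowed-endpoints list is known`. The codeql job's remaining steps lie outside this hunk.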
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index 4be64bc2..ca4edf06 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
@@ -25,6 +25,11 @@ jobs:
 continue-on-error: ${{ matrix.checks == 'sources' }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: recursive
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..c7a7acb1
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 555f49c3..c37103cd 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
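Review bot: The new workflow pins `actions/checkout` to `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` while every other workflow touched by this patch is on v6.0.1 or v6.0.2, so the one job meant to gate dependency changes ships with a stale major and a third checkout pin for Dependabot to track; use `uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1` like the rest. The header comment promises that vulnerable PRs will be blocked, but that only happens once this check is marked required in branch protection, and the action depends on the repository's dependency graph being enabled, so verify both rather than assuming the workflow enforces anything on its own. A `# TODO: mark this check as required in branch protection` note above `jobs:` would record that follow-up.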
@@ -20,6 +20,11 @@ jobs:
 security-events: write
 actions: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout sources
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
@@ -74,6 +79,11 @@ jobs:
 steps:
 # Install first since it's needed to build NASM
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Install LLVM and Clang
 uses: KyleMayes/install-llvm-action@ebc0426251bc40c7cd31162802432c68818ab8f0 # v2.0.9
 with:
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index c2bae7dc..cf58bb0c 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -30,6 +30,11 @@ jobs:
 timeout-minutes: 30
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: recursive
diff --git a/.github/workflows/integration-emu.yml b/.github/workflows/integration-emu.yml
index bcc56ed6..6a1c8fbf 100644
--- a/.github/workflows/integration-emu.yml
+++ b/.github/workflows/integration-emu.yml
@@ -51,6 +51,11 @@ jobs:
 artifact-name: "policy-v2-igvm-test-logs"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout sources
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
diff --git a/.github/workflows/integration-tdx.yml b/.github/workflows/integration-tdx.yml
index 27c70a41..500683e0 100644
--- a/.github/workflows/integration-tdx.yml
+++ b/.github/workflows/integration-tdx.yml
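Review bot: In the second format.yml hunk the harden-runner step was inserted between the comment `# Install first since it's needed to build NASM` and the `Install LLVM and Clang` step that comment describes, so the comment now reads as though it explains the harden-runner step. Move the comment down so it again sits directly above `- name: Install LLVM and Clang`, or reword it to `# harden-runner goes first; LLVM next because it is needed to build NASM`. The job's remaining steps are outside this hunk.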
@@ -36,6 +36,11 @@ jobs:
 # - name: Install tools for sgx lib
 # run: sudo dnf group install 'Development Tools' | sudo dnf --enablerepo=powertools install ocaml ocaml-ocamlbuild wget rpm-build pkgcon
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Clean test repository
 run: |
 sudo rm -rf sh_script/test/
@@ -89,6 +94,11 @@ jobs:
 runs-on: [self-hosted, tdx]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Clean test repository
 run: |
 sudo rm -rf sh_script/test/
diff --git a/.github/workflows/library.yml b/.github/workflows/library.yml
index 5be63c37..23270baf 100644
--- a/.github/workflows/library.yml
+++ b/.github/workflows/library.yml
@@ -26,6 +26,11 @@ jobs:
 timeout-minutes: 30
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout sources
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 92d09f7f..39c90639 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -29,6 +29,11 @@ jobs:
 protocol: [tls, spdm]
 build_type: [release, debug]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout sources
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
diff --git a/.github/workflows/oss-fuzz.yml b/.github/workflows/oss-fuzz.yml
index c5bc51c2..53bb2ec1 100644
--- a/.github/workflows/oss-fuzz.yml
+++ b/.github/workflows/oss-fuzz.yml
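Review bot: Both integration-tdx jobs run on `runs-on: [self-hosted, tdx]` (visible in the second hunk), and harden-runner installs a privileged agent on the host, which on a persistent self-hosted TDX machine is a different proposition from an ephemeral GitHub-hosted VM: confirm that the action's self-hosted support covers this host type (it is documented for VM runners, not container or ARC runners), that the agent leaves no state between jobs, and that installing it with the `sudo` these jobs already rely on is acceptable to whoever operates the machine. If that cannot be confirmed, leave the step out of these two jobs rather than shipping one that may fail or silently do nothing on the TDX host. A `# NOTE: self-hosted TDX runner; harden-runner support verified on <date>` comment above the step would record the decision. The steps list the first hunk extends begins above the hunk, after the commented-out `Install tools for sgx lib` step.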
@@ -7,6 +7,11 @@ jobs:
 permissions:
 security-events: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Build Fuzzers
 id: build
 uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@1bdba6f59f138b9d224f18806921b79420eac145 # master
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index fb908a82..178c11be 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -31,6 +31,11 @@ jobs:
 # actions: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: "Checkout code"
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index c91b143e..f3448d02 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -26,6 +26,11 @@ jobs:
 name: Build
 runs-on: "ubuntu-latest"
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout code
 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
diff --git a/.github/workflows/weekly-cargo-update.yml b/.github/workflows/weekly-cargo-update.yml
index 799fb3bf..45486d7c 100644
--- a/.github/workflows/weekly-cargo-update.yml
+++ b/.github/workflows/weekly-cargo-update.yml
@@ -12,13 +12,18 @@ jobs:
 update:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: recursive
 - name: Install rust
- uses: dtolnay/rust-toolchain@master
+ uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master
 with:
 toolchain: ${{ env.RUST_TOOLCHAIN }}
@@ -29,7 +34,7 @@ jobs:
 run: cargo update
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
 commit-message: "chore: weekly cargo update"
 title: "chore: weekly cargo update"
diff --git a/.github/workflows/weekly-collateral-update.yml b/.github/workflows/weekly-collateral-update.yml
index b610fea9..ffaf6db7 100644
--- a/.github/workflows/weekly-collateral-update.yml
+++ b/.github/workflows/weekly-collateral-update.yml
@@ -9,13 +9,18 @@ jobs:
 generate-collateral-policy:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
+ with:
+ egress-policy: audit
+
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: recursive
 - name: Install rust
- uses: dtolnay/rust-toolchain@master
+ uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # master
 with:
 toolchain: 1.88.0
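Review bot: This hunk pins `actions/checkout` to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` while every other workflow in the patch keeps `8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1` and dependency-review.yml gets v4.3.1, so one commit leaves three checkout pins for the repository to maintain; settle on a single SHA across all workflows. The `dtolnay/rust-toolchain` pin is annotated only as `# master`, which tells a reviewer nothing about what the SHA corresponds to — since that repository tracks branches rather than releases, record the date or upstream commit subject in the comment (e.g. `# master as of 2026-02`) so later bumps can be checked. The `cargo update` step a few lines below the first hunk is the job whose egress is worth studying first: its audit output (crates index, crate downloads, GitHub) is the natural basis for an `allowed-endpoints` list when the policy is moved from `audit` to `block`.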
@@ -44,7 +49,7 @@ jobs:
 run: ./target/release/migtd-policy-generator -o config/policy_pre_production_fmspc.json --pre-production
 - name: Create Pull Request for Collateral
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
 commit-message: "chore: update collateral files"
 title: "chore: update collateral files"
@@ -58,7 +63,7 @@ jobs:
 config/collateral_pre_production_fmspc.json
 - name: Create Pull Request for Policy
- uses: peter-evans/create-pull-request@v8
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
 with:
 commit-message: "chore: update policy v1 files"
 title: "chore: update policy files"
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..0ef0fe84
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,18 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
+ - id: trailing-whitespace
+- repo: https://github.com/pylint-dev/pylint
+ rev: v2.17.2
+ hooks:
+ - id: pylint
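Review bot: The new `.pre-commit-config.yaml` pins every hook by tag (`rev: v8.16.3`, `rev: 3.0.0`, `rev: v4.4.0`, `rev: v2.17.2`) in the same patch that converts every GitHub Action to a commit SHA; pre-commit's `rev` accepts a full SHA and a tag can be moved, so the secret scanner in particular deserves the same treatment, e.g. `rev: <full-sha>  # v8.16.3`. Those tags also look like 2023-era releases — gitleaks v8.16.3 in particular is many releases behind, which directly affects which secret patterns it detects — so run `pre-commit autoupdate` and re-pin before landing. The `pylint` hook seems out of place in a Cargo repository; if there are no Python sources it only adds an interpreter-dependent environment to every commit and should be dropped, and note that the `jumanjihouse` `shellcheck` hook expects a `shellcheck` binary already on the PATH rather than installing one (verify against that hook's definition).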