From fcb9dd967cc04209053a9a88943e4e51e1668b29 Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Fri, 3 Jan 2025 22:39:33 +0100
Subject: [PATCH 01/12] enh: zizmor for gha analysis
---
 .github/workflows/github-actions-analyzer.yml | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/github-actions-analyzer.yml
diff --git a/.github/workflows/github-actions-analyzer.yml b/.github/workflows/github-actions-analyzer.yml
new file mode 100644
index 0000000..dd1b881
--- /dev/null
+++ b/.github/workflows/github-actions-analyzer.yml
@@ -0,0 +1,38 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ # contents: read
+ # actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
From 0e6a24914029a2ecedfc19e8acf90c46adea686e Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Fri, 3 Jan 2025 22:45:38 +0100
Subject: [PATCH 02/12] enh: zizmor for gha analysis
---
 .github/workflows/github-actions-analyzer.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/github-actions-analyzer.yml b/.github/workflows/github-actions-analyzer.yml
index dd1b881..0b9db68 100644
--- a/.github/workflows/github-actions-analyzer.yml
+++ b/.github/workflows/github-actions-analyzer.yml
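Review bot: `uvx zizmor` in the Run zizmor step resolves whatever zizmor release PyPI serves at run time, so the scanner itself stays an unpinned dependency even after the later patches pin every action to a commit hash; pin it with a version spec, e.g. `run: uvx --from 'zizmor==<VERSION>' zizmor --format sarif . > results.sarif` (`<VERSION>` is a placeholder for the release you verified). The same unpinned invocation is carried over into the zizmor job that patch 12 adds to infra-security-scan.yml. Separately, if zizmor keeps its default of exiting non-zero when it reports findings, a run with findings fails this step and the Upload SARIF step never executes, so either pass `--no-exit-codes` or guard the upload with `if: success() || failure()` so results still reach code scanning.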
@@ -13,26 +13,25 @@ jobs: runs-on: ubuntu-latest permissions: security-events: write - # required for workflows in private repositories - # contents: read - # actions: read steps: - - name: Checkout repository - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + # v4.2.2 with: + fetch-depth: 0 persist-credentials: false - name: Install the latest version of uv - uses: astral-sh/setup-uv@v5 + uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a + # v5.1.0 - name: Run zizmor 🌈 run: uvx zizmor --format sarif . > results.sarif - env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 + # v2.19.0 with: sarif_file: results.sarif category: zizmor From a9295c943eba2c88ad86d41f3a79391cd3f7d4e6 Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Fri, 3 Jan 2025 22:49:27 +0100 Subject: [PATCH 03/12] fix: alerts --- .github/workflows/docker-build-and-push.yml | 3 +++ .github/workflows/gitleaks.yml | 1 + .github/workflows/go-ci.yml | 2 ++ .github/workflows/go-security-scan.yml | 1 + .github/workflows/infra-security-scan.yml | 2 ++ .github/workflows/local-auto-tagger.yml | 3 +++ .github/workflows/python-ci.yml | 1 + .github/workflows/rust-ci.yml | 4 ++++ 8 files changed, 17 insertions(+) diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index 41b9f74..39329a3 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml 
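Review bot: The pinned hash on the new `uses: github/codeql-action/upload-sarif@5618c9fc…` line is annotated `# v2.19.0`, while the line it replaces used `@v3`; if the annotation is accurate this moves the upload step back a major version of codeql-action, whose v2 line is reportedly deprecated, so the hash should be checked and a v3 release pinned instead. The added `fetch-depth: 0` fetches full history that a scan of the working tree's workflow files does not need; the default shallow clone is enough here. The enclosing job starts above the hunk.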
@@ -83,6 +83,9 @@ jobs: ${{ inputs.egress-policy-allowlist }} - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 7793c80..519cb7f 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml @@ -31,6 +31,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: gitleaks uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3 # v2.3.7 diff --git a/.github/workflows/go-ci.yml b/.github/workflows/go-ci.yml index d88178d..780ea68 100644 --- a/.github/workflows/go-ci.yml +++ b/.github/workflows/go-ci.yml @@ -44,6 +44,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: @@ -82,6 +83,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Setup Go uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 diff --git a/.github/workflows/go-security-scan.yml b/.github/workflows/go-security-scan.yml index fc97fea..e46b049 100644 --- a/.github/workflows/go-security-scan.yml +++ b/.github/workflows/go-security-scan.yml @@ -41,6 +41,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Run Gosec Security Scanner # kics-scan ignore-line uses: securego/gosec@master diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 485e3bf..944eeb6 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml 
@@ -45,6 +45,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Kics Scan uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16 # v2.1.3 @@ -88,6 +89,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: diff --git a/.github/workflows/local-auto-tagger.yml b/.github/workflows/local-auto-tagger.yml index d7ee00b..916fccb 100644 --- a/.github/workflows/local-auto-tagger.yml +++ b/.github/workflows/local-auto-tagger.yml @@ -26,6 +26,9 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + persist-credentials: false - name: Get changed files for each workflow and action id: changed-files uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366 diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml index b352f74..e0223a7 100644 --- a/.github/workflows/python-ci.yml +++ b/.github/workflows/python-ci.yml @@ -44,6 +44,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.2.1 with: diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml index 217a1b7..4e5d408 100644 --- a/.github/workflows/rust-ci.yml +++ b/.github/workflows/rust-ci.yml @@ -54,6 +54,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Cargo cache uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 @@ -84,6 +85,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Cargo cache uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 @@ -118,6 +120,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - name: Cargo cache uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 
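Review bot: In the local-auto-tagger.yml hunk, `persist-credentials: false` on the checkout means any later step in this job that pushes a tag with plain `git push` no longer finds a token in the checkout's git config; the remaining steps are outside the hunk, so confirm the tagging step authenticates explicitly (a token passed to the tagging action or an API call) before relying on this. The `fetch-depth: 0` added alongside it is reasonable for the changed-files step that follows, which compares against history.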
@@ -169,6 +172,7 @@ jobs: # v4.2.2 with: fetch-depth: 0 + persist-credentials: false - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: From 290f75f3d5d71772225717ce747150932d626312 Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Fri, 3 Jan 2025 22:51:51 +0100 Subject: [PATCH 04/12] fix: alerts --- .github/workflows/github-actions-analyzer.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/github-actions-analyzer.yml b/.github/workflows/github-actions-analyzer.yml index 0b9db68..ae6945d 100644 --- a/.github/workflows/github-actions-analyzer.yml +++ b/.github/workflows/github-actions-analyzer.yml @@ -14,6 +14,11 @@ jobs: permissions: security-events: write steps: + - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f + # v2.10.2 + with: + disable-sudo: true + egress-policy: audit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: From 3144adecdc76d17b15539f7000e50d250e30a228 Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Fri, 3 Jan 2025 22:54:14 +0100 Subject: [PATCH 05/12] fix: enforce egress policy --- .github/workflows/github-actions-analyzer.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/github-actions-analyzer.yml b/.github/workflows/github-actions-analyzer.yml index ae6945d..462f30f 100644 --- a/.github/workflows/github-actions-analyzer.yml +++ b/.github/workflows/github-actions-analyzer.yml @@ -18,7 +18,13 @@ jobs: # v2.10.2 with: disable-sudo: true - egress-policy: audit + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: From 05f2873119bcc5f6a1239cb1ba1a9e9362440662 Mon Sep 17 00:00:00 2001 
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:33:02 +0100 Subject: [PATCH 06/12] fix: alerts --- .github/workflows/infra-security-scan.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 944eeb6..3caa09f 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml @@ -106,7 +106,8 @@ jobs: continue-on-error: true run: | go install github.com/mrtazz/checkmake/cmd/checkmake@latest - CHECKMAKE_OUTPUT=$(checkmake ${{ steps.find-files.outputs.FILES }} --debug) + FILES="${{ steps.find-files.outputs.FILES }}" + CHECKMAKE_OUTPUT=$(checkmake "$FILES" --debug) echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT shell: bash - name: PR comment with file From 3782b155878d988e78d187e93eaa7d3ac54e09dc Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:40:31 +0100 Subject: [PATCH 07/12] fix: alerts --- .github/workflows/infra-security-scan.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 3caa09f..19ac5e3 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml @@ -99,14 +99,13 @@ jobs: run: | FILES=$(find . -iname "Makefile" -o -iname "GNUmakefile" -o -iname "*.mk" -o -iname "*.make") echo "$FILES" > "$GITHUB_WORKSPACE/files.txt" - echo "FILES=$FILES" >> $GITHUB_OUTPUT + echo "FILES=$FILES" >> $GITHUB_ENV shell: bash - if: steps.find-files.outputs.FILES != '' id: scan-files continue-on-error: true run: | go install github.com/mrtazz/checkmake/cmd/checkmake@latest - FILES="${{ steps.find-files.outputs.FILES }}" CHECKMAKE_OUTPUT=$(checkmake "$FILES" --debug) echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT shell: bash 
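Review bot: In the scan-files step, `CHECKMAKE_OUTPUT=$(checkmake "$FILES" --debug)` passes the whole `find` result as one argument, whereas the interpolated form it replaces was word-split by the shell into one argument per path; since `$FILES` is the newline-joined list produced by the find-files step, checkmake now receives a single path-with-newlines argument and the multi-file case changes behaviour. Keep the injection fix but split explicitly, e.g. `mapfile -t files <<< "$FILES"` followed by `CHECKMAKE_OUTPUT=$(checkmake "${files[@]}" --debug)`. The same quoted call is present in the patch 07 hunk below and in the patch 08 hunk on the next line, where `FILES` finally arrives via `env:`.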
From 0945643714f5b323de16196a083dcf5cab72d02c Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:42:26 +0100 Subject: [PATCH 08/12] fix: alerts --- .github/workflows/infra-security-scan.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 19ac5e3..225a394 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml @@ -99,15 +99,17 @@ jobs: run: | FILES=$(find . -iname "Makefile" -o -iname "GNUmakefile" -o -iname "*.mk" -o -iname "*.make") echo "$FILES" > "$GITHUB_WORKSPACE/files.txt" - echo "FILES=$FILES" >> $GITHUB_ENV + echo "FILES=$FILES" >> $GITHUB_OUTPUT shell: bash - if: steps.find-files.outputs.FILES != '' id: scan-files continue-on-error: true run: | - go install github.com/mrtazz/checkmake/cmd/checkmake@latest + go install github.com/mrtazz/checkmake/cmd/checkmake@latest CHECKMAKE_OUTPUT=$(checkmake "$FILES" --debug) echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT + env: + FILES: ${{ steps.find-files.outputs.FILES }} shell: bash - name: PR comment with file if: github.event_name == 'pull_request' && steps.scan-files.outputs.CHECKMAKE_OUTPUT != '' From 5177f719b8e5e1634951171024b2483a6de9fa33 Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:42:59 +0100 Subject: [PATCH 09/12] fix: alerts --- .github/workflows/infra-security-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml index 225a394..5dfcfc1 100644 --- a/.github/workflows/infra-security-scan.yml +++ b/.github/workflows/infra-security-scan.yml 
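Review bot: The restored `echo "FILES=$FILES" >> $GITHUB_OUTPUT` writes a multi-line value in the single-line `name=value` form; when `find` returns more than one file, every line after the first is read by the runner as another output line, which either fails the step with an invalid-format error or truncates `FILES` to the first path. Use the delimiter syntax for multi-line outputs, `{ echo "FILES<<FILES_EOF"; echo "$FILES"; echo "FILES_EOF"; } >> "$GITHUB_OUTPUT"`, with a delimiter that cannot occur in the content. The same applies to the `CHECKMAKE_OUTPUT` line a few lines down, since checkmake's output is also multi-line; that line is context here rather than new code.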
@@ -105,7 +105,7 @@ jobs: id: scan-files continue-on-error: true run: | - go install github.com/mrtazz/checkmake/cmd/checkmake@latest + go install github.com/mrtazz/checkmake/cmd/checkmake@latest CHECKMAKE_OUTPUT=$(checkmake "$FILES" --debug) echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT env: From 66f729812f03c7078ca08967ded51ac50f40dcc6 Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:45:09 +0100 Subject: [PATCH 10/12] fix: alerts --- .github/workflows/docker-build-and-push.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index 39329a3..d01c7a0 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml @@ -89,6 +89,8 @@ jobs: - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 + with: + cache-binary: false # v3.7.1 - name: Log in to the Container registry uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 From 3b1d86e577ce558ebadf9ad9126d9d4d14bea557 Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:48:21 +0100 Subject: [PATCH 11/12] fix: alerts --- .github/workflows/docker-build-and-push.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml index d01c7a0..983e333 100644 --- a/.github/workflows/docker-build-and-push.yml +++ b/.github/workflows/docker-build-and-push.yml 
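Review bot: In the docker-build-and-push.yml hunk, the new `with:` / `cache-binary: false` pair is inserted between `uses: docker/setup-buildx-action@c47758b…` and its `# v3.7.1` annotation, so the version comment no longer sits next to the hash it describes and now reads as a comment on `cache-binary`. Place the `with:` block after the annotation, matching the other pinned steps in these files where the `# vX.Y.Z` comment directly follows the `uses:` line it labels.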
@@ -51,15 +51,13 @@ on: registry-password: required: true -permissions: - id-token: write - packages: write - contents: read - attestations: write - security-events: write - jobs: build-and-push-image: + permissions: + packages: write + contents: read + attestations: write + security-events: write name: Docker build and push runs-on: ${{ inputs.runs-on }} steps: From f3345202d225cb19b78f489786d3bfa0fcb0c0bf Mon Sep 17 00:00:00 2001 From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:54:19 +0100 Subject: [PATCH 12/12] reusable wf --- .github/workflows/github-actions-analyzer.yml | 48 ------------------- .github/workflows/infra-security-scan.yml | 42 +++++++++++++++- 2 files changed, 40 insertions(+), 50 deletions(-) delete mode 100644 .github/workflows/github-actions-analyzer.yml diff --git a/.github/workflows/github-actions-analyzer.yml b/.github/workflows/github-actions-analyzer.yml deleted file mode 100644 index 462f30f..0000000 --- a/.github/workflows/github-actions-analyzer.yml +++ /dev/null 
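Review bot: Moving the permission block to the job level drops `id-token: write`, which the workflow-level block granted; if the build-and-push-image job still runs a build-provenance attestation or OIDC-based login step (the retained `attestations: write` suggests it does), that step now fails for lack of an OIDC token. The job's steps are below the hunk, so confirm whether any of them needs `id-token: write` and add it to the new job-level block if so; otherwise the drop is a welcome reduction. Scoping permissions per job is the right direction, since the workflow-level block applied to every job.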
@@ -1,48 +0,0 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-jobs:
- zizmor:
- name: zizmor latest via PyPI
- runs-on: ubuntu-latest
- permissions:
- security-events: write
- steps:
- - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
- # v2.10.2
- with:
- disable-sudo: true
- egress-policy: block
- allowed-endpoints: >
- api.github.com:443
- files.pythonhosted.org:443
- github.com:443
- objects.githubusercontent.com:443
- pypi.org:443
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- # v4.2.2
- with:
- fetch-depth: 0
- persist-credentials: false
-
- - name: Install the latest version of uv
- uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a
- # v5.1.0
-
- - name: Run zizmor 🌈
- run: uvx zizmor --format sarif . > results.sarif
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0
- # v2.19.0
- with:
- sarif_file: results.sarif
- category: zizmor
diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml
index 5dfcfc1..b67b003 100644
--- a/.github/workflows/infra-security-scan.yml
+++ b/.github/workflows/infra-security-scan.yml
@@ -24,6 +24,8 @@ jobs:
 infra-security-scan:
 name: Scan with Kics
 runs-on: ${{ inputs.runs-on }}
+ permissions:
+ security-events: write
 defaults:
 run:
 working-directory: ${{ inputs.working-directory }}
@@ -51,7 +53,7 @@ jobs:
 # v2.1.3
 with:
 path: .
- output_path: ${{ inputs.working-directory }}/results.sarif
+ output_path: ${{ inputs.working-directory }}/kics_results.sarif
 output_formats: sarif
 fail_on: high,medium
 token: ${{ github.token }}
@@ -63,7 +65,43 @@ jobs: uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 # v2.19.0 with: - sarif_file: ${{ inputs.working-directory }}/results.sarif + sarif_file: ${{ inputs.working-directory }}/kics_results.sarif + + zizmor: + name: zizmor GitHub Actions Security Analysis + runs-on: ${{ inputs.runs-on }} + permissions: + security-events: write + steps: + - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f + # v2.10.2 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.github.com:443 + files.pythonhosted.org:443 + github.com:443 + objects.githubusercontent.com:443 + pypi.org:443 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + # v4.2.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Install the latest version of uv + uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a + # v5.1.0 + - name: Run zizmor 🌈 + run: uvx zizmor --format sarif . > zizmor_results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 + # v2.19.0 + with: + sarif_file: zizmor_results.sarif + category: zizmor checkmake: name: Check Makefile