From 262913d3a793b5aa4564983c4a12a2933de66f3f Mon Sep 17 00:00:00 2001
From: "Kaczmarska, Katarzyna Ewa"
Date: Tue, 24 Sep 2024 14:31:51 +0200
Subject: [PATCH] Scorecard fixes
---
 .github/workflows/autopep8.yml | 8 ++++++++
 .github/workflows/bandit.yml | 8 ++++++++
 .github/workflows/codeql.yml | 18 +++++++++++++-----
 .github/workflows/scorecard.yml | 5 +++++
 4 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/autopep8.yml b/.github/workflows/autopep8.yml
index 74ede84..bb116a6 100644
--- a/.github/workflows/autopep8.yml
+++ b/.github/workflows/autopep8.yml
@@ -7,10 +7,18 @@ on:
 # The branches below must be a subset of the branches above
 branches: [ "main" ]
+permissions:
+ contents: read
+
 jobs:
 python-code-format:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout code
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index d1bdc16..f689983 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -10,12 +10,20 @@ on:
 - cron: '40 5 * * 5'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 bandit_scan:
 runs-on: ubuntu-latest
 permissions:
 security-events: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Perform Bandit Analysis
 uses: PyCQA/bandit-action@8a1b30610f61f3f792fe7556e888c9d7dffa52de # v1.0.0
 with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 822cb09..876050a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on:
 schedule:
 - cron: '25 0 * * 2'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})
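Review bot: `egress-policy: audit` on the new Harden Runner step only records outbound connections; it does not stop a compromised step or dependency from reaching an arbitrary host, so the hardening this hunk adds is observational until the policy is switched to `block`. Once an audit run has shown which hosts the job contacts, change it to `egress-policy: block` with an `allowed-endpoints:` list taken from that report. The same audit setting is used in all four workflows of this patch, so this applies to each of them. The python-code-format job continues past the end of the hunk.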
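Review bot: The workflow-level `permissions: contents: read` added here is not inherited by the bandit_scan job, because the job already declares its own `permissions:` block and a job-level block replaces, rather than merges with, the workflow-level one; every scope the job does not list is set to none. If PyCQA/bandit-action needs to read the repository (it is the first real step, so there is no separate checkout; whether the action checks out internally is not visible here), add `contents: read` next to `security-events: write` in the job's block so the token keeps read access. The rest of the job is outside the hunk.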
@@ -54,12 +57,17 @@ jobs:
 # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -87,16 +95,16 @@ jobs:
 exit 1
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
 with:
 category: "/language:${{matrix.language}}"
 - name: Generate Security Report
- uses: rsdmike/github-security-report-action@v3.0.4
+ uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
 with:
 template: report
 token: ${{ secrets.AI_PC_NOTEBOOKS_TOKEN }}
 - name: GitHub Upload Release Artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: report
 path: |
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 41e9ed9..629e667 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
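Review bot: The checkout pin in this hunk moves to `692973e3…` (v4.1.7) while autopep8.yml and scorecard.yml in the same patch stay on `a5ac7e51…` (v4.1.6); with SHA pinning the hash is what a reader audits, so one pinned version of actions/checkout across the workflows means one hash to verify instead of two. Either update the other two files to `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` or leave all three at v4.1.6 and let Dependabot/Renovate bump them together. The `# v4.1.7` and `# v3.26.8` trailing comments are what those tools key on, so keep them accurate when the hash changes. The analyze job's steps continue past the hunk.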
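Review bot: `token: ${{ secrets.AI_PC_NOTEBOOKS_TOKEN }}` hands a long-lived PAT to the third-party rsdmike/github-security-report-action; pinning that action to a SHA (done here) limits what a future tag move could do, but the workflow-level `contents: read` added by this patch does not constrain a PAT at all, so the action runs with whatever that token can do. If the action works with the job token, prefer `token: ${{ secrets.GITHUB_TOKEN }}` with `security-events: read` granted at the job level; otherwise scope the PAT to this repository and read-only code-scanning access and note that in a comment on the line. The report is then uploaded as a workflow artifact; if this repository is public, artifacts can be downloaded by anyone who can see the run, so confirm that publishing a report of open alerts is intended. The `path: |` block scalar continues past the hunk.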
@@ -19,6 +19,11 @@ jobs:
 id-token: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
 - name: "Checkout code"
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 with:
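Review bot: This job carries `id-token: write`, so any step in it can mint an OIDC token; with `egress-policy: audit` the new Harden Runner step only logs where that token (or the checkout's GITHUB_TOKEN) is sent and blocks nothing. For a workflow whose purpose is to measure supply-chain posture, run it once in audit mode, then switch to `egress-policy: block` with the hosts observed in the audit report listed under `allowed-endpoints:`. The checkout here stays at v4.1.6 while codeql.yml in the same patch is bumped to v4.1.7; aligning them keeps one hash to verify. The job's remaining steps are outside the hunk.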