[StepSecurity] Apply security best practices (#63)

Signed-off-by: StepSecurity Bot <[email protected]> Co-authored-by: Ivan Gabaldon <[email protected]>
JSPaste · Jan 25, 2024 · 89001ab · 89001ab
1 parent f8a1d2b
commit 89001ab
Show file tree

Hide file tree

Showing 8 changed files with 139 additions and 90 deletions.
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -9,6 +9,9 @@ concurrency:
     group: '${{ github.workflow }}-${{ github.ref }}'
     cancel-in-progress: true
 
+permissions:
+    contents: read
+
 jobs:
     build:
         name: 'Build container image'
@@ -23,6 +26,11 @@ jobs:
             IMAGE_TAG: 'experimental ${{ github.sha }}'
 
         steps:
+            - name: 'Harden Runner'
+              uses: step-security/harden-runner@v2
+              with:
+                  egress-policy: audit
+
             - name: 'Checkout'
               uses: actions/checkout@v4
 

diff --git a/.github/workflows/prettify.yml b/.github/workflows/prettify.yml
diff --git a/.github/workflows/security-dependencies.yml b/.github/workflows/security-dependencies.yml
@@ -0,0 +1,22 @@
+# TODO: Experimental feature
+name: 'CI/Security-Dependencies'
+on: [pull_request]
+
+permissions:
+    contents: read
+
+jobs:
+    dependency-review:
+        name: 'Dependency analysis'
+        runs-on: ubuntu-latest
+        steps:
+            - name: 'Harden Runner'
+              uses: step-security/harden-runner@v2
+              with:
+                  egress-policy: audit
+
+            - name: 'Checkout'
+              uses: actions/checkout@v4
+
+            - name: 'Dependency Review'
+              uses: actions/dependency-review-action@v4
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -1,17 +1,51 @@
-# TODO: Experimental feature
 name: 'CI/Security'
 on:
     schedule:
-        - cron: '44 1 * * 0'
+        - cron: '33 3 * * 1'
     push:
         branches: ['dev']
         paths-ignore:
             - '*.md'
             - '.*ignore'
+    pull_request:
+        branches: ['dev']
+        paths-ignore:
+            - '*.md'
+            - '.*ignore'
 
 permissions: read-all
 
 jobs:
+    codeql:
+        name: 'CodeQL analysis'
+        runs-on: ubuntu-latest
+        permissions:
+            security-events: write
+
+        strategy:
+            fail-fast: false
+            matrix:
+                language: ['javascript', 'typescript']
+
+        steps:
+            - name: 'Harden Runner'
+              uses: step-security/harden-runner@v2
+              with:
+                  egress-policy: audit
+
+            - name: 'Checkout'
+              uses: actions/checkout@v4
+
+            - name: 'Setup CodeQL'
+              uses: github/codeql-action/init@v3
+              with:
+                  languages: '${{ matrix.language }}'
+
+            - name: 'Run analysis'
+              uses: github/codeql-action/analyze@v3
+              with:
+                  category: '/language:${{matrix.language}}'
+
     scoreboard:
         name: 'Scorecard analysis'
         runs-on: ubuntu-latest
@@ -20,6 +54,11 @@ jobs:
             id-token: write
 
         steps:
+            - name: 'Harden Runner'
+              uses: step-security/harden-runner@v2
+              with:
+                  egress-policy: audit
+
             - name: 'Checkout'
               uses: actions/checkout@v4
               with:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,14 +10,19 @@ concurrency:
     group: '${{ github.workflow }}-${{ github.ref }}'
     cancel-in-progress: true
 
+permissions:
+    contents: read
+
 jobs:
     test:
-        name: "Test suite"
+        name: 'Test suite'
         runs-on: ubuntu-latest
-        permissions:
-            contents: read
-
         steps:
+            - name: 'Harden Runner'
+              uses: step-security/harden-runner@v2
+              with:
+                  egress-policy: audit
+
             - name: 'Checkout'
               uses: actions/checkout@v4
               with:

diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -0,0 +1 @@
+pnpm run fix
diff --git a/package.json b/package.json
@@ -10,6 +10,7 @@
 		"fix": "pnpm run prettier && pnpm run lint",
 		"lint": "pnpm run lint:tsc",
 		"lint:tsc": "pnpm exec tsc --noEmit",
+		"prepare": "husky",
 		"prettier": "pnpm exec prettier . --write",
 		"prod": "pnpm run build && pnpm run start",
 		"start": "pnpm exec next start"
@@ -35,6 +36,7 @@
 		"zustand": "^4.5.0"
 	},
 	"devDependencies": {
+		"husky": "^9.0.2",
 		"prettier": "^3.2.4",
 		"prettier-plugin-jsdoc": "^1.3.0",
 		"prettier-plugin-packagejson": "^2.4.9"