From 398da0f228eb858ac3fcc2f2a39bb6bcb201df31 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Mon, 7 Aug 2023 16:21:20 -0700
Subject: [PATCH] build: Apply security best practices (#749)
Co-authored-by: Brain
---
 .github/dependabot.yml | 5 ++
 .github/workflows/ci.yml | 53 +++++++++++----
 .github/workflows/codeql.yml | 78 ++++++++++++++++++++++
 .github/workflows/construct-vcpkg-info.yml | 9 ++-
 .github/workflows/dependency-review.yml | 27 ++++++++
 .github/workflows/docker.yml | 17 +++--
 .github/workflows/documentation-check.yml | 7 +-
 .github/workflows/documentation.yml | 9 ++-
 .github/workflows/gitguardian.yml | 9 ++-
 .github/workflows/scorecard.yml | 5 ++
 .github/workflows/sitemap.yml | 5 ++
 .github/workflows/stale.yml | 7 +-
 .github/workflows/target-master.yml | 9 ++-
 Dockerfile | 2 +-
 14 files changed, 211 insertions(+), 31 deletions(-)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5ebf7ccf73..7f772abcd5 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,3 +12,8 @@ updates:
 schedule:
 interval: "daily"
 target-branch: "dev"
+
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5dc097aad3..790840a3f1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
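Review bot: The new `github-actions` Dependabot entry has no `target-branch`, so its update PRs will open against the repository's default branch, while the entry immediately above it (visible in the hunk's context lines) targets `dev`. If action bumps are meant to flow through the same integration branch as the other updates, add `target-branch: "dev"` under the new entry; if the default branch is intended, a one-line comment saying so would stop the next reader from treating it as an omission. Quoting the new values (`directory: "/"`, `interval: "daily"`) would also match the style of the existing entries rather than mixing bare and quoted scalars in one file.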
@@ -36,8 +36,13 @@ jobs: - { arch: 'amd64', os: ubuntu-20.04, cpp-version: g++-8 } steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Install apt packages run: sudo sed -i 's/azure\.//' /etc/apt/sources.list && sudo apt update && sudo apt install ${{ matrix.cfg.cpp-version }} ninja-build libsodium-dev libopus-dev zlib1g-dev rpm @@ -73,8 +78,13 @@ jobs: - { arch: 'amd64', os: ubuntu-20.04, cpp-version: g++-9, cmake-flags: '' } steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Install apt packages run: sudo sed -i 's/azure\.//' /etc/apt/sources.list && sudo apt update && sudo apt install ${{ matrix.cfg.cpp-version }} ninja-build libsodium-dev libopus-dev zlib1g-dev rpm @@ -93,14 +103,14 @@ jobs: - name: Upload Binary (DEB) if: ${{ matrix.cfg.cpp-version == 'g++-10' }} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "libdpp - Debian Package ${{matrix.cfg.arch}}" path: '${{github.workspace}}/build/*.deb' - name: Upload Binary (RPM) if: ${{ matrix.cfg.cpp-version == 'g++-10' }} - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "libdpp - RPM Package ${{matrix.cfg.arch}}" path: '${{github.workspace}}/build/*.rpm' 
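Review bot: `egress-policy: audit` on the newly added Harden Runner steps only records outbound connections; it does not block anything, so these build jobs are no better protected against a compromised action or dependency phoning home than they were before this commit. Once a few audit runs have established the endpoint set, switch the jobs to `egress-policy: block` with an explicit `allowed-endpoints:` list (the GitHub API/hosts, the apt mirrors reached by the `apt install` step, and the artifact upload host). Until then the step is telemetry, and the PR title's "security best practices" should be read as "SHA pinning plus monitoring", not egress control. The enclosing `jobs:` mapping starts before this hunk.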
@@ -109,8 +119,13 @@ jobs: name: macOS x64 runs-on: macos-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Install homebrew packages run: brew install cmake ninja libsodium opus openssl @@ -142,16 +157,21 @@ jobs: name: "Windows ${{matrix.cfg.name}}-${{matrix.cfg.config}}-vs${{matrix.cfg.vs}}" runs-on: ${{matrix.cfg.os}} steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: path: main - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v1.0.2 + uses: microsoft/setup-msbuild@c26a08ba26249b81327e26f6ef381897b6a8754d # v1.0.2 - name: Install chocolatey packages ${{ matrix.cfg.arch}} - uses: seanmiddleditch/gha-setup-ninja@master + uses: seanmiddleditch/gha-setup-ninja@6263846cf3c17009dfc81604efabae16044fc074 # master - name: Generate CMake (x64) if: ${{ matrix.cfg.arch == 'x64' }} @@ -180,7 +200,7 @@ jobs: DONT_RUN_VCPKG: true - name: Upload Binary - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "libdpp - Windows ${{matrix.cfg.name}}-${{matrix.cfg.config}}-vs${{matrix.cfg.vs}}" path: '${{github.workspace}}/main/build/*.zip' 
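Review bot: `seanmiddleditch/gha-setup-ninja@6263846cf3c17009dfc81604efabae16044fc074 # master` pins an arbitrary commit of a moving branch rather than a release, so the `# master` comment gives a reader no upstream version to check the SHA against and the pin will silently drift from anything the action's author actually published. Pin to a tagged release of that action if one exists (the comment should then name the tag, e.g. `# vN`), or at minimum record next to it why this particular commit was chosen. The same caution applies to `microsoft/setup-msbuild@c26a08ba... # v1.0.2`, which is pinned to a very old tag of that action; the SHA is safe but the line it freezes is not one that will receive fixes.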
@@ -198,8 +218,13 @@ jobs: name: ${{matrix.cfg.name}} runs-on: ${{matrix.cfg.os}} steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Install Packages run: sudo sed -i 's/azure\.//' /etc/apt/sources.list && sudo apt update && sudo apt install cmake ninja-build rpm @@ -214,13 +239,13 @@ jobs: run: cd build && cpack --verbose - name: Upload Binaries (DEB) - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "libdpp - Debian Package ${{matrix.cfg.name}}" path: "${{github.workspace}}/build/*.deb" - name: Upload Binaries (RPM) - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: name: "libdpp - RPM Package ${{matrix.cfg.name}}" path: "${{github.workspace}}/build/*.rpm" @@ -229,7 +254,7 @@ jobs: # runs-on: macos-10.15 # name: FreeBSD (g++-10) # steps: -# - uses: actions/checkout@v3 +# - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 # - name: FreeBSD Build and Package # id: freebsdtest # uses: vmactions/freebsd-vm@v0.1.5 @@ -247,7 +272,7 @@ jobs: # cpack --verbose # # - name: Upload Binaries (BZ2) -# uses: actions/upload-artifact@v3 +# uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 # with: # name: "libdpp - FreeBSD x64" # path: "${{github.workspace}}/build/*.tar.bz2" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000000..5a8cdd3d34 --- /dev/null +++ b/.github/workflows/codeql.yml 
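Review bot: The commented-out FreeBSD job was updated to the pinned `actions/checkout` and `actions/upload-artifact` SHAs, but `vmactions/freebsd-vm@v0.1.5` in the same dead block is still a floating tag, so reviving the block would quietly reintroduce an unpinned action. Either pin it as well (`# uses: vmactions/freebsd-vm@<sha> # v0.1.5`) or delete the block so it is not half-maintained. The packaging hunk above it changes only action references and raises nothing further.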
@@ -0,0 +1,78 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["master"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["master"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["cpp"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/construct-vcpkg-info.yml b/.github/workflows/construct-vcpkg-info.yml index e8908fb825..45a063fe55 100644 --- a/.github/workflows/construct-vcpkg-info.yml +++ b/.github/workflows/construct-vcpkg-info.yml @@ -9,13 +9,18 @@ jobs: Collect-Vcpkg-Info: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@72ae4ccbe57f82bbe08411e84e2130bd4ba1c10f # v2 with: php-version: '8.1' - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: submodules: recursive diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..7b5e511880 --- /dev/null +++ b/.github/workflows/dependency-review.yml 
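Review bot: The `Autobuild` step is unlikely to give CodeQL a useful C++ build here: the ci.yml hunks in this same commit show the project installing `libsodium-dev`, `libopus-dev` and `zlib1g-dev` via apt before CMake runs, and Autobuild does not install system packages, so the analysis will either fail or cover only whatever configures without them. Replace Autobuild with an explicit dependency-install step and the same CMake/Ninja build the CI workflow uses, as sketched below (the exact configure flags should be copied from ci.yml rather than guessed). Separately, the workflow triggers only on `master` pushes and PRs while the Dependabot entry added in this commit targets `dev`; if `dev` is the integration branch, add it to both `branches` lists so code is scanned before it reaches master.

```yaml
      # … unchanged: Harden Runner, Checkout repository, Initialize CodeQL …

      # Autobuild cannot install the system libraries D++ links against (see ci.yml).
      - name: Install build dependencies
        run: sudo apt update && sudo apt install -y ninja-build libsodium-dev libopus-dev zlib1g-dev

      - name: Build
        run: cmake -S . -B build -G Ninja && cmake --build build

      # … unchanged: Perform CodeQL Analysis …
```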
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 7360422568..0b4e6d1757 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
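Review bot: For this repository the Dependency Review action will have little to inspect: it compares only manifests the GitHub dependency graph understands, and the native dependencies here arrive via apt, Homebrew, vcpkg and git submodules (see the install and `submodules: recursive` steps elsewhere in this patch), none of which it parses, so in practice it will likely check the workflow `uses:` lines and not much else. That is still worth keeping, but the header comment's claim that "PRs introducing known-vulnerable packages will be blocked" should be qualified, and blocking only happens once the job is made a required status check in branch protection, which this commit cannot do. Consider also stating the failure policy in the file, e.g. `with:` / `fail-on-severity: moderate`, so the threshold is visible rather than inherited from the action's default.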
@@ -15,34 +15,39 @@ jobs: group: docker-deployment cancel-in-progress: false steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Set up QEMU - uses: docker/setup-qemu-action@v1 + uses: docker/setup-qemu-action@27d0a4f181a40b142cce983c5393082c365d1480 # v1.2.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@f211e3e9ded2d9377c8cadc4489a4e38014bc4c9 # v1.7.0 - name: Login to DockerHub - uses: docker/login-action@v1 + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - uses: docker/login-action@v1 + uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1.14.1 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push - uses: docker/build-push-action@v2 + uses: docker/build-push-action@ac9327eae2b366085ac7f6a2d02df8aa8ead720a # v2.10.0 with: push: true tags: brainboxdotcc/dpp - # copy multiplatform image from dockerhub to ghcr name: Push Image to multiple registries - uses: akhilerm/tag-push-action@v2.0.0 + uses: akhilerm/tag-push-action@f973043dc002b8e5a772c53e79441e6e1861e874 # v2.0.0 with: src: docker.io/brainboxdotcc/dpp:latest dst: | diff --git a/.github/workflows/documentation-check.yml b/.github/workflows/documentation-check.yml index 71e2046965..54a77e6e26 100644 --- a/.github/workflows/documentation-check.yml +++ b/.github/workflows/documentation-check.yml 
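Review bot: These pins freeze the Docker actions on their previous major lines (`setup-qemu-action` v1.2.0, `setup-buildx-action` v1.7.0, `login-action` v1.14.1, `build-push-action` v2.10.0), which, as far as their release notes go, are the releases that predate those actions' move to the Node 16 runtime; a SHA pin on an end-of-life major is exactly as safe as the last commit on it and will never receive fixes. Pin to the current major of each action instead (`docker/login-action@<sha> # v2.x` and likewise for the others) so the Dependabot entry added in this commit has a maintained line to follow. The two registry logins and the push are otherwise unchanged in behaviour; the job's `permissions:` block, if any, is outside the hunk so I cannot confirm the GHCR login has `packages: write`.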
@@ -18,8 +18,13 @@ jobs: runs-on: ubuntu-20.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Check docs spelling run: npx -y cspell lint --language-id=cpp --no-progress --no-summary --show-context --show-suggestions --relative --color docpages/*.md include/dpp/*.h diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index fce9ea45bc..c919c1bdf8 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml @@ -19,13 +19,18 @@ jobs: cancel-in-progress: false steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@72ae4ccbe57f82bbe08411e84e2130bd4ba1c10f # v2 with: php-version: '8.0' - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: submodules: recursive diff --git a/.github/workflows/gitguardian.yml b/.github/workflows/gitguardian.yml index e3abf8bf7b..81b8fd9b95 100644 --- a/.github/workflows/gitguardian.yml +++ b/.github/workflows/gitguardian.yml 
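Review bot: The Harden Runner step added to documentation-check.yml runs in `audit` mode, so it does nothing to constrain the `npx -y cspell lint …` step on the following context line, which fetches whatever `cspell` version the npm registry serves at run time; that is the one genuinely untrusted download in this job and it is left as-is. Pin the tool (`npx -y cspell@<version> lint …`) so the SHA-pinning discipline applied to `uses:` lines also covers tools pulled from `run:` steps, and consider `egress-policy: block` with `allowed-endpoints:` listing `registry.npmjs.org:443` plus the GitHub hosts once the audit output confirms that set. The documentation.yml hunk on this line is pinning only and raises nothing further.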
@@ -7,12 +7,17 @@ jobs: name: GitGuardian scan runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: fetch-depth: 0 # fetch all history so multiple commits can be scanned - name: GitGuardian scan - uses: GitGuardian/ggshield-action@master + uses: GitGuardian/ggshield-action@e1e79d4024761c6d9c55735e95cb3b0039a59a9e # master env: GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 20b4c09562..d3d538bbde 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: diff --git a/.github/workflows/sitemap.yml b/.github/workflows/sitemap.yml index 62f2198bfa..fe9a0aeb45 100644 --- a/.github/workflows/sitemap.yml +++ b/.github/workflows/sitemap.yml @@ -13,6 +13,11 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Checkout github pages repository run: git config --global user.email "robot@dpp.dev" && git config --global user.name "D++ Sitemap Updater Bot" && git clone https://braindigitalis:$PERSONAL_ACCESS_TOKEN@github.com/brainboxdotcc/dpp-web.git /home/runner/dpp-web env: diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index a4de1774e0..d5e4856260 100644 --- a/.github/workflows/stale.yml 
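Review bot: Adding Harden Runner in audit mode does not touch the real exposure in the sitemap job: the `git clone https://braindigitalis:$PERSONAL_ACCESS_TOKEN@github.com/brainboxdotcc/dpp-web.git` context line embeds a personal access token in the remote URL, so it is written into the clone's `.git/config` on the runner and is readable by every later step and tool in the job. Prefer `actions/checkout` with `repository: brainboxdotcc/dpp-web`, `token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}` and `path: dpp-web`, which stores the credential as an auth header that can be dropped with `persist-credentials: false` if the job does not need to push, or pass it per command via `git -c http.extraheader=…` instead of in the URL. The `env:` block that supplies the token continues past the hunk. The gitguardian and scorecard hunks on this line raise only the same points as elsewhere in the patch: `GitGuardian/ggshield-action@… # master` pins a branch commit rather than a release, and scorecard.yml is left on `actions/checkout` v3.1.0 while every other workflow moved to v3.5.3.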
+++ b/.github/workflows/stale.yml @@ -7,7 +7,12 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v4 + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + + - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4.1.1 with: stale-issue-message: 'This issue has had no activity and is being marked as stale. If you still wish to continue with this issue please comment to reopen it.' stale-pr-message: 'This pull request has had no activity and is being marked as stale. If you still wish to continue with this pull request please comment to reopen it.' diff --git a/.github/workflows/target-master.yml b/.github/workflows/target-master.yml index 790a8bff2a..5961cb0d27 100644 --- a/.github/workflows/target-master.yml +++ b/.github/workflows/target-master.yml @@ -14,13 +14,18 @@ jobs: cancel-in-progress: true steps: + - name: Harden Runner + uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0 + with: + egress-policy: audit + - name: Setup PHP - uses: shivammathur/setup-php@v2 + uses: shivammathur/setup-php@72ae4ccbe57f82bbe08411e84e2130bd4ba1c10f # v2 with: php-version: '8.0' - name: Checkout D++ - uses: actions/checkout@v3 + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 with: submodules: recursive diff --git a/Dockerfile b/Dockerfile index c47e4e1a35..0bd89cb9c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:focal +FROM ubuntu:focal@sha256:33a5cc25d22c45900796a1aca487ad7a7cb09f09ea00b779e3b2026b4fc2faba ENV DEBIAN_FRONTEND=noninteractive RUN apt-get update && apt-get install --no-install-recommends -y libssl-dev zlib1g-dev libsodium-dev libopus-dev cmake pkg-config g++ gcc git make && apt-get clean && rm -rf /var/lib/apt/lists/*
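Review bot: Pinning `ubuntu:focal` to a digest freezes the base image, so the container stops picking up the base layer's security fixes on rebuild unless something bumps that digest, and the Dependabot configuration changed in this same commit adds only a `github-actions` ecosystem, not `docker`. Add a matching entry to `.github/dependabot.yml` (`- package-ecosystem: docker`, `directory: /`, `schedule: { interval: daily }`) so the digest is refreshed rather than rotting. It is also worth a comment next to the `FROM` that the following `apt-get update && apt-get install` line still installs whatever the archive serves at build time, so the digest pin makes the base reproducible but not the whole image. The stale and target-master hunks on this line are pinning only.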