
[StepSecurity] Apply security best practices #313

Conversation

step-security-bot

Summary

This pull request is created by Secure Repo at the request of @varunsh-coder. Please merge the Pull Request to incorporate the requested changes. Please tag @varunsh-coder on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.

Security Fixes

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Harden runner usage

You can find a link to view insights and policy recommendations in the build log.

Please refer to the documentation to find more details.

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

Maintain Code Quality with Pre-Commit

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.

Feedback

For bug reports, feature requests, and general feedback, please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
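The Dependency Review section above describes the mechanism in one sentence: diff the dependency manifests between the base and head of a pull request, look the added or changed versions up in an advisory database, and fail the check when a match meets a severity threshold. The following script is an added illustration of that flow and is not code from this PR or from the actions/dependency-review-action project; the two package.json manifests, the advisory list and every version number in it are constructed for the example, and the real action queries the GitHub Advisory Database instead of an inline list.

```python
import json

# Constructed package.json manifests for the base branch and the pull-request head.
# All package names, versions and advisories in this file are made up for the example.
BASE_MANIFEST = json.dumps({
    "dependencies": {"lodash": "4.17.21", "express": "4.18.2"}
})
HEAD_MANIFEST = json.dumps({
    "dependencies": {"lodash": "4.17.21", "express": "4.17.1", "left-pad": "1.3.0"}
})

# Constructed stand-in for the advisory database the real action queries.
# "fixed_in" means every version below it is affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "express", "fixed_in": "4.18.0", "severity": "moderate"},
    {"id": "EXAMPLE-ADV-0002", "package": "left-pad", "fixed_in": "1.3.1", "severity": "low"},
    {"id": "EXAMPLE-ADV-0003", "package": "lodash", "fixed_in": "4.17.21", "severity": "high"},
]

SEVERITY_RANK = {"low": 1, "moderate": 2, "high": 3, "critical": 4}


def parse_version(text):
    """Turn '4.18.2' (optionally with a ^ or ~ range prefix) into a comparable tuple."""
    return tuple(int(part) for part in text.lstrip("^~").split("."))


def changed_dependencies(base_json, head_json):
    """Dependencies the PR adds or whose version it changes, as {name: head_version}.

    Removed dependencies are ignored: a removal cannot introduce a vulnerable version.
    """
    base = json.loads(base_json).get("dependencies", {})
    head = json.loads(head_json).get("dependencies", {})
    return {name: ver for name, ver in head.items() if base.get(name) != ver}


def vulnerable_changes(changed, advisories=ADVISORIES):
    """Match each changed dependency against the advisory list."""
    hits = []
    for name, version in changed.items():
        for adv in advisories:
            if adv["package"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                hits.append({"package": name, "version": version,
                             "advisory": adv["id"], "severity": adv["severity"]})
    return hits


def review(base_json, head_json, fail_on_severity="low"):
    """Return (hits, blocked): blocked is True when any hit meets the configured threshold."""
    hits = vulnerable_changes(changed_dependencies(base_json, head_json))
    threshold = SEVERITY_RANK[fail_on_severity]
    blocked = any(SEVERITY_RANK[h["severity"]] >= threshold for h in hits)
    return hits, blocked


if __name__ == "__main__":
    found, blocked = review(BASE_MANIFEST, HEAD_MANIFEST, fail_on_severity="moderate")
    for hit in found:
        print(f"{hit['package']}@{hit['version']}: {hit['advisory']} ({hit['severity']})")
    print("check failed" if blocked else "check passed")
```

Only the changed set is scanned, which is why the unchanged lodash entry produces no finding even though a constructed advisory exists for it; that is also why the check is a gate on what a pull request introduces, not a full audit of the repository's existing dependencies. The threshold mirrors the action's severity setting: the same two findings block the merge at `moderate` but not at `high`.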
@varunsh-coder varunsh-coder merged commit 1d7cff8 into step-security:main Jul 4, 2023
5 checks passed
@step-security-bot step-security-bot left a comment

Please find StepSecurity AI-CodeWise code comments inline or below.

.pre-commit-config.yaml

Please refer to 6 inline comments.

.github/workflows/dependency-review.yml

Please refer to 2 inline comments.

Feedback

We appreciate your feedback in helping us improve the service! To provide feedback, please use emojis on this comment. If you find a comment helpful, give it a 👍. If they aren't useful, kindly express that with a 👎. If you have questions or detailed feedback, please create a GitHub issue in StepSecurity/AI-CodeWise.

@@ -0,0 +1,14 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
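Review bot: The hooks introduced in this new file run only on machines where a developer has executed `pre-commit install`, and a commit made with `--no-verify` skips them entirely, so nothing in `.pre-commit-config.yaml` is enforced on its own. Pair it with a CI job that runs `pre-commit run --all-files` on pull requests so the same hooks gate merges, and consider adding that workflow in this PR alongside the dependency-review one.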

[High] Ensure pinned versions are used for dependencies in pre-commit hooks

The pre-commit hooks configuration includes several dependency repositories, but their versions are not pinned, allowing for non-reproducible builds and potential for unexpected behavior. Update each dependency to use a pinned version, or specify a version range to allow for patch updates.

rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/pre-commit/mirrors-eslint
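Review bot: `rev: v8.16.3` pins to a tag, not to a commit; a tag in a third-party repository can be moved to different content, whereas a commit SHA cannot, which is the same reason the workflow file in this PR pins actions to full SHAs. Run `pre-commit autoupdate --freeze` to rewrite each `rev:` as the release commit SHA with the tag kept in a trailing `# frozen: v8.16.3` comment, and review future autoupdate diffs like any other dependency bump.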

[Medium] Ensure that the pre-commit hook dependencies are obtained only from reliable sources

The pre-commit hook configuration includes URLs for external dependencies. Fetching dependencies from untrusted sources could introduce malicious code into the repository. Use only vetted, secure sources for third-party dependencies.

rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/pre-commit/mirrors-eslint
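Review bot: On the source concern for the `- repo:` URLs, both entries visible here are GitHub repositories under the `gitleaks` and `pre-commit` organisations, and `pre-commit/mirrors-eslint` is the pre-commit project's own mirror of eslint; the remaining risk is therefore mutability of what gets fetched rather than the hosting, which a commit-SHA `rev:` addresses. Nothing here limits network access during hook installation, so the CI job that runs these hooks should also be covered by the Harden-Runner egress policy this PR describes.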

[Medium] Specify Git commit SHAs for version control

Configuring pre-commit to use the latest version of a tool may lead to version inconsistency between users or results that cannot be reproduced in the future. Specify Git commit SHAs and update only after thorough testing has been performed.

- repo: https://github.com/pre-commit/mirrors-eslint
rev: v8.38.0
hooks:
- id: eslint
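Review bot: The `eslint` hook from `mirrors-eslint` runs eslint inside the hook's own node environment, so any plugins or shareable configs that the repository's eslint configuration requires must be listed under `additional_dependencies:` on this hook, otherwise the hook fails at resolution time rather than linting. The hook also matches only files of type `javascript` by default; if the repository contains TypeScript or JSX, add `files: \.[jt]sx?$` together with `types: [file]` so those files are linted too.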

[Low] Pin hook versions to maintain consistency in the future

Pinning the hook versions ensures consistent behavior across all pre-commit hook runs, regardless of future changes to the hooks. Update each hook configuration to use the latest version at the time of editing or to use a common version among all hooks.

- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
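Review bot: The `gitleaks` hook checks staged content at commit time, so it does not find secrets that are already in the repository history, and a finding it does raise means the value must be treated as exposed once it has been committed anywhere, not merely removed from the diff. Add a one-off full-history scan (`gitleaks detect` over the clone) to the CI job that runs these hooks, and document in CONTRIBUTING that a hook failure on a real credential should be followed by rotation.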

[Low] Order the hooks in pre-commit by the repository they belong to

Organizing the hooks by repository helps ensure the code being checked is isolated from each other and can avoid conflicts. In addition, if we need to update one repository's hooks, we can reference all hooks under that repository. Group hooks together in the order of their repository, specifying the repository name. In this case, it can be sorted as: gitleaks, eslint, end-of-file-fixer and trailing-whitespace.

rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
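Review bot: `end-of-file-fixer` and `trailing-whitespace` rewrite files in place, so the first commit on any file that currently violates them fails once and must be re-staged, which surprises contributors who did not opt in to the hooks. Run `pre-commit run --all-files` once in this PR and commit the resulting whitespace changes so the tree is clean before the hooks land; the `- repo:` URL for this `rev: v4.4.0` block is not in this fragment, so the same SHA-pin recommendation applies to it as to the two entries shown above.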

[Low] Remove unused hooks from pre-commit

Unused hooks consume resources during execution and can clutter your pre-commit configuration file. Remove any hooks that are not being used to reduce clutter and increase performance.

- name: 'Checkout Repository'
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: 'Dependency Review'
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
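Review bot: Both `uses:` references in this hunk are already pinned to full commit SHAs with the release tag recorded in a trailing comment, which is the form that survives a moved tag; the follow-up is to keep the comment in sync with the SHA when Dependabot or a similar tool bumps it, since a stale comment misleads the next reviewer. The dependency-review step needs only `contents: read` at the job's `permissions:` level, and a `fail-on-severity:` input (supported by `dependency-review-action`) makes the blocking threshold explicit rather than relying on the default; neither is visible in this fragment, so add them if the lines not shown do not already.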

[High] Pin dependencies and update the pin regularly based on security bulletin updates

Dependency libraries should be pinned down to an exact version to ensure the integrity of the packages. This decreases the risk of package managers downloading malicious packages from a compromised mirror. Fix any vulnerabilities identified by the tool and specify dependencies using an exact version number rather than a version range.
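Several of the review comments in this thread, including the one on Git commit SHAs for pre-commit and the one just above on pinning action dependencies, come down to a single check: is each `rev:` in `.pre-commit-config.yaml` and each `uses:` in a workflow a full, immutable commit SHA rather than a movable tag? The script below is an added example of that check and is not part of this PR, of pre-commit, or of any StepSecurity tool. It deliberately parses the files line by line so it needs no YAML library. The pre-commit sample reproduces the two repositories and tags visible in this PR's diff, while the third repository URL and its 40-hex "SHA" are constructed; the workflow sample reproduces the two SHA-pinned steps from the dependency-review.yml diff and adds a constructed, deliberately unpinned step.

```python
import re

# Constructed sample of a .pre-commit-config.yaml, modelled on the repos named in this PR.
# The third repo URL and its 40-hex "SHA" are assumptions made for the example, not real values.
PRE_COMMIT_SAMPLE = """\
repos:
- repo: https://github.com/gitleaks/gitleaks
  rev: v8.16.3
  hooks:
  - id: gitleaks
- repo: https://github.com/pre-commit/mirrors-eslint
  rev: v8.38.0
  hooks:
  - id: eslint
- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: 3c3eefc31ab2d2ba6c3f3ba1d8b9d3a5d7a1b5c6  # frozen: v4.4.0 (constructed SHA)
  hooks:
  - id: end-of-file-fixer
  - id: trailing-whitespace
"""

# Constructed workflow sample. The two SHA-pinned steps reproduce the references visible in
# this PR's dependency-review.yml diff; the third step is a constructed, deliberately unpinned one.
WORKFLOW_SAMPLE = """\
name: 'Dependency Review'
on: [pull_request]
permissions:
  contents: read
jobs:
  dependency-review:
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: 'Dependency Review'
        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
      - name: 'Some other step'
        uses: example-org/example-action@v1
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
REPO_LINE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
REV_LINE = re.compile(r"""^\s*rev:\s*['"]?([^\s'"#]+)""")
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def is_full_sha(ref):
    """A ref is immutable only if it is a full 40-hex commit id; tags and branches can move."""
    return bool(FULL_SHA.match(ref))


def unpinned_pre_commit_revs(config_text):
    """Return (repo_url, rev) for every remote repo whose rev is not a full commit SHA.

    `repo: local` and `repo: meta` entries have no remote to pin and are skipped.
    """
    findings = []
    current_repo = None
    for line in config_text.splitlines():
        repo = REPO_LINE.match(line)
        if repo:
            current_repo = repo.group(1)
            continue
        rev = REV_LINE.match(line)
        if rev and current_repo not in (None, "local", "meta"):
            if not is_full_sha(rev.group(1)):
                findings.append((current_repo, rev.group(1)))
    return findings


def unpinned_workflow_uses(workflow_text):
    """Return (action, ref) for every `uses:` that is not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped: the former live in the
    repository itself and the latter are pinned by image digest, not by git ref.
    """
    findings = []
    for line in workflow_text.splitlines():
        uses = USES_LINE.match(line)
        if not uses:
            continue
        ref = uses.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, version = ref.partition("@")
        if not is_full_sha(version):
            findings.append((action, version))
    return findings


if __name__ == "__main__":
    for repo, rev in unpinned_pre_commit_revs(PRE_COMMIT_SAMPLE):
        print(f"pre-commit: {repo} rev {rev!r} is a tag, not a commit SHA")
    for action, ref in unpinned_workflow_uses(WORKFLOW_SAMPLE):
        print(f"workflow: {action}@{ref} is not SHA-pinned")
```

Run against the samples it reports the two tag-pinned pre-commit entries from this PR and the constructed unpinned action, and accepts the two SHA-pinned steps from the diff. The trailing `# v3.5.3`-style comment is ignored on purpose: it is documentation for humans, and the check must not be satisfied by a comment that no longer matches the SHA in front of it.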

@@ -0,0 +1,27 @@
# Dependency Review Action

[Low] Add a comment block explaining the functionality of the Dependency review action

It is always good practice to include a brief comment describing the action and its role in the workflow. Add comment blocks to help maintain the clarity of the source code by describing the functionality and role this action performs in the pipeline configuration.
