[StepSecurity] Apply security best practices #313
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| # Dependency Review Action | ||
| # | ||
| # This Action will scan dependency manifest files that change as part of a Pull Request, | ||
| # surfacing known-vulnerable versions of the packages declared or updated in the PR. | ||
| # Once installed, if the workflow run is marked as required, | ||
| # PRs introducing known-vulnerable packages will be blocked from merging. | ||
| # | ||
| # Source repository: https://github.com/actions/dependency-review-action | ||
| name: 'Dependency Review' | ||
| on: [pull_request] | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| dependency-review: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 | ||
| with: | ||
| egress-policy: audit | ||
|
|
||
| - name: 'Checkout Repository' | ||
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | ||
| - name: 'Dependency Review' | ||
| uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 | ||
|
There was a problem hiding this comment. [High]Pin dependencies and update the pin regularly based on security bulletin updates Dependence libraries should be pinned down to an exact version to ensure the integrity of the packages. This decreases the risk of package managers downloading malicious packages from a compromised mirror. Fix any vulnerabilities identified by the tool and specify dependencies using an exact version number rather than a version range. |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| repos: | ||
| - repo: https://github.com/gitleaks/gitleaks | ||
|
There was a problem hiding this comment. [High]Ensure pinned versions are used for dependencies in pre-commit hooks The pre-commit hooks configuration includes several dependency repositories, but their versions are not pinned, allowing for non-reproducible builds and potential for unexpected behavior. Update each dependency to use a pinned version, or specify a version range to allow for patch updates. |
||
| rev: v8.16.3 | ||
| hooks: | ||
| - id: gitleaks | ||
|
There was a problem hiding this comment. [Low]Order the hooks in pre-commit by the repository they belong to Organizing the hooks by repository helps ensure the code being checked is isolated from each other and can avoid conflicts. In addition, it can help in case we need to update one repository's hooks, we can reference all hooks under that repository. Group hooks together in the order of their repository specifying the repository name. In this case, it can be sorted as: gitleaks, eslint, end-of-file-fixer and trailing-whitespace. |
||
| - repo: https://github.com/pre-commit/mirrors-eslint | ||
|
There was a problem hiding this comment. [Medium]Ensure that the pre-commit hook dependencies are obtained only from reliable sources The pre-commit hook configuration includes URLs for external dependencies. Fetching dependencies from untrusted sources could introduce malicious code into the repository. Use only vetted, secure sources for third-party dependencies. There was a problem hiding this comment. [Medium]Specify Git commit SHAs for version control Configuring pre-commit to use the latest version of a tool may lead to version inconsistency between users or results that can not be reproduced in the future. Specify Git commit SHAs and update only after thorough testing has been performed. |
||
| rev: v8.38.0 | ||
| hooks: | ||
| - id: eslint | ||
|
There was a problem hiding this comment. [Low]Pin hook versions to maintain consistency in the future Pinning the hook versions ensures consistent behavior across all pre-commit hook runs, regardless of future changes to the hooks. Update each hook configuration to use the latest version at the time of editing or to use a common version among all hooks. |
||
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||
| rev: v4.4.0 | ||
| hooks: | ||
| - id: end-of-file-fixer | ||
| - id: trailing-whitespace | ||
|
There was a problem hiding this comment. [Low]Remove unused hooks from pre-commit Unused hooks consume resources during execution and can clutter your pre-commit configuration file. Remove any hooks that are not being used to reduce clutter and increase performance. |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[Low]Add a comment block explaining the functionality of the Dependancy review action
It is always good practice to include a brief comment describing the action and its role in the workflow. Add comment blocks to help maintain the clarity of the source code by describing the functionality and role this action performs in the pipeline configuration