o

.contentful/vault-secrets.yaml

@@ -0,0 +1,5 @@
+version: 1
+services:
+  github-action:
+    policies:
+      - dependabot

.github/CODEOWNERS

@@ -0,0 +1,4 @@
+* @contentful/team-security
+go.mod
+go.sum
+.github/workflows

.github/workflows/dependabot-approve-and-request-merge.yml

@@ -0,0 +1,15 @@
+name: "dependabot approve-and-request-merge"
+
+on: pull_request_target
+
+jobs:
+  worker:
+    permissions:
+      contents: write
+      id-token: write
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - uses: contentful/github-auto-merge@v1
+        with:
+          VAULT_URL: ${{ secrets.VAULT_URL }}

.github/workflows/docker-image.yaml

@@ -0,0 +1,46 @@
+name: Create and publish a Docker image
+
+on:
+  release:
+    types: [published]
+  # publish on pushes to the main branch (image tagged as "latest")
+  push:
+    branches:
+      - "*"
+  workflow_dispatch:
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/postmerge.yaml

@@ -10,7 +10,7 @@ jobs:
   codeql:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: github/codeql-action/init@v2
       with:
         languages: go
@@ -19,8 +19,8 @@ jobs:
   scorecard:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: ossf/scorecard-action@v2.1.3
+    - uses: actions/checkout@v4
+    - uses: ossf/scorecard-action@v2.2.0
       with:
         results_file: results.sarif
         results_format: sarif

.github/workflows/pr.yaml

@@ -6,7 +6,7 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
         go-version: '1.20'
@@ -17,7 +17,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
         go-version: '1.20'
@@ -26,7 +26,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - uses: actions/setup-go@v4
       with:
         go-version: '1.20'
@@ -36,5 +36,5 @@ jobs:
   dependency-review:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/dependency-review-action@v3

.github/workflows/sast.yaml

@@ -0,0 +1,31 @@
+name: SAST (Static Application Security Testing)
+
+on:
+  push:
+    branches: [master, main]
+  pull_request:
+    branches: [master, main]
+
+jobs:
+  polaris:
+    name: polaris / code-scan
+    continue-on-error: true
+    runs-on: ubuntu-latest
+    if: (github.repository_owner == 'contentful') && (endsWith(github.actor, '[bot]') == false)
+    steps:
+      - name: Clone repo
+        uses: actions/checkout@v4 # v4
+        with:
+          fetch-depth: 0
+
+      - name: Synopsys Polaris
+        uses: contentful/polaris-action@master
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          polaris_url: ${{ secrets.POLARIS_SERVER_URL }}
+          polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }}
+          debug: true
+          polaris_command: analyze -w --coverity-ignore-capture-failure
+          security_gate_filters: '{ "severity": ["High", "Medium"] }'
+          fail_on_error: false
+          report_url: "https://github.com/contentful/security-tools-config/issues/new?title=False%20positive%20in%20Polaris"

Dockerfile

@@ -0,0 +1,20 @@
+# Use the official Go image as the base image
+FROM golang:1.20 AS builder
+
+# Set the working directory
+WORKDIR /ko-app
+
+# Copy the Go application source code
+COPY . .
+
+# Build the Go application
+RUN CGO_ENABLED=0 go build -o allstar ./cmd/allstar
+
+# Use a minimal base image to reduce the image size
+FROM gcr.io/distroless/base-debian10
+
+# Copy the binary from the builder stage to the final image
+COPY --from=builder /ko-app/allstar /ko-app/allstar
+
+# Set the entry point for the final image
+ENTRYPOINT ["/ko-app/allstar"]

README.md

@@ -1,4 +1,4 @@
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/ossf/allstar/badge)](https://api.securityscorecards.dev/projects/github.com/ossf/allstar)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/contentful/allstar/badge)](https://api.securityscorecards.dev/projects/github.com/contentful/allstar)
 
 <img align="right" src="artwork/openssf_allstar_alt.png" width="300" height="400">
 
@@ -268,7 +268,7 @@ The details of how the `fix` action works for each policy is detailed below. If
 
 This policy's config file is named `branch_protection.yaml`, and the [config
 definitions are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/branch#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/branch#OrgConfig).
 
 The branch protection policy checks that GitHub's [branch protection
 settings](https://docs.github.com/en/github/administering-a-repository/defining-the-mergeability-of-pull-requests/about-protected-branches)
@@ -283,7 +283,7 @@ The `fix` action will change the branch protection settings to be in compliance
 
 This policy's config file is named `binary_artifacts.yaml`, and the [config
 definitions are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/binary#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/binary#OrgConfig).
 
 This policy incorporates the [check from
 scorecard](https://github.com/ossf/scorecard/#scorecard-checks). Remove the
@@ -295,7 +295,7 @@ itself](https://github.com/ossf/scorecard) to see all the detailed information.
 
 This policy's config file is named `outside.yaml`, and the [config definitions
 are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/outside#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/outside#OrgConfig).
 
 This policy checks if any [Outside
 Collaborators](https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/adding-outside-collaborators-to-repositories-in-your-organization)
@@ -307,7 +307,7 @@ untrusted members can change admin level settings and commit malicious code.
 
 This policy's config file is named `security.yaml`, and the [config definitions
 are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/security#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/security#OrgConfig).
 
 This policy checks that the repository has a security policy file in
 `SECURITY.md` and that it is not empty. The created issue will have a link to
@@ -319,7 +319,7 @@ that helps you commit a security policy to your repository.
 
 This policy's config file is named `dangerous_workflow.yaml`, and the [config
 definitions are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/workflow#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/workflow#OrgConfig).
 
 This policy checks the GitHub Actions workflow configuration files
 (`.github/workflows`), for any patterns that match known dangerous
@@ -331,7 +331,7 @@ for more information on this check.
 
 This policy's config file is named `scorecard.yaml`, and the [config definitions
 are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/scorecard#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/scorecard#OrgConfig).
 
 This policy runs any scorecard check listed in the `checks` configuration. All
 checks run must have a score equal or above the `threshold` setting. Please see
@@ -343,7 +343,7 @@ for more information on each check.
 
 This policy's config file is named `actions.yaml`, and the [config definitions
 are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/action#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/action#OrgConfig).
 
 This policy checks the GitHub Actions workflow configuration files
 (`.github/workflows`) (and workflow runs in some cases) in each repo to ensure
@@ -354,7 +354,7 @@ organization-level config for the policy.
 
 This policy's config file is named `admin.yaml`, and the [config definitions
 are
-here](https://pkg.go.dev/github.com/ossf/allstar/pkg/policies/admin#OrgConfig).
+here](https://pkg.go.dev/github.com/contentful/allstar/pkg/policies/admin#OrgConfig).
 
 This policy checks that by default all repositories must have a user or group assigned as an Administrator. It allows you to optionally configure if users are allowed to be administrators (as opposed to teams).
 
@@ -374,8 +374,8 @@ organization.
 
 ### Configuration Definitions
 
-- [Organization level enable configuration](https://pkg.go.dev/github.com/ossf/allstar/pkg/config#OrgOptConfig)
-- [Repository Override enable configuration]( https://pkg.go.dev/github.com/ossf/allstar/pkg/config#RepoOptConfig)
+- [Organization level enable configuration](https://pkg.go.dev/github.com/contentful/allstar/pkg/config#OrgOptConfig)
+- [Repository Override enable configuration]( https://pkg.go.dev/github.com/contentful/allstar/pkg/config#RepoOptConfig)
 
 ### Secondary Org-Level configuration location
 

cmd/allstar/main.go

@@ -25,9 +25,9 @@ import (
 	"syscall"
 	"time"
 
-	"github.com/ossf/allstar/pkg/enforce"
-	"github.com/ossf/allstar/pkg/ghclients"
-	"github.com/ossf/allstar/pkg/policies"
+	"github.com/contentful/allstar/pkg/enforce"
+	"github.com/contentful/allstar/pkg/ghclients"
+	"github.com/contentful/allstar/pkg/policies"
 
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"