Improve Scorecard scores (Boeing#152)

* add openssf best practices badge * adding security * remove binary file * improving workflow security * addings SHAs to base containers * fixing workflows * fixing workflows * updating security text
shiina4119 · Aug 23, 2024 · cc6fea8 · cc6fea8
1 parent e2a70e3
commit cc6fea8
Show file tree

Hide file tree

Showing 10 changed files with 88 additions and 23 deletions.
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -11,14 +11,22 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: '1.22'
 
@@ -29,10 +37,15 @@ jobs:
     needs: download
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: '1.22'
 
@@ -46,10 +59,15 @@ jobs:
     needs: download
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: '1.22'
 
@@ -65,12 +83,17 @@ jobs:
     permissions:
       contents: write
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       with:
         fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository.
 
     - name: Set up Go
-      uses: actions/setup-go@v4
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: '1.22'
 

diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -10,25 +10,32 @@ permissions:
   contents: read
   # Optional: allow read access to pull request. Use with `only-new-issues` option.
   pull-requests: read
-  # Optional: Allow write access to checks to allow the action to annotate code in the PR.
-  checks: write
 
 jobs:
   golangci:
     strategy:
       matrix:
         go: ['1.21']
         os: [ubuntu-latest, macos-latest, windows-latest]
+    permissions:
+      # Optional: Allow write access to checks to allow the action to annotate code in the PR.
+      checks: write
+
     name: lint
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: ${{ matrix.go }}
           cache: false
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v4
+        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc # v4.0.1
         with:
           # Require: The version of golangci-lint to use.
           # When `install-mode` is `binary` (default) the value can be v1.2 or v1.2.3 or `latest` to use the latest version.
@@ -48,4 +55,4 @@ jobs:
           # only-new-issues: true
 
           # Optional:The mode to install golangci-lint. It can be 'binary' or 'goinstall'.
-          # install-mode: "goinstall"
+          # install-mode: "goinstall"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,8 +9,7 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 permissions:
-  contents: write
-  packages: write
+  contents: read
 
 jobs:
   releases-matrix:
@@ -26,9 +25,17 @@ jobs:
           - goarch: arm64
             goos: windows
 
+    permissions:
+      packages: write
+
     steps:
-    - uses: actions/checkout@v3
-    - uses: wangyoucao577/go-release-action@v1
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+    - uses: wangyoucao577/go-release-action@8fa1e8368c8465264d64e0198208e10f71474c87 # v1.50
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         goos: ${{ matrix.goos }}
@@ -46,15 +53,20 @@ jobs:
     strategy:
       matrix:
         include:
-          - base: "alpine:3.19"
+          - base: "alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b"
             postfix: ""
           - base: "scratch"
             postfix: "-scratch"
-          - base: "ubuntu:20.04"
+          - base: "ubuntu:20.04@sha256:874aca52f79ae5f8258faff03e10ce99ae836f6e7d2df6ecd3da5c1cad3a912b"
             postfix: "-ubuntu"
 
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
     - name: Log in to the Container registry
       uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
       with:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -29,6 +29,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:

diff --git a/.gitignore b/.gitignore
@@ -5,6 +5,7 @@
 *.so
 *.dylib
 cmd/validator/validator
+bin/
 
 # Test binary, built with `go test -c`
 *.test

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
-ARG BASE_IMAGE=alpine:3.19
+ARG BASE_IMAGE=alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
 
-FROM golang:1.22 as go-builder
+FROM golang:1.22@sha256:f43c6f049f04cbbaeb28f0aad3eea15274a7d0a7899a617d0037aec48d7ab010 as go-builder
 ARG VALIDATOR_VERSION=unknown
 COPY . /build/
 WORKDIR /build

diff --git a/README.md b/README.md
@@ -11,6 +11,10 @@
     <img src="https://api.scorecard.dev/projects/github.com/Boeing/config-file-validator/badge" alt="OpenSSF Scorecard">
   </a>
 
+  <a href="https://www.bestpractices.dev/projects/9027">
+    <img src="https://www.bestpractices.dev/projects/9027/badge">
+  </a>
+
   <a href="https://opensource.org/licenses/Apache-2.0">
   <img src="https://img.shields.io/badge/License-Apache_2.0-blue.svg" alt="Apache 2 License">
   </a>

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,9 @@
+# Reporting Security Issues
+
+The config-file-validator admins and community take security bugs in the config-file-validator project seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/boeing/config-file-validator/security/advisories/new) tab.
+
+The config-file-validator admins will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+Report security bugs in third-party modules to the person or team maintaining the module.
diff --git a/bin/validator b/bin/validator
diff --git a/index.md b/index.md
@@ -25,6 +25,10 @@
     <img src="https://api.scorecard.dev/projects/github.com/Boeing/config-file-validator/badge" alt="OpenSSF Scorecard">
   </a>
 
+  <a href="https://www.bestpractices.dev/projects/9027">
+    <img src="https://www.bestpractices.dev/projects/9027/badge">
+  </a>
+
   <a href="https://opensource.org/licenses/Apache-2.0">
   <img src="https://img.shields.io/badge/License-Apache_2.0-blue.svg" alt="Apache 2 License">
   </a>
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,6 +5,7 @@ @@
     *.so
     *.dylib
     cmd/validator/validator
+    bin/
     # Test binary, built with `go test -c`
     *.test
@@ Expand Down @@