[StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <[email protected]>
seladb · Apr 16, 2024 · 3379534 · 3379534
1 parent e48be80
commit 3379534
Show file tree

Hide file tree

Showing 8 changed files with 230 additions and 0 deletions.
diff --git a/.github/workflows/auto_update.yml b/.github/workflows/auto_update.yml
@@ -4,11 +4,19 @@ on:
   schedule:
     - cron: '10 10 15 * *'
 
+permissions:
+  contents: read
+
 jobs:
   precommit-update:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
         with:
@@ -42,6 +50,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -9,11 +9,19 @@ env:
   BUILD_DIR: Dist
   GCOVR_FLAGS: --gcov-ignore-parse-errors --exclude-throw-branches --filter Common --filter Pcap --filter Packet --xml
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     container: seladb/alpine317
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -72,6 +80,11 @@ jobs:
             config-zstd: OFF
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -144,6 +157,11 @@ jobs:
             additional-flags: -DPCAPPP_USE_DPDK_KNI=ON
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -189,6 +207,11 @@ jobs:
           - configure: cmake -DPCAPPP_USE_PF_RING=ON -DPF_RING_ROOT="/PF_RING" -S . -B "$BUILD_DIR"
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -237,6 +260,11 @@ jobs:
             config-zstd: ON
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -312,6 +340,11 @@ jobs:
         os-version: [macos-14]
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -389,6 +422,11 @@ jobs:
             sys: mingw64
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -481,6 +519,11 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -568,6 +611,11 @@ jobs:
     runs-on: ${{ matrix.run-on-os }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -616,6 +664,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -659,6 +712,11 @@ jobs:
     container:
       image: gcr.io/oss-fuzz-base/base-builder
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v4
       - name: Install prerequisites
         run: |

diff --git a/.github/workflows/check_dependabot.yml b/.github/workflows/check_dependabot.yml
@@ -10,6 +10,11 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/checkout@v3
       - uses: marocchino/validate-dependabot@v2
         id: validate
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -3,6 +3,9 @@ on:
   pull_request:
     branches: ["dev"]
 
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest
@@ -11,6 +14,11 @@ jobs:
       matrix:
         sanitizer: [address, undefined, memory]
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - name: Build Fuzzers
       id: build
       uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -7,6 +7,9 @@ on:
   schedule:
     - cron: '15 14 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -21,6 +24,11 @@ jobs:
         language: [ 'cpp' ]
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@v3
 

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -36,6 +36,11 @@ jobs:
             config-zstd: OFF
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -78,6 +83,11 @@ jobs:
           - freebsd-version: "13.2"
           - freebsd-version: "14.0"
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -111,6 +121,11 @@ jobs:
         arch: [x86_64, arm64]
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: maxim-lobanov/setup-xcode@v1
         with:
           xcode-version: "${{ matrix.xcode-version }}"
@@ -148,6 +163,11 @@ jobs:
             sys: mingw64
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -207,6 +227,11 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -254,6 +279,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout code
         uses: actions/checkout@v3
 
@@ -299,6 +329,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - uses: actions/download-artifact@v4
         with:
           pattern: android-package-*