[StepSecurity] Apply security best practices #65

Merged
d637614
[StepSecurity] Apply security best practices
step-security-bot May 30, 2024
f7b0d8b
Update dependabot.yml
tylertitsworth May 30, 2024
802a380
Update dependency-review.yaml
tylertitsworth May 30, 2024
3d75d2a
Update container-ci.yaml
tylertitsworth May 30, 2024
5a31429
Update integration-test.yaml
tylertitsworth May 30, 2024
92d30c2
Update container-ci.yaml
tylertitsworth May 30, 2024
e0f3e68
Update container-ci.yaml
tylertitsworth May 30, 2024
4faa73a
Update action.yml
tylertitsworth May 30, 2024
408264a
Update container-ci.yaml
tylertitsworth May 30, 2024
9939dd3
Update docs.yaml
tylertitsworth May 30, 2024
454c3e0
Update gitleaks.yaml
tylertitsworth May 30, 2024
946da4c
Update dependency-review.yaml
tylertitsworth May 30, 2024
94eccf7
Update lint.yaml
tylertitsworth May 30, 2024
1f4a75e
Update lint.yaml
tylertitsworth May 30, 2024
7888483
Update integration-test.yaml
tylertitsworth May 30, 2024
32bcb2c
Update container-ci.yaml
tylertitsworth May 30, 2024
716c196
Update action.yml
tylertitsworth May 30, 2024
d503c32
Update dependency-review.yaml
tylertitsworth May 30, 2024
b0a848e
Update integration-test.yaml
tylertitsworth May 30, 2024
5bb17ef
Update dependency-review.yaml
tylertitsworth May 30, 2024
70403bd
Update integration-test.yaml
tylertitsworth May 30, 2024
e941700
Update integration-test.yaml
tylertitsworth May 30, 2024
deeaf73
Merge branch 'main' into stepsecurity_remediation_1717106086
May 30, 2024
0b16de4
Update chart-ci.yaml
tylertitsworth May 30, 2024
5ac2508
Update chart-ci.yaml
tylertitsworth May 30, 2024
0a5ea42
Update gitleaks.yaml
tylertitsworth May 30, 2024
d5696ae
Update integration-test.yaml
tylertitsworth May 30, 2024
3aee007
Update integration-test.yaml
tylertitsworth May 30, 2024
40 changes: 40 additions & 0 deletions .github/dependabot.yml
@@ -71,3 +71,43 @@ updates:
package-ecosystem: pip
schedule:
interval: weekly

- package-ecosystem: docker
directory: /classical-ml
schedule:
interval: weekly

- package-ecosystem: docker
directory: /preset/classical-ml
schedule:
interval: weekly

- package-ecosystem: docker
directory: /preset/data-analytics
schedule:
interval: weekly

- package-ecosystem: docker
directory: /preset/deep-learning
schedule:
interval: weekly

- package-ecosystem: docker
directory: /preset/inference-optimization
schedule:
interval: weekly

- package-ecosystem: docker
directory: /python
schedule:
interval: weekly

- package-ecosystem: docker
directory: /pytorch
schedule:
interval: weekly

- package-ecosystem: docker
directory: /tensorflow
schedule:
interval: weekly
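Review bot: these new entries only track Docker base images; the commit-SHA action pins introduced across the workflow files in this PR will go stale unless a `github-actions` ecosystem entry (with `directory: /`) is also configured, and none is visible in this hunk (it starts at line 71), so confirm one exists above it or add one with the same weekly schedule.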
15 changes: 10 additions & 5 deletions .github/workflows/chart-ci.yaml
@@ -27,17 +27,22 @@ jobs:
helm-ci:
runs-on: kubectl
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit

- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
# ref: "refs/pull/${{ github.event.number }}/merge"
- uses: azure/setup-kubectl@v4
- uses: azure/[email protected]
- uses: actions/setup-python@v5
- uses: azure/setup-kubectl@3e0aec4d80787158d308d7b364cb1b702e7feb7f # v4.0.0
- uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.x
- name: Setup chart-testing
uses: helm/[email protected]
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
- name: Get chart diff
id: changed
run: |
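Review bot: this job runs on `runs-on: kubectl`, a self-hosted runner label, and the Harden Runner agent's community tier is documented for GitHub-hosted Ubuntu runners; verify in the job log that the step actually installs and reports on this runner rather than exiting early, otherwise the `egress-policy: audit` line gives a false sense of coverage. Separately, `audit` only records outbound connections; once a baseline is captured, move to `egress-policy: block` with an `allowed-endpoints` list.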
41 changes: 27 additions & 14 deletions .github/workflows/container-ci.yaml
@@ -38,6 +38,7 @@ on:
ref:
description: 'Enter Git Ref:'
required: true
default: 'main'
type: string
runner_label:
description: 'Enter Validation Runner Label:'
@@ -82,7 +83,11 @@ jobs:
matrix: ${{ steps.build-matrix.outputs.matrix }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
- name: Set Matrix
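Review bot: `egress-policy: audit` here monitors but does not restrict traffic, so it adds no protection on its own; since this job checks out a caller-supplied `inputs.ref`, it is a good candidate to graduate to `block` once the audit run has produced the endpoint list. The SHA pins with trailing version comments (`# v2.8.0`, `# v4.1.6`) are in the format Dependabot understands, so they will be kept current if a `github-actions` ecosystem is configured.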
@@ -101,11 +106,11 @@ jobs:
outputs:
group: ${{ steps.build-group.outputs.container-group }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
if: ${{ !inputs.no_build }}
- uses: docker/login-action@v3
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ secrets.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
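Review bot: this build job did not receive the `Harden Runner` step that the other jobs in this file gained, yet it is the one that logs into the container registry with `REGISTRY_USER`/`REGISTRY_TOKEN` and runs the build, which is exactly where egress monitoring pays off. Add the same step ahead of `actions/checkout`, or note why this job is excluded (for example if it runs on a self-hosted runner).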
@@ -114,7 +119,7 @@ jobs:
- name: Build Container Group
if: ${{ !inputs.no_build }}
id: build-group
uses: intel/ai-containers/.github@main
uses: intel/ai-containers/.github@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
with:
group_dir: ${{ inputs.group_dir }}
env_overrides: ${{ inputs.env_overrides || env.env_overrides || '' }}
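Review bot: pinning `intel/ai-containers/.github` to commit `5d9f53d0…` while labelling it `# main` is misleading: the workflow no longer follows `main`, it is frozen at that commit, and Dependabot only bumps SHA pins whose comment names a tag, so this reference will need manual updates. Either tag the composite action and pin to the tag's SHA with that tag in the comment, or keep `@main` deliberately and say so, since it is this repository's own code.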
@@ -131,7 +136,11 @@ jobs:
outputs:
matrix: ${{ steps.scan-matrix.outputs.matrix }}
steps:
- uses: actions/download-artifact@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
path: matrix
- name: Set Matrix
@@ -146,25 +155,25 @@ jobs:
container: ${{ fromJSON(needs.setup-scan.outputs.matrix) }}
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
- uses: docker/login-action@v3
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ secrets.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Pull Image
run: docker pull ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
- name: Scan Container
uses: intel/ai-containers/.github/scan@main
uses: intel/ai-containers/.github/scan@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
with:
image-ref: ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
output: ${{ matrix.container }}-scan.sarif
- name: Cleanup
if: always()
run: docker rmi -f ${{ secrets.REGISTRY }}/${{ secrets.REPO }}:${{ matrix.container }}
- uses: github/codeql-action/upload-sarif@v3
- uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
sarif_file: '${{ matrix.container }}-scan.sarif'
####################################################################################################
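Review bot: the scan job also lacks the `Harden Runner` step added to its neighbours, even though it authenticates to the registry, pulls the image and uploads SARIF; apply it consistently or document the exception. The `intel/ai-containers/.github/scan@5d9f53d0… # main` pin has the same tag-versus-branch labelling issue as the build job above.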
@@ -176,7 +185,11 @@ jobs:
outputs:
matrix: ${{ steps.test-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
- name: Get Recipes
@@ -192,19 +205,19 @@ jobs:
experimental: [true]
fail-fast: false
steps:
- uses: step-security/harden-runner@v2
- uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@v4
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
ref: ${{ inputs.ref }}
- uses: docker/login-action@v3
- uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ secrets.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Test Container Group
uses: intel/ai-containers/test-runner@main
uses: intel/ai-containers/test-runner@5d9f53d02bdf065086dffa4ae6d99a412184710c # main
with:
cache_registry: ${{ secrets.CACHE_REGISTRY }}
recipe_dir: ${{ inputs.group_dir }}
13 changes: 10 additions & 3 deletions .github/workflows/dependency-review.yaml
@@ -21,7 +21,10 @@
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]
on:
pull_request_target:
types: [opened, edited, reopened, synchronize]
branches: [main]
permissions:
contents: read
concurrency:
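Review bot: replacing `pull_request` with `pull_request_target` changes the trust boundary, not just the trigger: the workflow now runs in the base repository's context, with access to repository secrets and, per the job below, a `pull-requests: write` token, for pull requests from forks as well. That is acceptable only while no step checks out or executes code from the PR head; add a comment next to the trigger stating that constraint so a future `ref: ${{ github.event.pull_request.head.sha }}` is not introduced casually. The `edited` type fires on title and body edits, which cannot change dependencies, and can be dropped.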
@@ -32,7 +35,11 @@ jobs:
permissions:
pull-requests: write
steps:
- uses: actions/checkout@v4
- uses: actions/dependency-review-action@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 # v4.3.2
with:
comment-summary-in-pr: true
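Review bot: the `actions/checkout` step has no `ref`, so under `pull_request_target` it checks out the base branch, which is the safe choice. `dependency-review-action` compares manifests through the dependency-graph API rather than the working tree, so unless a local `config-file` is referenced the checkout can be removed outright; that removes the one place where a later `ref` change would hand secrets to PR code.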
16 changes: 13 additions & 3 deletions .github/workflows/dockerhub-description.yml
@@ -23,7 +23,12 @@ jobs:
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit

- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Set matrix data
id: set-matrix
run: echo "matrix=$(jq -c . < .github/dockerhub-readmes.json)" >> $GITHUB_OUTPUT
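Review bot: `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"`; the runner sets a path without spaces today, but the unquoted expansion is the kind of thing super-linter (enabled elsewhere in this PR) flags, and quoting it costs nothing.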
@@ -34,8 +39,13 @@ jobs:
matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: peter-evans/dockerhub-description@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit

- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
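Review bot: this job holds `DOCKERHUB_USERNAME` and `DOCKERHUB_PASSWORD`, so it is where `egress-policy: block` with an `allowed-endpoints` list (the Docker Hub API host plus GitHub) would actually contain a compromised dependency; `audit` only logs. Run it in audit mode once to harvest the endpoints, then switch. If the credential is an account password rather than a scoped access token, consider rotating to a token, which Docker Hub can revoke independently.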
12 changes: 8 additions & 4 deletions .github/workflows/docs.yaml
@@ -30,17 +30,21 @@ jobs:
id-token: write
pages: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
with:
python-version: 3.8
cache: pip
- name: Install python requirements
run: python -m pip install -r docs/requirements.txt
- name: Build
run: mkdocs build --clean
- uses: actions/upload-pages-artifact@v3
- uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
with:
path: site
- if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
uses: actions/deploy-pages@v4
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
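Review bot: the actions are now pinned, but `python -m pip install -r docs/requirements.txt` runs arbitrary package code in a job that holds `id-token: write` and `pages: write`, so a compromised PyPI dependency would publish to the site. Unless `docs/requirements.txt` already carries `--hash` entries (not visible here), install with `pip install --require-hashes -r docs/requirements.txt` so the Python dependencies get the same pinning discipline as the actions.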
8 changes: 6 additions & 2 deletions .github/workflows/gitleaks.yaml
@@ -24,11 +24,15 @@ jobs:
name: gitleaks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
ref: "refs/pull/${{ github.event.number }}/merge"
- uses: gitleaks/gitleaks-action@v2
- uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5 # v2.3.6
env:
GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
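Review bot: `${{ secrets.GITLEAKS_LICENSE}}` is missing the space before `}}`; it still evaluates, but it breaks the style used on the line above. More substantively, `GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}` hands the scanner a stored PAT; the job-scoped `GITHUB_TOKEN` is enough for gitleaks-action to read the repository and comment on the PR, and it expires when the job ends, so prefer it and keep the PAT only if a specific need is documented.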
10 changes: 9 additions & 1 deletion .github/workflows/integration-test.yaml
@@ -28,7 +28,11 @@ jobs:
outputs:
groups: ${{ steps.group-list.outputs.FOLDERS }}
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
ref: "refs/pull/${{ github.event.number }}/merge"
@@ -75,6 +79,10 @@ jobs:
runs-on: ubuntu-latest
if: always()
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- run: exit 1
if: >-
${{
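Review bot: this job's only step is `run: exit 1` behind a condition, so it makes no network calls of its own; adding `Harden Runner` here buys no monitoring, but it does add an external action and a few seconds to a job that runs on every event (`if: always()`). Keeping it is harmless for consistency, but if the step is retained, note that it is there for uniformity rather than protection.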
8 changes: 6 additions & 2 deletions .github/workflows/lint.yaml
@@ -27,11 +27,15 @@ jobs:
name: Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
ref: "refs/pull/${{ github.event.number }}/merge"
- uses: super-linter/super-linter/[email protected]
- uses: super-linter/super-linter/slim@5b638caee6ba65e25e07143887b669a1233847a0 # v6.5.1
env:
# To report GitHub Actions status checks
GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }}
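Review bot: the inline comment says the token is needed "to report GitHub Actions status checks", which the job-scoped `GITHUB_TOKEN` can do with `statuses: write` (or `checks: write`) in the job's `permissions`; passing the long-lived `ACTION_TOKEN` PAT to a linter that executes against untrusted PR content widens the blast radius for no gain. Suggest switching to `${{ secrets.GITHUB_TOKEN }}` and declaring the minimal permissions.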
13 changes: 9 additions & 4 deletions .github/workflows/scorecard.yaml
@@ -35,20 +35,25 @@ jobs:
contents: read
actions: read
steps:
- uses: actions/checkout@v4
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
egress-policy: audit

- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
persist-credentials: false
- uses: ossf/[email protected]
- uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
with:
results_file: results.sarif
results_format: sarif
repo_token: ${{ secrets.ACTION_TOKEN }}
publish_results: true
- uses: actions/upload-artifact@v4
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- uses: github/codeql-action/[email protected]
- uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
with:
sarif_file: results.sarif
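Review bot: `github/codeql-action/upload-sarif` is pinned to `d39d31e6… # v3.25.3` here but to `9fdb3e49… # v3.25.6` in `container-ci.yaml`; Dependabot will eventually converge them, but aligning the two now avoids a noisy first round of update PRs and keeps a single reviewed SHA per action. `persist-credentials: false` on the checkout is the right call for a job that publishes results externally.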