From c1f1c4523dc02de1d0d3eb795cf3fe7f90b05bd5 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Fri, 5 Apr 2024 04:00:43 +0000 Subject: [PATCH] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/codeql_c.yml | 18 +++++--- .github/workflows/codeql_cpp.yml | 18 +++++--- .github/workflows/codeql_python.yml | 16 +++++-- .github/workflows/dependabot_reviewer.yml | 7 ++- .github/workflows/dependency-review.yml | 27 ++++++++++++ .github/workflows/rust-audit.yml | 52 ++++++++++++++++------- .github/workflows/scorecard.yml | 5 +++ .github/workflows/test_suite_c.yml | 17 +++++--- .github/workflows/test_suite_cpp.yml | 13 ++++-- .github/workflows/test_suite_python.yml | 19 ++++++--- .github/workflows/test_suite_rust.yml | 17 +++++--- .pre-commit-config.yaml | 18 ++++++++ 12 files changed, 173 insertions(+), 54 deletions(-) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/codeql_c.yml b/.github/workflows/codeql_c.yml index 3436c22..44a37f2 100644 --- a/.github/workflows/codeql_c.yml +++ b/.github/workflows/codeql_c.yml @@ -36,6 +36,9 @@ on: schedule: - cron: "0 0 * * 1" +permissions: + contents: read + jobs: analyze_c: name: Analyze C 
@@ -49,20 +52,25 @@ jobs: security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: languages: cpp # Build C Project - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 - name: Make Build Directory run: mkdir -p build - name: CMake Configure @@ -77,6 +85,6 @@ jobs: # Run the analysis - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: category: "/language:cpp" diff --git a/.github/workflows/codeql_cpp.yml b/.github/workflows/codeql_cpp.yml index b646fd5..166df44 100644 --- a/.github/workflows/codeql_cpp.yml +++ b/.github/workflows/codeql_cpp.yml @@ -36,6 +36,9 @@ on: schedule: - cron: "0 0 * * 1" +permissions: + contents: read + jobs: analyze_cpp: name: Analyze C++ 
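Review bot: The `uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable` line in this hunk loses the toolchain selection: as far as that action's documented behaviour goes, its default `toolchain` input is taken from the ref it is invoked with (`@stable`), and once the ref is a 40-character commit SHA there is no channel name left to resolve, so the pinned step is likely to fail or install something other than `stable`. Either keep `@stable` for this one action or make the channel explicit on the step, `with:` / `toolchain: stable`, everywhere it is SHA-pinned. The same concern applies, with less certainty, to the `taiki-e/install-action` pin commented `# cargo-llvm-cov` in test_suite_c and test_suite_rust, where the tool was previously chosen by the `@cargo-llvm-cov` ref; adding `with:` / `tool: cargo-llvm-cov` there removes any dependency on which branch the pinned commit came from. The identical `dtolnay/rust-toolchain` pin appears in codeql_cpp, all four rust-audit jobs, test_suite_c, test_suite_cpp, test_suite_python and test_suite_rust, so each of those hunks needs the same fix.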
@@ -49,20 +52,25 @@ jobs: security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: languages: cpp # Build C++ Project - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 - name: Make Build Directory run: mkdir -p build - name: CMake Configure @@ -77,6 +85,6 @@ jobs: # Run the analysis - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: category: "/language:cpp" diff --git a/.github/workflows/codeql_python.yml b/.github/workflows/codeql_python.yml index bd51b2e..9566434 100644 --- a/.github/workflows/codeql_python.yml +++ b/.github/workflows/codeql_python.yml @@ -36,6 +36,9 @@ on: schedule: - cron: "0 0 * * 1" +permissions: + contents: read + jobs: analyze: name: Analyze Python 
@@ -59,21 +62,26 @@ jobs: security-events: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: languages: python # Build Python Project - name: Setup Python ${{matrix.python-version}} id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{matrix.python-version}} cache: 'pip' @@ -86,6 +94,6 @@ jobs: # Run the analysis - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: category: "/language:python" diff --git a/.github/workflows/dependabot_reviewer.yml b/.github/workflows/dependabot_reviewer.yml index cf9e314..97d43ad 100644 --- a/.github/workflows/dependabot_reviewer.yml +++ b/.github/workflows/dependabot_reviewer.yml @@ -11,9 +11,14 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Dependabot metadata id: dependabot-metadata - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@0fb21704c18a42ce5aa8d720ea4b912f5e6babef # v2.0.0 - name: Enable auto-merge for Dependabot PRs run: gh pr merge --auto --merge "$PR_URL" env: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..3f34562 --- /dev/null 
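Review bot: `egress-policy: audit` in the Harden Runner step of the dependabot_reviewer hunk only records outbound connections and blocks nothing, so the job that goes on to run `gh pr merge --auto --merge "$PR_URL"` with a repository token keeps unrestricted egress. Audit is the right first run, but the follow-up — switching to `egress-policy: block` with an `allowed-endpoints:` list taken from the audit report (for this job presumably little more than `api.github.com:443` and `github.com:443`) — is not part of this commit and should be tracked. The same audit-only setting is used in every other Harden Runner step of this commit (codeql_c, codeql_cpp, codeql_python, dependency-review, rust-audit, scorecard and all test_suite workflows), so the tightening applies there too once each job's endpoint baseline is known. The rest of the job, including the token the merge step reads from `env:`, is outside the hunk.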
+++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/rust-audit.yml b/.github/workflows/rust-audit.yml index 59d1709..78466aa 100644 --- a/.github/workflows/rust-audit.yml +++ b/.github/workflows/rust-audit.yml @@ -9,10 +9,15 @@ jobs: name: Audit Rust runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 - - uses: EmbarkStudios/cargo-deny-action@v1 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 + - uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2 audit_c: name: Audit C runs-on: ubuntu-latest 
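Review bot: The new dependency-review.yml checks the repository out with `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, while every other workflow in this commit is pinned to `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`; v3 still targets the Node 16 runtime GitHub has deprecated, and two different pins of the same action make update tracking noisier. Use the v4.1.1 SHA here as well. `actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1` likewise appears to be behind the action's current major line — worth confirming before the pin is adopted. The step also relies entirely on defaults; an explicit `with:` / `fail-on-severity: moderate` (or whatever threshold the project wants) documents the gate the header comment promises instead of leaving it implicit.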
@@ -20,12 +25,17 @@ jobs: run: working-directory: bindings/c steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 - - uses: EmbarkStudios/cargo-deny-action@v1 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 + - uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2 audit_cpp: name: Audit C++ runs-on: ubuntu-latest @@ -33,12 +43,17 @@ jobs: run: working-directory: bindings/cpp steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 - - uses: EmbarkStudios/cargo-deny-action@v1 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 + - uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2 audit_python: name: Audit Python runs-on: ubuntu-latest 
@@ -46,9 +61,14 @@ jobs: run: working-directory: bindings/python steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 - - uses: EmbarkStudios/cargo-deny-action@v1 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 + - uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7732bf7..6c62f56 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -31,6 +31,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/test_suite_c.yml b/.github/workflows/test_suite_c.yml index 473c6eb..6a85981 100644 --- a/.github/workflows/test_suite_c.yml +++ b/.github/workflows/test_suite_c.yml 
@@ -38,19 +38,24 @@ jobs: cmake_flags: -DBUILD_WITH_CHECK_COVERAGE=ON runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + uses: taiki-e/install-action@6ec01d6033d5f6e87d04fc92d55eaa5b132b1ad4 # cargo-llvm-cov - name: Run Cargo Clippy run: cargo clippy - name: Run Cargo Fmt run: cargo fmt --check - name: Run Cargo Deny - uses: EmbarkStudios/cargo-deny-action@v1 + uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2 if: ${{ matrix.os == 'ubuntu-latest' }} - name: Generate coverage report from Rust tests run: cargo llvm-cov --all-features --lcov --output-path lcov.info @@ -86,7 +91,7 @@ jobs: sudo apt update sudo apt install -y lcov lcov -c -d . -o coverage.info - - uses: codecov/codecov-action@v4 + - uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0 with: flags: lang-c files: build/coverage.info diff --git a/.github/workflows/test_suite_cpp.yml b/.github/workflows/test_suite_cpp.yml index 7f9b398..ed7773d 100644 --- a/.github/workflows/test_suite_cpp.yml +++ b/.github/workflows/test_suite_cpp.yml 
@@ -38,11 +38,16 @@ jobs: cmake_flags: -DBUILD_WITH_CHECK_COVERAGE=ON runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 - name: Make Build Directory run: mkdir -p build - name: CMake Configure @@ -75,7 +80,7 @@ jobs: sudo apt update sudo apt install -y lcov lcov -c -d . -o coverage.info - - uses: codecov/codecov-action@v4 + - uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0 with: flags: lang-cpp files: build/coverage.info diff --git a/.github/workflows/test_suite_python.yml b/.github/workflows/test_suite_python.yml index 4388266..cee51a5 100644 --- a/.github/workflows/test_suite_python.yml +++ b/.github/workflows/test_suite_python.yml 
@@ -44,26 +44,31 @@ jobs: - "3" # Latest version runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v4 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: recursive - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 - name: Run Cargo Clippy run: cargo clippy - name: Run Cargo Fmt run: cargo fmt --check - name: Run Cargo Deny - uses: EmbarkStudios/cargo-deny-action@v1 + uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2 if: ${{ matrix.os == 'ubuntu-latest' }} - name: Setup Python ${{matrix.python-version}} id: setup-python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: ${{matrix.python-version}} cache: 'pip' - name: Cache virtualenv - uses: actions/cache@v4 + uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 with: key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version}}-${{ hashFiles('pyproject.toml') }} path: .venv @@ -85,7 +90,7 @@ jobs: run: | python -m ruff format --check . - name: Build Rust - uses: PyO3/maturin-action@v1 + uses: PyO3/maturin-action@6c040287d49afcbdb94da54484e3e17051e60e53 # v1.42.0 with: command: develop sccache: 'true' diff --git a/.github/workflows/test_suite_rust.yml b/.github/workflows/test_suite_rust.yml index 7bf212a..7133db5 100644 --- a/.github/workflows/test_suite_rust.yml +++ b/.github/workflows/test_suite_rust.yml 
@@ -30,21 +30,26 @@ jobs: - macos-latest runs-on: ${{matrix.os}} steps: - - uses: actions/checkout@v4 - - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: dtolnay/rust-toolchain@d0592fe69e35bc8f12e3dbaf9ad2694d976cb8e3 # stable + - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 - name: Install cargo-llvm-cov - uses: taiki-e/install-action@cargo-llvm-cov + uses: taiki-e/install-action@6ec01d6033d5f6e87d04fc92d55eaa5b132b1ad4 # cargo-llvm-cov - name: Run Cargo Clippy run: cargo clippy - name: Run Cargo Fmt run: cargo fmt --check - name: Run Cargo Deny - uses: EmbarkStudios/cargo-deny-action@v1 + uses: EmbarkStudios/cargo-deny-action@b01e7a8cfb1f496c52d77361e84c1840d8246393 # v1.6.2 if: ${{ matrix.os == 'ubuntu-latest' }} - name: Generate coverage report from Rust tests run: cargo llvm-cov --all-features --lcov --output-path lcov.info - - uses: codecov/codecov-action@v4 + - uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0 with: files: lcov.info flags: lang-rust diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..f517e8a --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,18 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/pocc/pre-commit-hooks + rev: v1.3.5 + hooks: + - id: cpplint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace +- repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint
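Review bot: The Harden Runner step added at the top of the test_suite_rust hunk runs for every entry of `matrix.os`, including the `macos-latest` entry visible in the context, but as far as I know the action only provides egress monitoring on GitHub-hosted Linux runners. If it does not exit cleanly elsewhere the whole macOS leg fails; if it does, the step is a silent no-op there, which the workflow should say. The same file already gates cargo-deny with `if: ${{ matrix.os == 'ubuntu-latest' }}`, so the same guard (or `if: runner.os == 'Linux'`) belongs on the Harden Runner step here and in the test_suite_c, test_suite_cpp and test_suite_python hunks, whose matrices are outside their hunks.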
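Review bot: The new .pre-commit-config.yaml pins each hook repository by tag (`rev: v8.16.3`, `rev: v1.3.5`, `rev: v4.4.0`, `rev: v2.17.2`), which is the one place in this commit where a moving ref survives: pre-commit accepts a full commit SHA in `rev`, and a tag can be re-pointed just as `@v4` could. Pinning each `rev` to the SHA the tag resolves to (keeping the tag in a trailing comment, as the workflow pins do) keeps the file consistent with the rest of the change; the listed versions also appear to be older releases, so the SHAs should be taken from whichever release is actually intended. The `pylint` hook has no counterpart in CI — test_suite_python runs `python -m ruff format --check .` — so developers get a local check the server never enforces; either add a ruff hook here or drop pylint so local and CI linting agree. The file also mixes sequence indentation (`- repo:` flush under `repos:`, `- id:` indented under `hooks:`); pick one form.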