
Commit 64da339

[StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
1 parent 1956fa1 commit 64da339

4 files changed

Lines changed: 55 additions & 7 deletions


.github/dependabot.yml

Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: github-actions
4+
directory: /
5+
schedule:
6+
interval: weekly
7+
groups:
8+
dev-dependencies:
9+
applies-to: version-updates
10+
patterns:
11+
- '*'
12+
dependency-type: development
13+
production-dependencies:
14+
applies-to: version-updates
15+
patterns:
16+
- '*'
17+
dependency-type: production
18+
cooldown:
19+
default-days: 7
20+
include:
21+
- '*'
22+
exclude:
23+
- react
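Review bot: The `sha256` digest pins this same commit adds to the Dockerfile will never be refreshed, because the only update source configured here is `package-ecosystem: github-actions`; with no `docker` entry the base images are frozen at today's digest and stop receiving security patches. Add a `docker` entry for `/`, and probably a `nuget` entry for the .NET project (the Dockerfile runs `dotnet publish` from `./sources/WebGoat.NET`, so that is likely the directory, but confirm). The `dependency-type: development`/`production` groups and the `react` cooldown exclusion look copied from an npm template; as far as I recall the dependency-type filter is not supported for the GitHub Actions ecosystem, so the two groups can be collapsed into one `actions` group with `patterns: ['*']`.
```yaml
  # … unchanged: github-actions entry …
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: nuget
    directory: /sources/WebGoat.NET  # TODO confirm project path
    schedule:
      interval: weekly
```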

.github/workflows/dotnet.yml

Lines changed: 13 additions & 5 deletions
@@ -7,6 +7,9 @@ on:
77
branches: [ master ]
88
workflow_dispatch: {}
99

10+
permissions:
11+
contents: read
12+
1013
jobs:
1114
build:
1215
runs-on: ubuntu-latest
@@ -17,27 +20,32 @@ jobs:
1720
IMAGE_NAME: ghcr.io/${{ github.repository }}
1821
PUBLISH: ${{ github.ref == 'refs/heads/master' }}
1922
steps:
20-
- uses: actions/checkout@v2
21-
- uses: docker/setup-buildx-action@v2
23+
- name: Harden the runner (Audit all outbound calls)
24+
uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
25+
with:
26+
egress-policy: audit
27+
28+
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
29+
- uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
2230
id: buildx
2331
with:
2432
install: true
2533
version: latest
26-
- uses: docker/login-action@v2
34+
- uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
2735
if: ${{ env.PUBLISH }}
2836
with:
2937
registry: ghcr.io
3038
username: ${{ github.actor }}
3139
password: ${{ secrets.GITHUB_TOKEN }}
3240
- id: meta
33-
uses: docker/metadata-action@v4
41+
uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
3442
with:
3543
images: ${{ env.IMAGE_NAME }}
3644
tags: |
3745
type=sha
3846
type=edge
3947
type=raw,value=latest,enable={{is_default_branch}}
40-
- uses: docker/build-push-action@v3
48+
- uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
4149
id: build
4250
with:
4351
file: Dockerfile
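Review bot: The workflow-level `permissions: contents: read` added at the top drops the `packages: write` scope that the unchanged `docker/login-action` and `docker/build-push-action` steps need to push to `ghcr.io` with `secrets.GITHUB_TOKEN`, so the master-branch publish will likely fail with a 403 unless the `build` job sets its own `permissions:` in the lines omitted between the two hunks. Keep the restrictive default and grant the scope only where it is used, by adding under `build:` the three lines `permissions:` / `  contents: read` / `  packages: write`. The harden-runner step runs with `egress-policy: audit`, which only records outbound calls and blocks nothing; once the audit log gives a baseline, switch to `egress-policy: block` with an `allowed-endpoints:` list so the step actually enforces something. The `build` job continues past the end of the hunk.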

.pre-commit-config.yaml

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
repos:
2+
- repo: https://github.com/gitleaks/gitleaks
3+
rev: v8.16.3
4+
hooks:
5+
- id: gitleaks
6+
- repo: https://github.com/jumanjihouse/pre-commit-hooks
7+
rev: 3.0.0
8+
hooks:
9+
- id: shellcheck
10+
- repo: https://github.com/pre-commit/mirrors-eslint
11+
rev: v8.38.0
12+
hooks:
13+
- id: eslint
14+
- repo: https://github.com/pre-commit/pre-commit-hooks
15+
rev: v4.4.0
16+
hooks:
17+
- id: end-of-file-fixer
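Review bot: The gitleaks hook added here runs only on developers' machines and is skipped by `git commit --no-verify`, so on its own it does not enforce anything; to make the secret scan a real control, also run it in CI (for example a `pre-commit run --all-files` step or a gitleaks job in `dotnet.yml`). The `rev:` values are mutable tags, unlike the commit-SHA pins this same commit applies to the workflow actions; pre-commit accepts a full commit SHA in `rev:`, so for consistency pin each repo to the SHA of the tagged release and keep the tag in a trailing comment, e.g. `rev: <sha>  # v8.16.3`. The `mirrors-eslint` hook looks out of place in a .NET repository; if there is no JavaScript to lint, drop it rather than carry an unused dependency.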

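--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:7.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:7.0@sha256:d32bd65cf5843f413e81f5d917057c82da99737cb1637e905a1a4bc2e7ec6c8d AS build
 WORKDIR ./sources
 
 # copy everything else and build app
@@ -8,7 +8,7 @@ WORKDIR ./sources/WebGoat.NET
 RUN dotnet publish -c release -o /app
 
 # final stage/image
-FROM mcr.microsoft.com/dotnet/aspnet:7.0
+FROM mcr.microsoft.com/dotnet/aspnet:7.0@sha256:c7d9ee6cd01afe9aa80642e577c7cec9f5d87f88e5d70bd36fd61072079bc55b
 WORKDIR /app
 COPY --from=build /app ./
 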
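Review bot: Once a `@sha256:` digest is present on a `FROM` line the `7.0` tag becomes informational only — Docker resolves the digest and ignores the tag — so these two images are now frozen and will not pick up patched `7.0` builds until someone rewrites the digests by hand; this is only safe if an automated updater (a Dependabot `docker` entry, which this commit does not add) refreshes them. Record that intent next to the pins, e.g. `# pinned by digest; the tag is advisory — digest is refreshed by Dependabot, do not edit manually`, so the next maintainer does not bump the tag and wonder why nothing changed. The final stage still has no `USER` directive, so the app runs as root in the container; that is pre-existing, but worth adding a non-root user while the base image is being touched.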