From 6db581d53a28159a6837040613610a5f9a4af72d Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Mon, 4 May 2026 15:19:31 +0000
Subject: [PATCH] [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 48 +++++++++++++++++++++++
 .github/workflows/docker-images.yml | 60 +++++++++++++++++++++--------
 .pre-commit-config.yaml | 17 ++++++++
 Dockerfile | 4 +-
 tests/Dockerfile | 2 +-
 5 files changed, 112 insertions(+), 19 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .pre-commit-config.yaml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..17c82c2c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,48 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ dev-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: development
+ production-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: production
+ cooldown:
+ default-days: 7
+ include:
+ - '*'
+ exclude:
+ - react
+
+ - package-ecosystem: npm
+ directory: /tests
+ schedule:
+ interval: daily
+ groups:
+ dev-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: development
+ production-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: production
+ cooldown:
+ default-days: 7
+ semver-major-days: 30
+ semver-minor-days: 14
+ semver-patch-days: 5
+ include:
+ - '*'
+ exclude:
+ - react
diff --git a/.github/workflows/docker-images.yml b/.github/workflows/docker-images.yml
index 55976d2d..58eaf59b 100644
--- a/.github/workflows/docker-images.yml
+++ b/.github/workflows/docker-images.yml
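Review bot: The new config has no `package-ecosystem: docker` entry, yet this same patch pins `Dockerfile` and `tests/Dockerfile` to `@sha256:` digests; without an updater those digests freeze the images at today's build and will never pick up a rebuilt base image, so the pin becomes a liability rather than a control. Add a docker entry covering both directories, as below. The `exclude: - react` under the `github-actions` cooldown looks copied from the npm stanza; `react` is not an action, so the entry is inert and can be dropped. Whether `dependency-type: development`/`production` grouping has any effect for the github-actions ecosystem is not clear from this file — verify against Dependabot's documentation before relying on those groups.
```yaml
  - package-ecosystem: docker
    directories:
      - /
      - /tests
    schedule:
      interval: weekly
```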
@@ -11,34 +11,42 @@ on:
 - main
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build-base:
 name: Docker Build Base (no-agent)
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Checkout branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Docker Setup QEMU
- uses: docker/setup-qemu-action@v3
+ uses: step-security/setup-qemu-action@109c6ed9f089be1a250c75fd6a534e30df44e030 # v4.0.0
 with:
 platforms: all
 - name: Docker Setup Buildx
- uses: docker/setup-buildx-action@v3
+ uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0
 with:
 platforms: linux/amd64,linux/arm64
 - name: Create cache for docker images for use in the next job
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 key: latest-no-agent
 path: ${{ runner.temp }}
 - name: Build and push Docker images
- uses: docker/build-push-action@v5
+ uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0
 with:
 push: false
 load: true
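Review bot: The added harden-runner step uses `egress-policy: audit`, which only records outbound connections and blocks nothing, so a tampered action or a build step that phones home still completes; once one audit run has produced a baseline, switch to `egress-policy: block` with an `allowed-endpoints:` list (the same setting is repeated in the harden-runner steps of the build-contrast, test, publish and merge hunks that follow). The QEMU, Buildx and build-push steps now resolve to `step-security/*` forks instead of the `docker/*` originals; the SHA pins are correct, but this changes the trusted publisher for three supply-chain-critical actions and the commit message does not mention it — confirm that org is an approved source for this repository. The `# v2.19.1`-style trailing comments are what Dependabot reads to keep the SHAs current, so they need to stay on the same line as each `uses:`.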
@@ -55,28 +63,33 @@ jobs:
 needs:
 - build-base
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Checkout branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Docker Setup QEMU
- uses: docker/setup-qemu-action@v3
+ uses: step-security/setup-qemu-action@109c6ed9f089be1a250c75fd6a534e30df44e030 # v4.0.0
 with:
 platforms: all
 - name: Docker Setup Buildx
- uses: docker/setup-buildx-action@v3
+ uses: step-security/setup-buildx-action@f931205d68723ad9589fd2a7e2ece238bf9de341 # v4.0.0
 with:
 platforms: linux/amd64,linux/arm64
 - name: Create cache for docker images for use in the next job
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 key: latest
 path: ${{ runner.temp }}
 - name: Build and push Docker images
- uses: docker/build-push-action@v5
+ uses: step-security/docker-build-push-action@846549baaf047e867d038826129a64d81df0f704 # v7.1.0
 with:
 push: false
 load: true
@@ -91,15 +104,20 @@ jobs:
 - build-base
 - build-contrast
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Restore cached docker images
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ${{ runner.temp }}
 key: latest-no-agent
 - name: Restore cached docker images
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: ${{ runner.temp }}
 key: latest
@@ -110,14 +128,14 @@ jobs:
 docker load --input ${{ runner.temp }}/latest.tar
 - name: Checkout branch
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Run docker-compose tests
 run: |
 docker compose up -d
 - name: Setup Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: lts/*
 -
@@ -137,7 +155,7 @@ jobs:
 cd tests
 npx playwright test assess/*.spec.ts
 -
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: ${{ !cancelled() }}
 with:
 name: playwright-report
@@ -151,9 +169,14 @@ jobs:
 - test
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Docker Metadata action
 id: metadata
- uses: docker/metadata-action@v5
+ uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
 with:
 images: contrastsecuritydemo/netflicks
 flavor: |
@@ -179,5 +202,10 @@ jobs:
 - test
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - run: |
 echo The PR was merged
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 00000000..a462c222
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,17 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/mirrors-eslint
+ rev: v8.38.0
+ hooks:
+ - id: eslint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
diff --git a/Dockerfile b/Dockerfile
index 7372c927..5f1a3472 100644
--- a/Dockerfile
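Review bot: Nothing in this patch runs the new pre-commit hooks in CI — the workflow changes in `.github/workflows/docker-images.yml` add no `pre-commit run --all-files` step — so the gitleaks and shellcheck hooks only fire on machines where a developer has run `pre-commit install`, and a secret committed from any other clone is never caught. The pinned `rev` values (gitleaks `v8.16.3`, pre-commit-hooks `v4.4.0`, mirrors-eslint `v8.38.0`, jumanjihouse `3.0.0`) are not covered by the new dependabot config, which lists no ecosystem for pre-commit hooks, so they stay frozen until someone runs `pre-commit autoupdate`. The eslint hook is configured at the repository root while the JavaScript appears to live under `tests/`; it presumably needs a `files:` filter and `additional_dependencies` matching that project's config — confirm against `tests/` before merging.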
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/dotnet/sdk:6.0 AS publish
+FROM mcr.microsoft.com/dotnet/sdk:6.0@sha256:c8fdd06e430de9f4ddd066b475ea350d771f341b77dd5ff4c2fafa748e3f2ef2 AS publish
 ARG TARGETARCH
 WORKDIR /src
 COPY ./DotNetFlicks.Accessors ./DotNetFlicks.Accessors
@@ -10,7 +10,7 @@ COPY ./DotNetFlicks.Web ./DotNetFlicks.Web
 COPY ./DotNetFlicks.sln ./DotNetFlicks.sln
 RUN dotnet publish "DotNetFlicks.Web/Web.csproj" /p:Platform=$TARGETARCH -c Release -o /app
-FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS final
+FROM mcr.microsoft.com/dotnet/aspnet:6.0@sha256:e70c493f8af7f95bf459cb2b15c7e7a6173228929c2b7a9a6836b19377890e78 AS final
 RUN uname -a
 RUN apt-get update && apt-get --assume-yes install libnss3-tools
 WORKDIR /app
diff --git a/tests/Dockerfile b/tests/Dockerfile
index efcd0894..f76f36fb 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -1,4 +1,4 @@
-FROM mcr.microsoft.com/playwright:v1.32.1-jammy
+FROM mcr.microsoft.com/playwright:v1.32.1-jammy@sha256:d5f1c6efb7c440aad9d6e751ebb9251df4ecd464bf33c64fd71a2c6b7accbda8
 # copy project (including tests)
 # COPY . /tests
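Review bot: The digests added to the two `FROM` lines pin `dotnet/sdk:6.0` and `dotnet/aspnet:6.0`, a release line that left Microsoft support in November 2024 and no longer receives security fixes, so the pin locks in an unpatched runtime rather than protecting a maintained one. Digest pinning is only safe with an updater beside it, and the dependabot config introduced in this same patch has no `docker` ecosystem, so these digests will not be refreshed when Microsoft rebuilds the tag. Move the final stage to a supported `aspnet` tag before pinning it, and add a docker entry to `.github/dependabot.yml`. As the context lines show, the final stage also still runs `apt-get` without `--no-install-recommends` or `rm -rf /var/lib/apt/lists/*` and never drops to a non-root `USER` — outside this change, but worth a follow-up.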
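Review bot: The digest pin on `playwright:v1.32.1-jammy` freezes the browser bundle at 1.32.1 while the new dependabot entry for `/tests` updates npm dependencies daily; if `tests/package.json` depends on `@playwright/test`, those bumps will drift away from the browsers baked into this image and the test runner will reject the version mismatch — confirm how the test image tag and the npm package are kept in step (for example by letting Dependabot's docker ecosystem track `/tests` too). Without a `docker` entry in `.github/dependabot.yml` this digest, like the ones in the root `Dockerfile`, will never be refreshed.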