Commit 5d2e5c1
[StepSecurity] Apply security best practices (#21)
## Summary
This PR implements [go/ssdlc-2](https://go/ssdlc-2). Ref:
chainguard-dev/prodsec#138
This pull request has been generated by
[StepSecurity](https://app.stepsecurity.io/github/chainguard-dev/actions/dashboard)
as part of your enterprise subscription to ensure compliance with
recommended security best practices. Please review and merge the pull
request to apply these security enhancements.
At a high level, this PR:
- Adds the `harden-runner` Action if not already present
- Pins Actions to a digest rather than mutable tags
- Restricts GitHub token permissions to be as minimal as possible
## Security Fixes
### Harden Runner
Harden-Runner is an open-source security agent for the GitHub-hosted
runner to prevent software supply chain attacks. It prevents
exfiltration of credentials, detects tampering of source code during
build, and enables running jobs without sudo access.
- [GitHub Security
Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions)
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow)
## Feedback
For bug reports, feature requests, and general feedback, please create
an issue in
[step-security/secure-repo](https://github.com/step-security/secure-repo)
or contact us via [our website](https://www.stepsecurity.io/).
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com>
1 parent 2726988
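The three measures the summary lists (harden-runner step, digest-pinned Actions, minimal token permissions) in one workflow, as an added example that is not the file changed in this commit and not StepSecurity's or Chainguard's own code. The weak form it replaces would have no top-level `permissions:` key (so the job gets the repository's default token scope) and would reference Actions by mutable tags such as `@v4`. The 40-zero digests and `vX.Y.Z` comments are placeholders; a real pin uses the full commit SHA of the Action release you reviewed, and the version comment beside it exists only so humans and dependency bots can read which release the SHA corresponds to.

```yaml
# Added example, not the diff on this page.
# Digests are PLACEHOLDERS: replace each with the real 40-hex commit SHA of the release.
name: build

on:
  pull_request:

# Least-privilege GITHUB_TOKEN for every job; widen per job only where a step needs it.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Runs first so it observes every later step's network egress and file activity.
      - name: Harden Runner
        uses: step-security/harden-runner@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder digest)
        with:
          # 'audit' only records outbound calls; switch to 'block' with an allowlist
          # once the baseline of expected endpoints is known.
          egress-policy: audit

      # Pinned to a digest rather than a tag so a moved tag cannot change what runs.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder digest)

      - run: make build
```

Keep the harden-runner step before checkout: if it comes later, the checkout step's network activity is outside what the agent can audit or block.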
1 file changed
Lines changed: 5 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
24 | 24 | | |
25 | 25 | | |
26 | 26 | | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
| 31 | + | |
27 | 32 | | |
28 | 33 | | |
29 | 34 | | |
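Review bot: the summary lists three changes (add harden-runner, pin Actions to digests, restrict token permissions), but this diff is 5 additions and 0 deletions in a single file; pinning an existing `uses:` tag to a digest would replace a line and so produce a deletion, so that change is not reflected in this commit, and five purely new lines fit either a harden-runner step (`uses:` plus `with:` and `egress-policy:`) or a `permissions:` block, not all three measures together. The content column for the added lines 27-31 is blank in this rendering, so confirm against the file itself which of the stated measures actually landed and whether the other two still need a follow-up.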