
Commit 471ba72

committed
ci: replace wildcards with explicit FQDNs across all workflows for maximum security
1 parent 0fdc5d3 commit 471ba72

14 files changed

Lines changed: 1157 additions & 851 deletions

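--- a/.github/workflows/cache.yml
+++ b/.github/workflows/cache.yml
@@ -46,63 +46,81 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
-*.aquasecurity.github.io:443
-*.azurecr.io:443
-*.centos.org:443
-*.debian.org:443
-*.debian.org:80
-*.dkr.ecr.*.amazonaws.com:443
-*.gcr.io:443
-*.githubusercontent.com:443
-*.pkg.dev:443
-*.quay.io:443
-*.redhat.com:443
-*.rockylinux.org:443
-*.sigstore.dev:443
-*.ubuntu.com:443
-*.ubuntu.com:80
 api.github.com:443
-api.osv.dev:443
-api.securityscorecards.dev:443
-auth.docker.io:443
-cdn.deno.land:443
-deno.land:443
-dl-cdn.alpinelinux.org:443
-downloads.gradle-dn.com:443
-downloads.gradle.org:443
-files.pythonhosted.org:443
-formulae.brew.sh:443
-get.trivy.dev:443
-ghcr.io:443
+raw.githubusercontent.com:443
+objects.githubusercontent.com:443
+pkg-containers.githubusercontent.com:443
+avatars.githubusercontent.com:443
 github.com:443
-index.crates.io:443
-index.docker.io:443
-nodejs.org:443
-oss-fuzz-build-logs.storage.googleapis.com:443
-osv-vulnerabilities.storage.googleapis.com:443
 packages.microsoft.com:443
-packagist.org:443
-pkg-containers.githubusercontent.com:443
-production.cloudflare.docker.com:443
-proxy.golang.org:443
-public.ecr.aws:443
-pypi.org:443
-registry-1.docker.io:443
+archive.ubuntu.com:80
+archive.ubuntu.com:443
+security.ubuntu.com:80
+security.ubuntu.com:443
+ports.ubuntu.com:80
+ports.ubuntu.com:443
+keyserver.ubuntu.com:80
+keyserver.ubuntu.com:443
+changelogs.ubuntu.com:80
+changelogs.ubuntu.com:443
+deb.debian.org:80
+deb.debian.org:443
+security.debian.org:80
+security.debian.org:443
+snapshot.debian.org:80
+snapshot.debian.org:443
+dl.rockylinux.org:443
+mirrors.rockylinux.org:443
+mirror.centos.org:443
+vault.centos.org:443
+isv-data.centos.org:443
+mirrorlist.centos.org:80
+mirrorlist.centos.org:443
+cdn.redhat.com:443
+cdn-ubi.redhat.com:443
+access.redhat.com:443
+sso.redhat.com:443
+dl-cdn.alpinelinux.org:443
 registry.npmjs.org:443
-registry.terraform.io:443
 registry.yarnpkg.com:443
-repo.maven.apache.org:443
-repo.yarnpkg.com:443
-rubygems.org:443
-services.gradle.org:443
-static.rust-lang.org:443
+pypi.org:443
+files.pythonhosted.org:443
+proxy.golang.org:443
 sum.golang.org:443
-www.bestpractices.dev:443
-storage.googleapis.com:443
-go.dev:443
+index.crates.io:443
+static.rust-lang.org:443
+packagist.org:443
+repo.maven.apache.org:443
 golang.org:443
-*.actions.githubusercontent.com:443
-*.blob.core.windows.net:443
+pkg.go.dev:443
+dl.google.com:443
+rubygems.org:443
+registry.terraform.io:443
+formulae.brew.sh:443
+repo.yarnpkg.com:443
+ghcr.io:443
+production.cloudflare.docker.com:80
+production.cloudflare.docker.com:443
+registry-1.docker.io:443
+auth.docker.io:443
+docker.io:443
+quay.io:443
+cdn.quay.io:443
+docker-images-prod.s3.us-west-2.amazonaws.com:443
+docker-images-prod.s3.us-east-1.amazonaws.com:443
+docker-images-prod.s3.amazonaws.com:443
+s3.amazonaws.com:443
+s3.us-west-2.amazonaws.com:443
+s3.us-east-1.amazonaws.com:443
+osv-vulnerabilities.storage.googleapis.com:443
+api.osv.dev:443
+get.trivy.dev:443
+aquasecurity.github.io:443
+tuf-repo-cdn.sigstore.dev:443
+oauth2.sigstore.dev:443
+rekor.sigstore.dev:443
+fulcio.sigstore.dev:443
+api.sigstore.dev:443
 - name: "🧹 Prune Inactive GitHub Caches"
 shell: sh # POSIX compliant shell for better portability
 run: |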
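Review bot: The new allowlist grants this job — whose only visible step is the "Prune Inactive GitHub Caches" shell step, which on its face should need little beyond `api.github.com:443` and `github.com:443` — egress to dozens of package registries and, worse, the bare shared S3 endpoints `s3.amazonaws.com:443`, `s3.us-east-1.amazonaws.com:443` and `s3.us-west-2.amazonaws.com:443`, which serve every AWS account and so let a compromised step write to an attacker-controlled bucket via a path-style URL; under `egress-policy: block` that is a ready exfiltration channel rather than "maximum security". Since the commit applies the same list to all 14 workflows, each workflow should instead get the hosts it actually contacts (harden-runner's audit mode reports them), and the three generic S3 hosts should be dropped in favour of the bucket-scoped `docker-images-prod.s3.*` entries already listed. The wildcard `*.blob.core.windows.net:443` and `*.actions.githubusercontent.com:443` entries were removed without an explicit replacement; if any step here uses actions/cache or artifact upload, those backends are now blocked, so confirm on a real run. The job's `steps:` block continues past the end of the hunk.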

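--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -57,63 +57,81 @@ jobs:
 disable-sudo: true
 egress-policy: block
 allowed-endpoints: >
-*.aquasecurity.github.io:443
-*.azurecr.io:443
-*.centos.org:443
-*.debian.org:443
-*.debian.org:80
-*.dkr.ecr.*.amazonaws.com:443
-*.gcr.io:443
-*.githubusercontent.com:443
-*.pkg.dev:443
-*.quay.io:443
-*.redhat.com:443
-*.rockylinux.org:443
-*.sigstore.dev:443
-*.ubuntu.com:443
-*.ubuntu.com:80
 api.github.com:443
-api.osv.dev:443
-api.securityscorecards.dev:443
-auth.docker.io:443
-cdn.deno.land:443
-deno.land:443
-dl-cdn.alpinelinux.org:443
-downloads.gradle-dn.com:443
-downloads.gradle.org:443
-files.pythonhosted.org:443
-formulae.brew.sh:443
-get.trivy.dev:443
-ghcr.io:443
+raw.githubusercontent.com:443
+objects.githubusercontent.com:443
+pkg-containers.githubusercontent.com:443
+avatars.githubusercontent.com:443
 github.com:443
-index.crates.io:443
-index.docker.io:443
-nodejs.org:443
-oss-fuzz-build-logs.storage.googleapis.com:443
-osv-vulnerabilities.storage.googleapis.com:443
 packages.microsoft.com:443
-packagist.org:443
-pkg-containers.githubusercontent.com:443
-production.cloudflare.docker.com:443
-proxy.golang.org:443
-public.ecr.aws:443
-pypi.org:443
-registry-1.docker.io:443
+archive.ubuntu.com:80
+archive.ubuntu.com:443
+security.ubuntu.com:80
+security.ubuntu.com:443
+ports.ubuntu.com:80
+ports.ubuntu.com:443
+keyserver.ubuntu.com:80
+keyserver.ubuntu.com:443
+changelogs.ubuntu.com:80
+changelogs.ubuntu.com:443
+deb.debian.org:80
+deb.debian.org:443
+security.debian.org:80
+security.debian.org:443
+snapshot.debian.org:80
+snapshot.debian.org:443
+dl.rockylinux.org:443
+mirrors.rockylinux.org:443
+mirror.centos.org:443
+vault.centos.org:443
+isv-data.centos.org:443
+mirrorlist.centos.org:80
+mirrorlist.centos.org:443
+cdn.redhat.com:443
+cdn-ubi.redhat.com:443
+access.redhat.com:443
+sso.redhat.com:443
+dl-cdn.alpinelinux.org:443
 registry.npmjs.org:443
-registry.terraform.io:443
 registry.yarnpkg.com:443
-repo.maven.apache.org:443
-repo.yarnpkg.com:443
-rubygems.org:443
-services.gradle.org:443
-static.rust-lang.org:443
+pypi.org:443
+files.pythonhosted.org:443
+proxy.golang.org:443
 sum.golang.org:443
-www.bestpractices.dev:443
-storage.googleapis.com:443
-go.dev:443
+index.crates.io:443
+static.rust-lang.org:443
+packagist.org:443
+repo.maven.apache.org:443
 golang.org:443
-*.actions.githubusercontent.com:443
-*.blob.core.windows.net:443
+pkg.go.dev:443
+dl.google.com:443
+rubygems.org:443
+registry.terraform.io:443
+formulae.brew.sh:443
+repo.yarnpkg.com:443
+ghcr.io:443
+production.cloudflare.docker.com:80
+production.cloudflare.docker.com:443
+registry-1.docker.io:443
+auth.docker.io:443
+docker.io:443
+quay.io:443
+cdn.quay.io:443
+docker-images-prod.s3.us-west-2.amazonaws.com:443
+docker-images-prod.s3.us-east-1.amazonaws.com:443
+docker-images-prod.s3.amazonaws.com:443
+s3.amazonaws.com:443
+s3.us-west-2.amazonaws.com:443
+s3.us-east-1.amazonaws.com:443
+osv-vulnerabilities.storage.googleapis.com:443
+api.osv.dev:443
+get.trivy.dev:443
+aquasecurity.github.io:443
+tuf-repo-cdn.sigstore.dev:443
+oauth2.sigstore.dev:443
+rekor.sigstore.dev:443
+fulcio.sigstore.dev:443
+api.sigstore.dev:443
 - name: "📂 Checkout Repository Code"
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with: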
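Review bot: `s3.amazonaws.com:443`, `s3.us-east-1.amazonaws.com:443` and `s3.us-west-2.amazonaws.com:443` are the shared S3 endpoints for every AWS account, so under `egress-policy: block` they still let a compromised build step push data to an arbitrary bucket by path-style URL; keep only the bucket-scoped `docker-images-prod.s3.*` hosts and delete the three generic ones. `production.cloudflare.docker.com:80` additionally opens plaintext HTTP to the image-layer CDN even though the registry, auth and CDN hosts are all already listed on 443, and is presumably unneeded — remove it unless an audit-mode run shows port-80 traffic there. The wildcard `*.blob.core.windows.net:443` and `*.actions.githubusercontent.com:443` entries were dropped without explicit replacements; if this CD workflow uploads artifacts or uses actions/cache, those backends are now blocked, so confirm on a real run. A comment above the list such as `# Derived from harden-runner audit mode; re-run audit before adding hosts` would document where the ~70 entries came from. The job's steps continue past the end of the hunk.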
