Skip to content

[StepSecurity] Apply security best practices #232

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
DefinetlyNotAI merged 1 commit into from
Jul 26, 2025
Merged

[StepSecurity] Apply security best practices #232

DefinetlyNotAI merged 1 commit into from
Jul 26, 2025

Conversation

@step-security-bot
Copy link
Contributor

@step-security-bot step-security-bot commented Jul 26, 2025
edited by coderabbitai bot
Loading

Summary

This pull request is created by StepSecurity at the request of @DefinetlyNotAI. Please merge the Pull Request to incorporate the requested changes. Please tag @DefinetlyNotAI on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

Pinned Dependencies

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Harden Runner

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access. See how popular open-source projects use Harden-Runner here.

Harden runner usage

You can find link to view insights and policy recommendation in the build log

Please refer to documentation to find more details.

Add Dependency Review Workflow

The Dependency Review Workflow enforces dependency reviews on your pull requests. The action scans for vulnerable versions of dependencies introduced by package version changes in pull requests, and warns you about the associated security vulnerabilities. This gives you better visibility of what's changing in a pull request, and helps prevent vulnerabilities being added to your repository.

Feedback

For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

Summary by CodeRabbit

  • Chores
    • Enhanced security of existing GitHub Actions workflows by auditing outbound network calls and pinning action versions to specific commits.
    • Introduced a new workflow to automatically review dependencies for known vulnerabilities on pull requests, helping prevent vulnerable packages from being merged.

@pull-request-size pull-request-size bot added the size/M Medium size pr label Jul 26, 2025
@DefinetlyNotAI DefinetlyNotAI self-assigned this Jul 26, 2025
@github-project-automation github-project-automation bot moved this from Todo to In Progress in Issue Board Jul 26, 2025
@DefinetlyNotAI DefinetlyNotAI added request/Important New feature or request, top priority, for next update type/Github Actions Pull requests that update GitHub Actions code labels Jul 26, 2025
@DefinetlyNotAI DefinetlyNotAI merged commit e75a710 into DefinetlyNotAI:main Jul 26, 2025
8 of 9 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Issue Board Jul 26, 2025
Repository owner deleted a comment from coderabbitai bot Jul 26, 2025
DefinetlyNotAI added a commit that referenced this pull request Sep 18, 2025
@DefinetlyNotAI
[StepSecurity] Apply security best practices (#232)
06c57bf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DefinetlyNotAI DefinetlyNotAI DefinetlyNotAI approved these changes

Assignees

@DefinetlyNotAI DefinetlyNotAI

Labels

request/Important New feature or request, top priority, for next update size/M Medium size pr type/Github Actions Pull requests that update GitHub Actions code

Projects

Issue Board
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@step-security-bot @DefinetlyNotAI