ci: [StepSecurity] Apply security best practices (project-copacetic#1156)

step-security-bot · sozercan · web-flow · commit 26faaa5b4c45 · 2025-07-01T18:02:19.000-07:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Signed-off-by: Sertaç Özercan &lt;852750+sozercan@users.noreply.github.com&gt;
Co-authored-by: Sertaç Özercan &lt;852750+sozercan@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -32,3 +32,18 @@ updates:
       all:
         patterns:
         - "*"
+
+  - package-ecosystem: docker
+    directory: /integration/singlearch/fixtures/openssl-test-img-debian
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /integration/singlearch/fixtures/openssl-test-img-rpm
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /integration/singlearch/fixtures/tdnf-test-img
+    schedule:
+      interval: daily
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -328,7 +328,7 @@ jobs:
           echo '{"features": { "containerd-snapshotter": true }}' | sudo tee /etc/docker/daemon.json
           sudo systemctl restart docker
       - name: Set up buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
         with:
           install: true
       - name: Install oras CLI
diff --git a/.github/workflows/mirror-tooling-images.yml b/.github/workflows/mirror-tooling-images.yml
@@ -13,6 +13,9 @@ on:
 env:
   GHCR_NAMESPACE: ${{ github.event.inputs.ghcr_namespace || 'ghcr.io/project-copacetic/copacetic' }}
 
+permissions:
+  contents: read
+
 jobs:
   mirror:
     runs-on: ubuntu-latest
@@ -34,6 +37,11 @@ jobs:
           - "mcr.microsoft.com/cbl-mariner/base/core:1.0"
 
     steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@e3d2460bbb42d7710191569f88069044cfb9d8cf # v4.2.2
 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -16,3 +16,7 @@ repos:
   hooks:
   - id: end-of-file-fixer
   - id: trailing-whitespace
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+  rev: 3.0.0
+  hooks:
+  - id: shellcheck
diff --git a/integration/singlearch/fixtures/openssl-test-img-debian/Dockerfile b/integration/singlearch/fixtures/openssl-test-img-debian/Dockerfile
@@ -1,2 +1,2 @@
-FROM docker.io/openpolicyagent/opa:0.46.0
+FROM docker.io/openpolicyagent/opa:0.46.0@sha256:c4b11c9b86eaba41276ae682bb6875332316242010b7523efe30f365ad0c3cb8
 COPY openssl.cnf /etc/ssl/openssl.cnf
diff --git a/integration/singlearch/fixtures/openssl-test-img-rpm/Dockerfile b/integration/singlearch/fixtures/openssl-test-img-rpm/Dockerfile
@@ -1,2 +1,2 @@
-FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20240112
+FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20240112@sha256:42018e00ee5b4ae32a8d512ca0bbf64edd6ca67d2a8ab4e83358394a94181f6e
 COPY openssl.cnf /etc/pki/tls/

Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-FROM docker.io/openpolicyagent/opa:0.46.0`
	`1`	`+FROM docker.io/openpolicyagent/opa:0.46.0@sha256:c4b11c9b86eaba41276ae682bb6875332316242010b7523efe30f365ad0c3cb8`
`2`	`2`	`COPY openssl.cnf /etc/ssl/openssl.cnf`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20240112`
	`1`	`+FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20240112@sha256:42018e00ee5b4ae32a8d512ca0bbf64edd6ca67d2a8ab4e83358394a94181f6e`
`2`	`2`	`COPY openssl.cnf /etc/pki/tls/`