From 587e36cdf82cd7ec53c8a4a3a32b30b32c42ce1a Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 3 Jul 2025 21:20:22 +0000 Subject: [PATCH 1/4] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/dependabot.yml | 45 +++++++++++++++++++++++++ .github/workflows/codeql.yml | 8 +++++ .github/workflows/dependency-review.yml | 27 +++++++++++++++ .github/workflows/lambda.yml | 5 +++ .github/workflows/ossf-scorecard.yml | 5 +++ .github/workflows/packer-build.yml | 5 +++ .github/workflows/release.yml | 8 +++++ .github/workflows/semantic-check.yml | 5 +++ .github/workflows/stale.yml | 5 +++ .github/workflows/terraform.yml | 15 +++++++++ .github/workflows/update-docs.yml | 13 +++++++ 11 files changed, 141 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index face548144..e65908ff33 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -71,3 +71,48 @@ updates: - "docker" commit-message: prefix: "chore(devcontainer)" + + - package-ecosystem: docker + directory: /.ci + schedule: + interval: daily + + - package-ecosystem: docker + directory: /.devcontainer + schedule: + interval: daily + + - package-ecosystem: npm + directory: /lambdas/functions/ami-housekeeper + schedule: + interval: daily + + - package-ecosystem: npm + directory: /lambdas/functions/control-plane + schedule: + interval: daily + + - package-ecosystem: npm + directory: /lambdas/functions/gh-agent-syncer + schedule: + interval: daily + + - package-ecosystem: npm + directory: /lambdas/functions/termination-watcher + schedule: + interval: daily + + - package-ecosystem: npm + directory: /lambdas/functions/webhook + schedule: + interval: daily + + - package-ecosystem: npm + directory: /lambdas/libs/aws-powertools-util + schedule: + interval: daily + + - package-ecosystem: npm + directory: /lambdas/libs/aws-ssm-util + schedule: + interval: daily 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3a039347c6..20ad2880d8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -10,6 +10,9 @@ on: schedule: - cron: '25 19 * * 2' +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }}) @@ -24,6 +27,11 @@ jobs: language: ['javascript-typescript', 'actions'] steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..4b492f2a15 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: 'Dependency Review' + uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml index 01432342a6..a08447c58f 100644 
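Review bot: The new top-level `permissions: contents: read` in codeql.yml narrows the default token for every job that does not declare its own block, and the `analyze` job needs `security-events: write` to upload results (plus `packages: read` if it pulls private CodeQL packs); the job-level `permissions:` would sit between the two codeql hunks and is not visible here, so confirm it exists before merging. If it is missing, add `permissions:` with `contents: read` and `security-events: write` under `analyze` rather than widening the top-level block. Nothing else in either codeql hunk changes behaviour beyond the audit-only harden-runner step.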
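Review bot: The blocking behaviour promised in the header comment of the new dependency-review.yml depends on two things the file does not control: the `dependency-review` job being listed as a required status check in branch protection, and a policy stricter than the action's defaults (fail on `low` severity, no license rules). Make the policy explicit in the step, e.g. `with:` plus `fail-on-severity: moderate` and a `deny-licenses:` list matching the project's rules, and add a sentence to the header saying the job must be added to the required checks. Triggering on plain `pull_request` rather than `pull_request_target` is the right call here: the compare API only needs the read-only token, so fork PRs are covered without exposing secrets.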
--- a/.github/workflows/lambda.yml +++ b/.github/workflows/lambda.yml @@ -24,6 +24,11 @@ jobs: working-directory: ./lambdas steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 41afac676d..5280e55bdf 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -19,6 +19,11 @@ jobs: id-token: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml index a818ef1dc4..5f155ca917 100644 --- a/.github/workflows/packer-build.yml +++ b/.github/workflows/packer-build.yml @@ -28,6 +28,11 @@ jobs: run: working-directory: images/${{ matrix.image }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d70f0a60a7..1dd0e3f9d6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,9 @@ on: - v1 workflow_dispatch: +permissions: + contents: read + jobs: release: name: Release 
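Review bot: `egress-policy: audit` on the lambda job only records outbound connections; it does not stop a malicious install script in one of the npm dependencies fetched under `./lambdas` from reaching an arbitrary host, which is the supply-chain scenario this job is most exposed to. Treat audit as the baseline-collection phase and plan the follow-up: after a few runs, switch to `egress-policy: block` with an `allowed-endpoints:` list (registry.npmjs.org:443, github.com:443, api.github.com:443 plus whatever the audit report shows). Every job in this patch gets the same audit-only setting, so tracking the promotion to block mode once for the repository is more useful than re-raising it per file.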
@@ -16,6 +19,11 @@ jobs: id-token: write attestations: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 22 diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml index db6c9f88e2..28fcb7b4fe 100644 --- a/.github/workflows/semantic-check.yml +++ b/.github/workflows/semantic-check.yml @@ -13,6 +13,11 @@ jobs: name: Semantic Commit Message Check runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 1d79d7dba0..26a3ec96ca 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -10,6 +10,11 @@ jobs: stale: runs-on: ubuntu-latest steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: stale-issue-message: > diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml index 9d4330e9c0..e5c41dd408 100644 --- a/.github/workflows/terraform.yml +++ b/.github/workflows/terraform.yml @@ -21,6 +21,11 @@ jobs: container: image: hashicorp/terraform:${{ matrix.terraform }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - name: "Checkout" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: 
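Review bot: Audit-only egress is weakest on the release job: its context shows `id-token: write` and `attestations: write`, and presumably a registry token is used later in the job, yet `egress-policy: audit` would only log an exfiltration of those credentials after the fact. This is the one job where `egress-policy: block` with an `allowed-endpoints:` list (the registry, github.com/api.github.com, and the hosts the attestation step contacts, which the audit report will name) is worth doing before the rest of the repository. The remainder of the release steps is outside the hunk, so the exact endpoint list cannot be read off here.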
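Review bot: The terraform jobs run inside `container: image: hashicorp/terraform:${{ matrix.terraform }}` (hunk context), and as far as I know harden-runner documents no support for jobs that use `container:` — its agent has to be installed on the runner VM, which a `uses:` step executing inside the terraform image cannot do, so this step is likely to fail or to provide no coverage. Verify on the first run; if it is not supported, either drop the step from the three container jobs in this file or replace `container:` with a SHA-pinned `hashicorp/setup-terraform` step so harden-runner can observe the job's traffic. The job's header lines are above the hunk, so only the container image is visible here.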
@@ -90,6 +95,11 @@ jobs: container: image: hashicorp/terraform:${{ matrix.terraform }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -148,6 +158,11 @@ jobs: container: image: hashicorp/terraform:${{ matrix.terraform }} steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml index b67b898e5e..f5fa315d5d 100644 --- a/.github/workflows/update-docs.yml +++ b/.github/workflows/update-docs.yml @@ -6,6 +6,9 @@ on: - "**/*.md" - ".github/workflows/update-docs.yml" +permissions: + contents: read + jobs: docs: name: Auto update terraform docs @@ -14,6 +17,11 @@ jobs: contents: write pull-requests: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - name: Checkout with GITHUB Action token uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -58,6 +66,11 @@ jobs: permissions: contents: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Configure Git Credentials run: | From 1284b5eea3c4b0f7e150cf69dd84d2fd214cc166 Mon Sep 17 00:00:00 2001 
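Review bot: The bare `- uses: actions/checkout@…` at the end of the last update-docs hunk keeps the default `persist-credentials: true`, so the job's `contents: write` token is written to `.git/config` and is readable by every later step, including whatever generates the docs; patch 4 sets `persist-credentials: false` on the dependency-review checkout but this one is left as is. If the following `Configure Git Credentials` step supplies its own auth, add `persist-credentials: false` here too; if the push relies on the persisted token, say so in a comment above the step so the next hardening pass does not break it. The push step itself is past the end of the hunk, so which of the two applies cannot be read here.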
From: Niek Palm Date: Thu, 3 Jul 2025 23:27:19 +0200 Subject: [PATCH 2/4] Update dependabot.yml --- .github/dependabot.yml | 43 ------------------------------------------ 1 file changed, 43 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e65908ff33..e00551363b 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -72,47 +72,4 @@ updates: commit-message: prefix: "chore(devcontainer)" - - package-ecosystem: docker - directory: /.ci - schedule: - interval: daily - - - package-ecosystem: docker - directory: /.devcontainer - schedule: - interval: daily - - - package-ecosystem: npm - directory: /lambdas/functions/ami-housekeeper - schedule: - interval: daily - - - package-ecosystem: npm - directory: /lambdas/functions/control-plane - schedule: - interval: daily - - - package-ecosystem: npm - directory: /lambdas/functions/gh-agent-syncer - schedule: - interval: daily - - - package-ecosystem: npm - directory: /lambdas/functions/termination-watcher - schedule: - interval: daily - - - package-ecosystem: npm - directory: /lambdas/functions/webhook - schedule: - interval: daily - - - package-ecosystem: npm - directory: /lambdas/libs/aws-powertools-util - schedule: - interval: daily - - package-ecosystem: npm - directory: /lambdas/libs/aws-ssm-util - schedule: - interval: daily From 822260addc992abac4e8f8bedb6a18b48b4d4830 Mon Sep 17 00:00:00 2001 From: Niek Palm Date: Thu, 3 Jul 2025 23:27:54 +0200 Subject: [PATCH 3/4] Update dependabot.yml --- .github/dependabot.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index e00551363b..face548144 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -71,5 +71,3 @@ updates: - "docker" commit-message: prefix: "chore(devcontainer)" - - From 3abbe2484a2504cf47f7621685e48d5aa2b9a531 Mon Sep 17 00:00:00 2001 
From: Niek Palm
Date: Thu, 3 Jul 2025 23:27:54 +0200
Subject: [PATCH 4/4] Update dependency-review.yml
---
 .github/workflows/dependency-review.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 4b492f2a15..c68a09d9fc 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -23,5 +23,7 @@ jobs:
 - name: 'Checkout Repository'
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
 - name: 'Dependency Review'
 uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
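Review bot: With `persist-credentials: false` now on the checkout, the remaining question for this hunk is whether the checkout is needed at all: as far as I can tell `actions/dependency-review-action` reads the PR's manifest changes through the dependency-graph compare API rather than the working tree, so unless a repo-local `config-file:` is introduced the `Checkout Repository` step can be removed outright, which is a smaller surface than a credential-less checkout. If it stays, the form here is the right one. The job's `permissions: contents: read`, set earlier in the file, is sufficient for the API call.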