step-security
diff --git a/‎README.md
Lines changed: 51 additions & 102 deletions b/‎README.md
Lines changed: 51 additions & 102 deletions
diff --git a/‎images/SecureWorkflowsIntegration.png
104 KB b/‎images/SecureWorkflowsIntegration.png
104 KB
diff --git a/‎images/dependabot-example.png
42.5 KB b/‎images/dependabot-example.png
42.5 KB
diff --git a/‎images/harden-runner-example.png
59.2 KB b/‎images/harden-runner-example.png
59.2 KB
diff --git a/‎images/pin-example.png
88.7 KB b/‎images/pin-example.png
88.7 KB
diff --git a/‎images/secure-repo.gif
2.76 MB b/‎images/secure-repo.gif
2.76 MB
diff --git a/‎images/token-perm-example.png
67.3 KB b/‎images/token-perm-example.png
67.3 KB
@@ -16,13 +16,13 @@ Secure GitHub Actions CI/CD workflows via automated remediations
 </div>
 
 <p align="center">
-  <img src="https://github.com/step-security/supply-chain-goat/blob/main/images/secure-repo.gif" alt="Secure repo screenshot" >
+  <img src="images/secure-repo.gif" alt="Secure repo screenshot" >
 </p>
 
 <h3>
   <a href="#quickstart">Quickstart</a>
   <span> • </span>
-  <a href="#functionality-overview">Functionality Overview</a> 
+  <a href="#functionality-overview">Functionality</a> 
    <span> • </span>
   <a href="#contributing">Contributing</a>  
 </h3>
@@ -34,24 +34,24 @@ Secure GitHub Actions CI/CD workflows via automated remediations
 To secure GitHub Actions workflows using a pull request:
 
 - Go to https://app.stepsecurity.io/securerepo and enter your public GitHub repository
-- Login using your GitHub Account (no need to install any App or grant `write` access)
-- View recommendations and click `Create pull request`. Here is a [sample pull request](https://github.com/Kapiche/cobertura-action/pull/60).
+- Log in using your GitHub Account (no need to install any App or grant `write` access)
+- View recommendations and click `Create pull request.` Here is an example pull request: https://github.com/electron/electron/pull/36343.
 
 ### Integration with OpenSSF Scorecard
 
 - Add [OpenSSF Scorecards](https://github.com/ossf/scorecard-action) starter workflow
 - View the Scorecard results in GitHub Code Scanning UI
-- Follow remediation tip that points to https://app.stepsecurity.io
+- Follow the remediation tip that points to https://app.stepsecurity.io
 
-<p align="left">
-  <img src="https://github.com/step-security/supply-chain-goat/blob/main/images/secure-workflows/SecureWorkflowsIntegration.png" alt="Secure workflow Scorecard integration screenshot" width="60%">
+<p align="center">
+  <img src="images/SecureWorkflowsIntegration.png" alt="Secure workflow Scorecard integration screenshot" width="600">
 </p>
 
 ### Self Hosted
 
 To create an instance of Secure Workflows, deploy _cloudformation/ecr.yml_ and _cloudformation/resources.yml_ CloudFormation templates in your AWS account. You can take a look at _.github/workflows/release.yml_ for reference.
 
-## Functionality Overview
+## Functionality
 
 Secure Workflows
 
@@ -64,87 +64,42 @@ Secure Workflows
 #### Why is this needed?
 
 - The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API
-- If the token is compromised, it can be abused to compromise your environment (e.g. to overwrite releases or source code). This will also impact everyone who use your software in their software supply chain.
+- If the token is compromised, it can be abused to compromise your environment (e.g., to overwrite releases or source code). This compromise will also impact everyone using your software in their supply chain.
 - To limit the damage, [GitHub recommends setting minimum token permissions for the GITHUB_TOKEN](https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/).
 
 #### Before and After the fix
 
-Before the fix, your workflow may look like this (no permissions set)
-
-```yaml
-jobs:
-  closeissue:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Close Issue
-        uses: peter-evans/close-issue@v1
-        with:
-          issue-number: 1
-          comment: Auto-closing issue
-```
-
-After the fix, the workflow will have minimum permissions added for the GITHUB token.
-
-```yaml
-permissions:
-  contents: read
-
-jobs:
-  closeissue:
-    permissions:
-      issues: write # for peter-evans/close-issue to close issues
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Close Issue
-        uses: peter-evans/close-issue@v1
-        with:
-          issue-number: 1
-          comment: Auto-closing issue
-```
+**Pull request example**: https://github.com/nginxinc/kubernetes-ingress/pull/3134
+
+In this pull request, minimum permissions are set automatically for the GITHUB_TOKEN
+
+<p align="center"><img src="images/token-perm-example.png" alt="Screenshot of token permissions set in a workflow" width="600" /></p>
 
 #### How does SecureWorkflows fix this issue?
 
 - SecureWorkflows stores the permissions needed by different GitHub Actions in a [knowledge base](<(https://github.com/step-security/secure-workflows/tree/main/knowledge-base/actions)>)
-- It looks up the permissions needed by each Action in your workflow, and sums the permissions up to come up with a final recommendation
+- It looks up the permissions needed by each Action in your workflow and sums the permissions up to come up with a final recommendation
 - If you are the owner of a GitHub Action, please [contribute to the knowledge base](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/README.md)
 
 ### 2. Pin Actions to a full length commit SHA
 
 #### Why is this needed?
 
-- GitHub Action tags and Docker tags are mutatble. This poses a security risk
+- GitHub Action tags and Docker tags are mutable, which poses a security risk
 - If the tag changes you will not have a chance to review the change before it gets used
 - GitHub's Security Hardening for GitHub Actions guide [recommends pinning actions to full length commit for third party actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).
 
 #### Before and After the fix
 
 Before the fix, your workflow may look like this (use of `v1` and `latest` tags)
 
-```yaml
-jobs:
-  integration-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v1
-      - name: Integration test
-        uses: docker://ghcr.io/step-security/integration-test/int:latest
-```
-
-After the fix, each Action and docker image will be pinned to an immutable checksum.
-
-```yaml
-jobs:
-  integration-test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
-      - name: Integration test
-        uses: docker://ghcr.io/step-security/integration-test/int@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0
-```
+After the fix, SecureWorkflows pins each Action and docker image to an immutable checksum.
+
+**Pull request example**: https://github.com/electron/electron/pull/36343
+
+In this pull request, the workflow file has the GitHub Actions tags pinned automatically to their full-length commit SHA.
+
+<p align="center"><img src="images/pin-example.png" alt="Screenshot of Action pinned to commit SHA" width="600" /></p>
 
 #### How does SecureWorkflows fix this issue?
 
@@ -159,45 +114,39 @@ jobs:
 
 #### Before and After the fix
 
-Before the fix, your workflow may look like this
-
-```yaml
-jobs:
-  closeissue:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Close Issue
-        uses: peter-evans/close-issue@v1
-        with:
-          issue-number: 1
-          comment: Auto-closing issue
-```
-
-After the fix, each workflow has the harden-runner Action added as the first step.
-
-```yaml
-jobs:
-  closeissue:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@v2
-        with:
-          egress-policy: audit
-
-      - name: Close Issue
-        uses: peter-evans/close-issue@v1
-        with:
-          issue-number: 1
-          comment: Auto-closing issue
-```
+**Pull request example**: https://github.com/python-attrs/attrs/pull/1034
+
+This pull request adds the Harden Runner GitHub Action to the workflow file.
+
+<p align="center"><img src="images/harden-runner-example.png" width="600" alt="Screenshot of Harden-Runner GitHub Action added to a workflow" /></p>
 
 #### How does SecureWorkflows fix this issue?
 
 SecureWorkflows updates the YAML file and adds [Harden-Runner GitHub Action](https://github.com/step-security/harden-runner) as the first step to each job.
 
+### 4. Add or update Dependabot configuration
+
+#### Why is this needed?
+
+- You enable Dependabot version updates by checking a `dependabot.yml` configuration file into your repository
+- Dependabot ensures that your repository automatically keeps up with the latest releases of the packages and applications it depends on
+
+#### Before and After the fix
+
+Before the fix, you might not have a `dependabot.yml` file or it might not cover all ecosystems used in your project.
+
+After the fix, the `dependabot.yml` file is added or updated with configuration for all package ecosystems used in your project.
+
+**Pull request example**: https://github.com/muir/libschema/pull/31
+
+This pull request updates the Dependabot configuration.
+
+<p align="center"><img src="images/dependabot-example.png" width="600" alt="Screenshot of Dependabot config updated" /></p>
+
+#### How does SecureWorkflows fix this issue?
+
+SecureWorkflows updates the `dependabot.yml` file to add missing ecosystems. For example, if the Dependabot configuration updates npm packages but not GitHub Actions, it is updated to add the GitHub Actions ecosystem.
+
 ## Contributing
 
 Contributions are welcome!