Merge pull request #1901 from step-security/rename-secure-repo

varunsh-coder · web-flow · commit ee3b1ddff60b · 2023-02-06T21:40:37.000-08:00
Update README for rename to secure-repo
diff --git a/README.md b/README.md
@@ -1,17 +1,15 @@
-<p align="center"><img src="images/banner.png" height="80" /></p>
-
-<h1 align="center">Secure Workflows</h1>
+<p align="center"><img src="images/banner1.png" height="80" /></p>
 
 <p align="center">
-Secure GitHub Actions CI/CD workflows via automated remediations
+Secure your GitHub repo with ease through automated security fixes
 </p>
 
 <div align="center">
 
-[![Maintained by stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=secure-workflows)
-[![Go Report Card](https://goreportcard.com/badge/github.com/step-security/secure-workflows)](https://goreportcard.com/report/github.com/step-security/secure-workflows)
-[![codecov](https://codecov.io/gh/step-security/secure-workflows/branch/main/graph/badge.svg?token=02ONA6U92A)](https://codecov.io/gh/step-security/secure-workflows)
-[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/secure-workflows/badge)](https://api.securityscorecards.dev/projects/github.com/step-security/secure-workflows)
+[![Maintained by stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github&utm_medium=organic_oss&utm_campaign=secure-repo)
+[![Go Report Card](https://goreportcard.com/badge/github.com/step-security/secure-repo)](https://goreportcard.com/report/github.com/step-security/secure-repo)
+[![codecov](https://codecov.io/gh/step-security/secure-repo/branch/main/graph/badge.svg?token=02ONA6U92A)](https://codecov.io/gh/step-security/secure-repo)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/secure-repo/badge)](https://api.securityscorecards.dev/projects/github.com/step-security/secure-repo)
 
 </div>
 
@@ -31,7 +29,7 @@ Secure GitHub Actions CI/CD workflows via automated remediations
 
 ### Hosted Instance: [app.stepsecurity.io/securerepo](https://app.stepsecurity.io/securerepo)
 
-To secure GitHub Actions workflows using a pull request:
+To secure your GitHub repo using a pull request:
 
 - Go to https://app.stepsecurity.io/securerepo and enter your public GitHub repository
 - Log in using your GitHub Account (no need to install any App or grant `write` access)
@@ -44,7 +42,7 @@ To secure GitHub Actions workflows using a pull request:
 - Follow the remediation tip that points to https://app.stepsecurity.io
 
 <p align="center">
-  <img src="images/SecureWorkflowsIntegration.png" alt="Secure workflow Scorecard integration screenshot" width="600">
+  <img src="images/SecureWorkflowsIntegration.png" alt="Secure repo Scorecard integration screenshot" width="600">
 </p>
 
 ### Self Hosted
@@ -75,11 +73,11 @@ In this pull request, minimum permissions are set automatically for the GITHUB_T
 
 <p align="center"><img src="images/token-perm-example.png" alt="Screenshot of token permissions set in a workflow" width="600" /></p>
 
-#### How does SecureWorkflows fix this issue?
+#### How does Secure-Repo fix this issue?
 
-- SecureWorkflows stores the permissions needed by different GitHub Actions in a [knowledge base](<(https://github.com/step-security/secure-workflows/tree/main/knowledge-base/actions)>)
+- Secure-Repo stores the permissions needed by different GitHub Actions in a [knowledge base](<(https://github.com/step-security/secure-repo/tree/main/knowledge-base/actions)>)
 - It looks up the permissions needed by each Action in your workflow and sums the permissions up to come up with a final recommendation
-- If you are the owner of a GitHub Action, please [contribute to the knowledge base](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/README.md)
+- If you are the owner of a GitHub Action, please [contribute to the knowledge base](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md)
 
 ### 2. Pin Actions to a full length commit SHA
 
@@ -93,17 +91,17 @@ In this pull request, minimum permissions are set automatically for the GITHUB_T
 
 Before the fix, your workflow may look like this (use of `v1` and `latest` tags)
 
-After the fix, SecureWorkflows pins each Action and docker image to an immutable checksum.
+After the fix, Secure-Repo pins each Action and docker image to an immutable checksum.
 
 **Pull request example**: https://github.com/electron/electron/pull/36343
 
 In this pull request, the workflow file has the GitHub Actions tags pinned automatically to their full-length commit SHA.
 
 <p align="center"><img src="images/pin-example.png" alt="Screenshot of Action pinned to commit SHA" width="600" /></p>
 
-#### How does SecureWorkflows fix this issue?
+#### How does Secure-Repo fix this issue?
 
-- SecureWorkflows automates the process of getting the commit SHA for each mutable Action version or Docker image tag
+- Secure-Repo automates the process of getting the commit SHA for each mutable Action version or Docker image tag
 - It does this by using GitHub and Docker registry APIs
 
 ### 3. Add Harden-Runner GitHub Action to each job
@@ -120,9 +118,9 @@ This pull request adds the Harden Runner GitHub Action to the workflow file.
 
 <p align="center"><img src="images/harden-runner-example.png" width="600" alt="Screenshot of Harden-Runner GitHub Action added to a workflow" /></p>
 
-#### How does SecureWorkflows fix this issue?
+#### How does Secure-Repo fix this issue?
 
-SecureWorkflows updates the YAML file and adds [Harden-Runner GitHub Action](https://github.com/step-security/harden-runner) as the first step to each job.
+Secure-Repo updates the YAML file and adds [Harden-Runner GitHub Action](https://github.com/step-security/harden-runner) as the first step to each job.
 
 ### 4. Add or update Dependabot configuration
 
@@ -143,9 +141,9 @@ This pull request updates the Dependabot configuration.
 
 <p align="center"><img src="images/dependabot-example.png" width="600" alt="Screenshot of Dependabot config updated" /></p>
 
-#### How does SecureWorkflows fix this issue?
+#### How does Secure-Repo fix this issue?
 
-SecureWorkflows updates the `dependabot.yml` file to add missing ecosystems. For example, if the Dependabot configuration updates npm packages but not GitHub Actions, it is updated to add the GitHub Actions ecosystem.
+Secure-Repo updates the `dependabot.yml` file to add missing ecosystems. For example, if the Dependabot configuration updates npm packages but not GitHub Actions, it is updated to add the GitHub Actions ecosystem.
 
 ### 5. Add CodeQL workflow (SAST)
 
@@ -163,12 +161,12 @@ After the fix, a `codeql.yml` GitHub Actions workflow gets added to your project
 
 This pull request adds CodeQL to the list of workflows.
 
-#### How does SecureWorkflows fix this issue?
+#### How does Secure-Repo fix this issue?
 
-SecureWorkflows has a [workflow-templates](https://github.com/step-security/secure-workflows/tree/main/workflow-templates) folder. This folder has the default CodeQL workflow, which gets added as part of the pull request. The placeholder for languages in the template gets replaced with languages for your GitHub repository.
+Secure-Repo has a [workflow-templates](https://github.com/step-security/secure-repo/tree/main/workflow-templates) folder. This folder has the default CodeQL workflow, which gets added as part of the pull request. The placeholder for languages in the template gets replaced with languages for your GitHub repository.
 
 ## Contributing
 
 Contributions are welcome!
 
-If you are the owner of a GitHub Action, please contribute information about the use of GITHUB_TOKEN for your Action. This will enable the community to automatically calculate minimum token permissions for the GITHUB_TOKEN for their workflows. Check out the [Contributing Guide](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/README.md)
+If you are the owner of a GitHub Action, please contribute information about the use of GITHUB_TOKEN for your Action. This will enable the community to automatically calculate minimum token permissions for the GITHUB_TOKEN for their workflows. Check out the [Contributing Guide](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/README.md)
diff --git a/images/banner1.png b/images/banner1.png
diff --git a/knowledge-base/actions/README.md b/knowledge-base/actions/README.md
@@ -6,7 +6,7 @@ If you are the owner of a GitHub Action, please contribute information about the
 
 To contribute information about the use of `GITHUB_TOKEN` for your Action:
 
-1. Add a folder for your GitHub Action under the [`knowledge-base/actions`](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/) folder. It should match the path of your GitHub Action's `action.yml` file. As an example, 
+1. Add a folder for your GitHub Action under the [`knowledge-base/actions`](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/) folder. It should match the path of your GitHub Action's `action.yml` file. As an example, 
    - If your GitHub Action's `action.yml` file is at the root, e.g. https://github.com/stelligent/cfn_nag/blob/master/action.yml, the path should be `knowledge-base/actions/stelligent/cfn_nag`
    - If your GitHub Action's `action.yml` file is in a sub folder, e.g. at https://github.com/snyk/actions/blob/master/gradle/action.yml, the path should be `knowledge-base/actions/snyk/actions/gradle`
 2. In the folder for your GitHub Action, add an `action-security.yml` file.
@@ -19,7 +19,7 @@ For this scenario,
 1. Add a `name` attribute in your `action-security.yml` file. You can set the name to be same as the name in your `action.yml` file. 
 2. In a comment just mention that the GitHub token is not used. 
 
-Here is an [example](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/stelligent/cfn_nag/action-security.yml). 
+Here is an [example](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/stelligent/cfn_nag/action-security.yml). 
 
 ``` yaml
 name: 'Stelligent cfn_nag' # stelligent/cfn_nag
@@ -33,13 +33,13 @@ Note: if your Action just uses `metadata` permission to overcome throttle limits
 For this scenario, follow these steps:
 1. Add a `name` attribute in your `action-security.yml` file. You can set the name to be same as the name in your `action.yml` file. 
 2. Mention where you expect the GitHub token.
-    - If you expect it as an environment variable, you specify it this way. Here is an [example](https://github.com/step-security/secure-workflows/blob/00c05310c1c97a91b98c46f904e857a617a2fc02/knowledge-base/actions/dev-drprasad/delete-tag-and-release/action-security.yml):
+    - If you expect it as an environment variable, you specify it this way. Here is an [example](https://github.com/step-security/secure-repo/blob/00c05310c1c97a91b98c46f904e857a617a2fc02/knowledge-base/actions/dev-drprasad/delete-tag-and-release/action-security.yml):
     ``` yaml
     name: Delete tag and release
     github-token:
       environment-variable-name: GITHUB_TOKEN      
     ```
-    - If you expect it as an action input, you specify it as shown below. If you set the default value for the token to be the GITHUB_TOKEN, then set the “is-default” attribute to true. Here is an [example](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/irongut/editrelease/action-security.yml):
+    - If you expect it as an action input, you specify it as shown below. If you set the default value for the token to be the GITHUB_TOKEN, then set the “is-default” attribute to true. Here is an [example](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/irongut/editrelease/action-security.yml):
     ``` yaml
     name: 'Edit Release'
     github-token:
@@ -48,7 +48,7 @@ For this scenario, follow these steps:
         is-default: false      
     ```
   3. Mention the permissions needed and a reason for the permissions. The reason must start with the word `to`. 
-  Here is an [example](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/peter-evans/create-or-update-comment/action-security.yml):
+  Here is an [example](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/peter-evans/create-or-update-comment/action-security.yml):
   ``` yaml
   name: 'Create or Update Comment'
   github-token:
@@ -78,7 +78,7 @@ The above two scenarios should take care of most of the cases. For more advanced
 
 This example is for `peter-evans/close-issue` GitHub Action. It shows that the Action expects GitHub token as an action input, the name of the input is `token`, and that it is set to `GITHUB_TOKEN` as the default value. It also shows that the permissions needed for the Action are `issues: write` and the reason for that permission is specified in the `issues-reason` key.
 
-[`knowledge-base/actions/peter-evans/close-issue/action-security.yml`](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/peter-evans/close-issue/action-security.yml)
+[`knowledge-base/actions/peter-evans/close-issue/action-security.yml`](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/peter-evans/close-issue/action-security.yml)
 
 ``` yaml
 github-token:
@@ -110,7 +110,7 @@ github-token:
 
 This example is for `github/super-linter` GitHub Action. It shows that the Action expects GitHub token as an environment variable, the name of the environment variable is `GITHUB_TOKEN`. It also shows that the permissions needed for the Action are `statuses: write` and the reason for that permission is specified in the `statuses-reason` key.
 
-[`knowledge-base/actions/github/super-linter/action-security.yml`](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/github/super-linter/action-security.yml)
+[`knowledge-base/actions/github/super-linter/action-security.yml`](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/github/super-linter/action-security.yml)
 
 ``` yaml
 name: 'Super-Linter'
@@ -129,7 +129,7 @@ github-token:
 
 This example is for `actions/setup-node` GitHub Action. It shows that the Action expects GitHub token as an Action input. The permissions key is set, but no scopes are defined, since it only uses it for rate-limiting.
 
-[`knowledge-base/actions/actions/setup-node/action-security.yml`](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/actions/setup-node/action-security.yml)
+[`knowledge-base/actions/actions/setup-node/action-security.yml`](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/actions/setup-node/action-security.yml)
 
 ``` yaml
 name: 'Setup Node.js environment'
@@ -152,7 +152,7 @@ github-token:
 
 As an example, consider this `action-security.yml` for `peter-evans/close-issue` GitHub Action.
 
-[`knowledge-base/actions/peter-evans/close-issue/action-security.yml`](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/peter-evans/close-issue/action-security.yml)
+[`knowledge-base/actions/peter-evans/close-issue/action-security.yml`](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/peter-evans/close-issue/action-security.yml)
 
 ``` yaml
 github-token:
@@ -189,7 +189,7 @@ jobs:
 
 As an example, consider this `action-security.yml` for `dessant/lock-threads` GitHub Action. The `issues` scope only applies if either the `with` (action input) does not have `process-only` or `process-only` is set to `issues`.
 
-[`knowledge-base/actions/dessant/lock-threads/action-security.yml`](https://github.com/step-security/secure-workflows/blob/main/knowledge-base/actions/dessant/lock-threads/action-security.yml)
+[`knowledge-base/actions/dessant/lock-threads/action-security.yml`](https://github.com/step-security/secure-repo/blob/main/knowledge-base/actions/dessant/lock-threads/action-security.yml)
 
 ``` yaml
 github-token:
