From b72d1ae33e822682215257901992765c53894193 Mon Sep 17 00:00:00 2001 From: Behnaz Hassanshahi Date: Wed, 18 May 2022 09:06:40 +1000 Subject: [PATCH] feat: add scorecards analysis workflow (#105) --- .github/workflows/check-and-release-main.yaml | 23 ++++++-- .github/workflows/codeql-analysis.yaml | 13 ++-- .github/workflows/pull-request.yaml | 26 ++++++-- .github/workflows/release-notifications.yaml | 7 ++- .github/workflows/scorecards-analysis.yaml | 59 +++++++++++++++++++ UPSTREAM_README.md | 2 + 6 files changed, 115 insertions(+), 15 deletions(-) create mode 100644 .github/workflows/scorecards-analysis.yaml diff --git a/.github/workflows/check-and-release-main.yaml b/.github/workflows/check-and-release-main.yaml index f59d73ac..93896561 100644 --- a/.github/workflows/check-and-release-main.yaml +++ b/.github/workflows/check-and-release-main.yaml @@ -5,6 +5,9 @@ on: push: branches: - main +permissions: + contents: read + jobs: check: name: Check Python ${{ matrix.python }} on ${{ matrix.os }} @@ -15,9 +18,14 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] python: ['3.9', '3.10'] steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Set up Python - uses: actions/setup-python@v3.1.2 + uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 with: python-version: ${{ matrix.python }} - name: Install dependencies 
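Review bot: The `check` job's checkout step keeps the default `persist-credentials: true`, so the job's GITHUB_TOKEN is stored in `.git/config` and remains available to the later `Set up Python` and `Install dependencies` steps, none of which appear to need git credentials. The new scorecards-analysis.yaml checkout in this same commit already sets `persist-credentials: false`; the same `with:` block fits here: `- uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28` followed by `with:` / `persist-credentials: false`. The first codeql-analysis.yaml hunk and the second pull-request.yaml hunk check out the same way and would take the same change. The `check` job's step list continues past the end of this hunk.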
@@ -33,15 +41,22 @@ jobs: - name: Build the docs run: make docs release: + permissions: + contents: write # for relekang/python-semantic-release to push release notes and new commits/tags needs: check name: Release runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 with: fetch-depth: 0 - name: Python Semantic Release - uses: relekang/python-semantic-release@v7.28.1 + uses: relekang/python-semantic-release@595352a8fb97f219cb8362e2a13e4f59d8064aa0 with: github_token: ${{ secrets.GITHUB_TOKEN }} pypi_token: '' # We don't publish to PyPi: ${{ secrets.PYPI_TOKEN }} diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml index 54c45d68..60357ea8 100644 --- a/.github/workflows/codeql-analysis.yaml +++ b/.github/workflows/codeql-analysis.yaml @@ -33,11 +33,16 @@ jobs: python: ['3.9', '3.10'] steps: + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Set up Python ${{ matrix.python }} - uses: actions/setup-python@v3.1.2 + uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 with: python-version: ${{ matrix.python }} - name: Install dependencies @@ -47,7 +52,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@c0982d28099e3cb8fd8b37cfd6c2cdfea4531853 with: languages: ${{ matrix.language }} config-file: .github/codeql/codeql-config.yaml 
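Review bot: `github/codeql-action` is pinned to two different commits in this change: `init` here and `analyze` in the next hunk use `c0982d28099e3cb8fd8b37cfd6c2cdfea4531853`, while `upload-sarif` in the new scorecards-analysis.yaml uses `5f532563584d71fdef14ee64d17bafb34f751ce5`. Pinning every `github/codeql-action/*` reference to one commit keeps the three steps on the same release and lets a single bump move them together. Whichever commit is kept, a trailing `# v<version>` comment on each pinned `uses:` line would make the intended release visible, since the `@v1` tag the pin replaces no longer says it.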
@@ -60,4 +65,4 @@ jobs: # queries: ./path/to/local/query, your-org/your-repo/queries@main - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@c0982d28099e3cb8fd8b37cfd6c2cdfea4531853 diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 6b9a34f3..03e1d62e 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -6,19 +6,28 @@ name: Pull Request on: pull_request: - branches: - - '*' + branches: [main, staging] types: - opened - edited - synchronize +permissions: + contents: read + jobs: pr: + permissions: + pull-requests: read # for CondeNast/conventional-pull-request-action to get specific PR & list commits name: Lint PR title runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: CondeNast/conventional-pull-request-action@v0.1.2 + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 + - uses: CondeNast/conventional-pull-request-action@eef02ae6e88e4b462f39931113b1a75cc275beee env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -34,9 +43,14 @@ jobs: os: [ubuntu-latest, macos-latest, windows-latest] python: ['3.9', '3.10'] steps: - - uses: actions/checkout@v3 + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 - name: Set up Python - uses: actions/setup-python@v3.1.2 + uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 with: python-version: ${{ matrix.python }} - name: Install dependencies 
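Review bot: The `pr` job's job-level `permissions:` block lists only `pull-requests: read`; a job-level block replaces the workflow-level one rather than extending it, so `contents` becomes `none` for this job even though the workflow now declares `contents: read` at the top. The job still runs `actions/checkout`, which presumably succeeds on a public repository but may fail on a private or forked one; declaring the scope explicitly removes the ambiguity: `permissions:` / `contents: read` / `pull-requests: read`. The `release` job in check-and-release-main.yaml uses the same job-level pattern but declares only `contents: write`, which is the scope it actually uses, so it needs no change.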
diff --git a/.github/workflows/release-notifications.yaml b/.github/workflows/release-notifications.yaml index 8f901ab0..720ccf5e 100644 --- a/.github/workflows/release-notifications.yaml +++ b/.github/workflows/release-notifications.yaml @@ -14,7 +14,12 @@ jobs: if: ${{ false }} runs-on: ubuntu-latest steps: - - uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da # v1.18.0 + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da with: payload: | { diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml new file mode 100644 index 00000000..0a37b470 --- /dev/null +++ b/.github/workflows/scorecards-analysis.yaml 
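Review bot: The replaced `slackapi/slack-github-action` line drops the trailing `# v1.18.0` comment while keeping the same commit SHA, so the only human-readable record of which release is pinned is lost. Keeping the comment costs nothing and is the convention the other SHA pins in this commit would also benefit from: `- uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da # v1.18.0`. The job is gated by `if: ${{ false }}`, so this is a maintainability point rather than a runtime one.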
@@ -0,0 +1,59 @@ +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + - cron: 27 20 * * 1 + push: + branches: [main] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + actions: read + contents: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 + with: + egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs + + - name: Checkout code + uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@e7a29c14e6b337cf4310c70d1e9cd1565f0e9025 + with: + results_file: results.sarif + results_format: sarif + # Read-only PAT token. To create it, + # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # Publish the results to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, + # regardless of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). + - name: Upload artifact + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 + with: + name: SARIF file + path: results.sarif + + # Upload the results to GitHub's code scanning dashboard. + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 + with: + sarif_file: results.sarif diff --git a/UPSTREAM_README.md b/UPSTREAM_README.md index df92f4f0..7540e043 100644 --- a/UPSTREAM_README.md +++ b/UPSTREAM_README.md 
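Review bot: `- cron: 27 20 * * 1` is an unquoted plain scalar; it parses as a string only because of the embedded spaces, and an edit that moves `*` to the front would turn it into an alias reference, so quote it as `- cron: '27 20 * * 1'` as yamllint and the GitHub schedule examples do. `repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}` expands to an empty string when that repository secret has not been created, which the surrounding comment does not say; presumably the scorecard step then fails, and a comment such as `# Requires the SCORECARD_READ_TOKEN repository secret (read-only PAT) to be configured` would save the next maintainer a failed run. Setting `persist-credentials: false` on this checkout is the right call and is the pattern the other workflows in this commit should follow.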
@@ -54,6 +54,8 @@ Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/ [CodeQL](https://codeql.github.com/) is enabled to scan the Python code for security vulnerabilities. You can adjust the GitHub Actions workflow at `.github/workflows/codeql-analysis.yaml` and the configuration file at `.github/codeql/codeql-config.yaml` to add more languages, change the default paths, scan schedule, and queries. +[OSSF Security Scorecards](https://github.com/ossf/scorecard) is enabled as a GitHub Actions workflow to give the consumers information about the supply-chain security posture of this project, assigning a score of 0-10. We upload the results as a SARIF (Static Analysis Results Interchange Format) artifact after each run and the results can be found at the Security tab of this GitHub project. We also allow publishing the data at OpenSSF. We use this data to continuously improve the security posture of this project. Note that this configuration supports the ``main`` (default) branch and requires the repository to be public and not forked. + Additionally, the [bandit](https://github.com/PyCQA/bandit) tool is being installed as part of a development environment (i.e. the `[dev]` package extra); however, bandit does not run automatically! Instead, you can invoke it manually: ```bash