From 04d0293504affd8330af17b64b579a2ba7340496 Mon Sep 17 00:00:00 2001
From: behnazh
Date: Wed, 19 Jan 2022 06:45:55 +1000
Subject: [PATCH 1/3] feat: add scorecards analysis workflow

---
 .github/workflows/pull-request.yaml        |  3 +-
 .github/workflows/scorecards-analysis.yaml | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/scorecards-analysis.yaml

diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
index 6b9a34f3..cd88acd9 100644
--- a/.github/workflows/pull-request.yaml
+++ b/.github/workflows/pull-request.yaml
@@ -6,8 +6,7 @@ name: Pull Request
 
 on:
   pull_request:
-    branches:
-      - '*'
+    branches: [main, staging]
     types:
       - opened
       - edited
diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml
new file mode 100644
index 00000000..93eb6f38
--- /dev/null
+++ b/.github/workflows/scorecards-analysis.yaml
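Review bot: The `branches: [main, staging]` filter under `pull_request` selects on the PR's base branch, not its head, so pull requests opened against any other branch now get neither the title lint nor the Python checks this workflow runs, and nothing in the hunk records that the narrowing from `'*'` is intended. A one-line comment above the filter, `# Base-branch filter: PRs targeting branches other than main/staging skip these checks.`, would stop the next maintainer from reading it as a head-branch pattern. The `on:` block continues past the end of this hunk (`- synchronize` follows `- edited` outside it).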
@@ -0,0 +1,55 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+    - cron: 27 20 * * 1
+  push:
+    branches: [main, staging, add-scorecard]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@e7a29c14e6b337cf4310c70d1e9cd1565f0e9025 # v1.0.4
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Read-only PAT token. To create it,
+          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+          repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+          # Publish the results to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`,
+          # regardless of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional).
+      - name: Upload artifact
+        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 7
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        with:
+          sarif_file: results.sarif
From 7bcee9d8d62bab748a4f4d8be608fa43388f290b Mon Sep 17 00:00:00 2001
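Review bot: The `# Read-only PAT token` comment on `repo_token` overstates what the secret is: classic personal access tokens cannot be scoped read-only, so a PAT that satisfies the linked scorecard-action instructions (presumably `public_repo` or broader) grants write access to every repository its owner can push to, which makes `SCORECARD_READ_TOKEN` a far more sensitive secret than the comment implies. Issue it from a dedicated low-privilege account, rotate it on a schedule, and reword the comment to `# PAT for Scorecard's API calls. NOTE: classic PAT scopes are not read-only; keep this token on a dedicated account and rotate it.` so the next maintainer does not treat it as harmless. `persist-credentials: false` on the checkout is the right call here and should stay, since the PAT is the only credential this job needs beyond `GITHUB_TOKEN`. As a minor style point, `cron: '27 20 * * 1'` (quoted, as in the upstream template) keeps the bare `*` from being mistaken for YAML alias syntax by readers or linters.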
From: behnazh
Date: Wed, 11 May 2022 08:48:14 +1000
Subject: [PATCH 2/3] chore: adjust workflows based on scorecard results

---
 .github/workflows/check-and-release-main.yaml | 23 +++++++++++++++----
 .github/workflows/codeql-analysis.yaml        | 13 +++++++----
 .github/workflows/pull-request.yaml           | 23 +++++++++++++++----
 .github/workflows/release-notifications.yaml  |  7 +++++-
 .github/workflows/scorecards-analysis.yaml    | 16 ++++++++-----
 5 files changed, 63 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/check-and-release-main.yaml b/.github/workflows/check-and-release-main.yaml
index f59d73ac..93896561 100644
--- a/.github/workflows/check-and-release-main.yaml
+++ b/.github/workflows/check-and-release-main.yaml
@@ -5,6 +5,9 @@ on:
   push:
     branches:
       - main
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Check Python ${{ matrix.python }} on ${{ matrix.os }}
@@ -15,9 +18,14 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
         python: ['3.9', '3.10']
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
       - name: Set up Python
-        uses: actions/setup-python@v3.1.2
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
         with:
           python-version: ${{ matrix.python }}
       - name: Install dependencies
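Review bot: The new `Harden Runner` step is added to a job whose `os` matrix (context in this hunk) includes `macos-latest` and `windows-latest`, but step-security/harden-runner is documented as supporting Ubuntu runners only, so on the two non-Linux legs it will either fail the job or contribute nothing; guard it with `if: runner.os == 'Linux'` or state in a comment that only the Ubuntu leg is monitored. `egress-policy: audit` records outbound connections and blocks none of them, so until the TODO is resolved the step adds visibility rather than protection, and the eventual switch to `block` will also need an `allowed-endpoints` list derived from those audit logs. The `# vX.Y.Z` annotations that accompany the SHA pins in scorecards-analysis.yaml were not carried over here: `actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28` and `actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6` give no hint which release they are, which both a human auditor and the bots that keep pins current rely on, so append the tag each SHA was resolved from. The job's `runs-on` is outside this hunk; I am inferring from the job name that it runs on `${{ matrix.os }}`.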
@@ -33,15 +41,22 @@ jobs:
       - name: Build the docs
         run: make docs
   release:
+    permissions:
+      contents: write # for relekang/python-semantic-release to push release notes and new commits/tags
     needs: check
     name: Release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
         with:
           fetch-depth: 0
       - name: Python Semantic Release
-        uses: relekang/python-semantic-release@v7.28.1
+        uses: relekang/python-semantic-release@595352a8fb97f219cb8362e2a13e4f59d8064aa0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           pypi_token: '' # We don't publish to PyPi: ${{ secrets.PYPI_TOKEN }}
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index 54c45d68..60357ea8 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -33,11 +33,16 @@ jobs:
         python: ['3.9', '3.10']
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
 
       - name: Set up Python ${{ matrix.python }}
-        uses: actions/setup-python@v3.1.2
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
         with:
           python-version: ${{ matrix.python }}
       - name: Install dependencies
@@ -47,7 +52,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@c0982d28099e3cb8fd8b37cfd6c2cdfea4531853
         with:
           languages: ${{ matrix.language }}
           config-file: .github/codeql/codeql-config.yaml
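Review bot: `contents: write` is now granted to the whole `release` job, yet the checkout it feeds keeps the default `persist-credentials: true` (with `fetch-depth: 0`), so the write-capable `GITHUB_TOKEN` is left in `.git/config` for every later step rather than only for `relekang/python-semantic-release`; that is necessary only if semantic-release pushes through the checkout's stored credential instead of the `github_token` input it is handed, so confirm which path it uses and add `persist-credentials: false` to the checkout if the input suffices. Because this job can push tags and release commits, the harden-runner `egress-policy: audit` TODO matters more here than in the read-only jobs: audit mode logs outbound traffic and blocks nothing, so a compromised build dependency could still exfiltrate that token. The three new SHA pins in this hunk carry no `# vX.Y.Z` annotation, unlike the pins in scorecards-analysis.yaml; please record the tag each was resolved from.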
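Review bot: `uses: github/codeql-action/init@c0982d28099e3cb8fd8b37cfd6c2cdfea4531853` replaces the floating `@v1` with a bare commit SHA and nothing in the hunk records which release that commit is; the same is true of the `actions/checkout` and `actions/setup-python` pins in the hunk above it. A SHA pin without a `# vX.Y.Z` annotation cannot be audited at a glance and is skipped or mis-reported by the dependency bots that keep pins current, so append the tag each SHA was taken from on the `uses:` line, as scorecards-analysis.yaml already does. The Harden Runner step added to this job has the same `egress-policy: audit` TODO as the other workflows, and if the CodeQL matrix also spans non-Linux runners (its `runs-on` is outside this hunk) the Linux-only action needs an `if: runner.os == 'Linux'` guard.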
@@ -60,4 +65,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@c0982d28099e3cb8fd8b37cfd6c2cdfea4531853
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
index cd88acd9..03e1d62e 100644
--- a/.github/workflows/pull-request.yaml
+++ b/.github/workflows/pull-request.yaml
@@ -11,13 +11,23 @@ on:
       - opened
       - edited
       - synchronize
+permissions:
+  contents: read
+
 jobs:
   pr:
+    permissions:
+      pull-requests: read # for CondeNast/conventional-pull-request-action to get specific PR & list commits
     name: Lint PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: CondeNast/conventional-pull-request-action@v0.1.2
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
+      - uses: CondeNast/conventional-pull-request-action@eef02ae6e88e4b462f39931113b1a75cc275beee
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -33,9 +43,14 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
         python: ['3.9', '3.10']
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
       - name: Set up Python
-        uses: actions/setup-python@v3.1.2
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
         with:
           python-version: ${{ matrix.python }}
       - name: Install dependencies
diff --git a/.github/workflows/release-notifications.yaml b/.github/workflows/release-notifications.yaml
index 8f901ab0..720ccf5e 100644
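Review bot: The `pr` job is scoped down to `pull-requests: read` for `CondeNast/conventional-pull-request-action`, but its `actions/checkout` step still uses the default `persist-credentials: true`, which writes the `GITHUB_TOKEN` into `.git/config` on disk for a job that only reads PR metadata over the API; the scorecards workflow in this same series sets `persist-credentials: false`, and the checkout here should match it unless the action needs a checked-out config file — `- uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28`, `  with:`, `    persist-credentials: false`. The new Harden Runner step's `egress-policy: audit` is observation only; nothing is blocked until the TODO is resolved. The SHA pins added here lack the `# vX.Y.Z` annotation the scorecards workflow uses, which makes them hard to audit and to keep updated. The `with:` block of the CondeNast step continues past the end of the hunk.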
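Review bot: This `check` job's matrix lists `macos-latest` and `windows-latest` alongside Ubuntu (the `os` line is context in this hunk; `runs-on` sits just outside it), but step-security/harden-runner supports only Ubuntu runners, so the new `Harden Runner` step will fail or be a no-op on two thirds of the matrix; either guard it with `if: runner.os == 'Linux'` or add a comment stating that only the Ubuntu leg is monitored. Until the `egress-policy: audit` TODO is resolved the step logs egress without blocking it. The pinned `actions/checkout` and `actions/setup-python` SHAs carry no `# vX.Y.Z` annotation, unlike the pins in scorecards-analysis.yaml, which makes them hard to audit and to keep current.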
--- a/.github/workflows/release-notifications.yaml
+++ b/.github/workflows/release-notifications.yaml
@@ -14,7 +14,12 @@ jobs:
     if: ${{ false }}
     runs-on: ubuntu-latest
     steps:
-      - uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da # v1.18.0
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+      - uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da
         with:
           payload: |
             {
diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml
index 93eb6f38..261d4a97 100644
--- a/.github/workflows/scorecards-analysis.yaml
+++ b/.github/workflows/scorecards-analysis.yaml
@@ -5,7 +5,7 @@ on:
   schedule:
     - cron: 27 20 * * 1
   push:
-    branches: [main, staging, add-scorecard]
+    branches: [main]
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -21,13 +21,18 @@ jobs:
       contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+        with:
+          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
       - name: Checkout code
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+        uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
         with:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@e7a29c14e6b337cf4310c70d1e9cd1565f0e9025 # v1.0.4
+        uses: ossf/scorecard-action@e7a29c14e6b337cf4310c70d1e9cd1565f0e9025
         with:
           results_file: results.sarif
           results_format: sarif
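Review bot: The only edit to the Slack step is dropping the `# v1.18.0` annotation from an otherwise unchanged pin (`slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da`), which removes the one human-readable clue to what that commit is and leaves the pin harder to audit and to bump; please restore the comment. This job is also disabled by `if: ${{ false }}` (context at the top of the hunk), so the new Harden Runner step never executes: if the job is meant to stay off the hardening is dead configuration, and if it is meant to come back the `egress-policy: audit` TODO still needs resolving first. The `payload: |` block scalar continues past the end of this hunk.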
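Review bot: `uses: ossf/scorecard-action@e7a29c14e6b337cf4310c70d1e9cd1565f0e9025` is unchanged apart from losing its `# v1.0.4` annotation, and the checkout loses `# v2.4.0` at the same time its SHA moves to `d0651293c4a5a52e711f25b41b05b2212f385d28` with no tag recorded; this workflow was the one place in the repository whose pins carried the SHA-plus-version form that the scorecard-action template uses, so keep the existing comments and add one for the new checkout SHA. The Harden Runner step lands in a job whose `permissions` block (context above) already grants `security-events: write`; with `egress-policy: audit` it only logs, so the actual benefit arrives when the TODO is resolved with `block` and an `allowed-endpoints` list covering the GitHub API, Scorecard's publish endpoint, and whatever else the audit runs show. The `Run analysis` step's `with:` block continues past the end of this hunk.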
@@ -42,14 +47,13 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: Upload artifact
-        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
         with:
           name: SARIF file
           path: results.sarif
-          retention-days: 7
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5
         with:
           sarif_file: results.sarif
From 11bedb02ae353797076b7d1ff02fa148c6426dea Mon Sep 17 00:00:00 2001
From: behnazh
Date: Fri, 13 May 2022 08:07:04 +1000
Subject: [PATCH 3/3] chore: add the description of Scorecard to README

---
 .github/workflows/scorecards-analysis.yaml | 16 ++++++++--------
 UPSTREAM_README.md                         |  2 ++
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/scorecards-analysis.yaml b/.github/workflows/scorecards-analysis.yaml
index 261d4a97..0a37b470 100644
--- a/.github/workflows/scorecards-analysis.yaml
+++ b/.github/workflows/scorecards-analysis.yaml
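Review bot: Removing `retention-days: 7` from the SARIF artifact upload silently reverts it to the repository's default artifact retention (90 days on github.com unless the organisation lowers it), so a downloadable listing of the project's supply-chain weaknesses now lingers far longer than before; the same results already reach code scanning in the next step, so keep the artifact short-lived by restoring `retention-days: 7` (or smaller). `actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535` is pinned to a new SHA with no tag comment, and `github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5` keeps its SHA but loses `# v1.0.26`; both should carry a `# vX.Y.Z` annotation so the pins can be audited and bumped.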
@@ -36,23 +36,23 @@ jobs:
         with:
           results_file: results.sarif
           results_format: sarif
-          # Read-only PAT token. To create it,
-          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+          # Read-only PAT token. To create it,
+          # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
           repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
-          # Publish the results to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories, `publish_results` will automatically be set to `false`,
-          # regardless of the value entered here.
+          # Publish the results to enable scorecard badges. For more details, see
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`,
+          # regardless of the value entered here.
           publish_results: true
 
-      # Upload the results as artifacts (optional).
+      # Upload the results as artifacts (optional).
       - name: Upload artifact
         uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
         with:
           name: SARIF file
           path: results.sarif
 
-      # Upload the results to GitHub's code scanning dashboard.
+      # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
         uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5
         with:
diff --git a/UPSTREAM_README.md b/UPSTREAM_README.md
index df92f4f0..7540e043 100644
--- a/UPSTREAM_README.md
+++ b/UPSTREAM_README.md
@@ -54,6 +54,8 @@ Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/ [CodeQL](https://codeql.github.com/) is enabled to scan the Python code for security vulnerabilities. You can adjust the GitHub Actions workflow at `.github/workflows/codeql-analysis.yaml` and the configuration file at `.github/codeql/codeql-config.yaml` to add more languages, change the default paths, scan schedule, and queries. +[OSSF Security Scorecards](https://github.com/ossf/scorecard) is enabled as a GitHub Actions workflow to give the consumers information about the supply-chain security posture of this project, assigning a score of 0-10. We upload the results as a SARIF (Static Analysis Results Interchange Format) artifact after each run and the results can be found at the Security tab of this GitHub project. We also allow publishing the data at OpenSSF. We use this data to continuously improve the security posture of this project. Note that this configuration supports the ``main`` (default) branch and requires the repository to be public and not forked. + Additionally, the [bandit](https://github.com/PyCQA/bandit) tool is being installed as part of a development environment (i.e. the `[dev]` package extra); however, bandit does not run automatically! Instead, you can invoke it manually: ```bash