Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[StepSecurity] Apply security best practices #3314

Merged

Conversation

step-security-bot
Copy link
Contributor

Summary

This pull request is created by Secure Workflows at the request of @simi. Please merge the Pull Request to incorporate the requested changes. Please tag @simi on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The least privilged token permissions were calculate using Secure WorkFlows based on the actions included in the GitHub Workflow files. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

Pinned Dependencies

A pinned dependency is a dependency that is explicitly set to a specific hashed version instead of a mutable version. Pinned dependencis ensure that development and deployment are done with the same software versions which reduces deployment risks, and enables reproducibility. It can help mitigate compromised dependencies from undermining the security of the project in certain scenarios. The dependencies were pinned using Secure WorkFlows

Keeping your actions up to date with Dependabot

The package ecosystem to update github-actions is added using Secure WorkFlows. This is recommended by GitHub as well as The Open Source Security Foundation (OpenSSF).

Detect Vulnerabilities with SAST Workflow

Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a Code Review (also known as clear-box testing) and is carried out at the Implementation phase of a Security Development Lifecycle (SDL). Static Code Analysis commonly refers to the running of Static Code Analysis tools that attempt to highlight possible vulnerabilities within ‘static’ (non-running) source code by using techniques such as Taint Analysis and Data Flow Analysis.

Feedback

For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-workflows. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
@codecov
Copy link

codecov bot commented Dec 26, 2022

Codecov Report

Merging #3314 (b47cc6a) into master (9b69e2a) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #3314   +/-   ##
=======================================
  Coverage   98.52%   98.52%           
=======================================
  Files         113      113           
  Lines        3390     3390           
=======================================
  Hits         3340     3340           
  Misses         50       50           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@simi
Copy link
Member

simi commented Jan 16, 2023

I'll merge this and try to fix each individual problem in following PRs. 🙏

@simi simi merged commit 3f76535 into rubygems:master Jan 16, 2023
@simi simi mentioned this pull request Jan 16, 2023
@rubygems-org-shipit rubygems-org-shipit bot temporarily deployed to staging January 16, 2023 22:57 Inactive
@rubygems-org-shipit rubygems-org-shipit bot temporarily deployed to production January 18, 2023 15:12 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants