From 8d2b2a85ab15202d41133a4a07cb40a61a9e37db Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 4 Jul 2024 11:42:17 -0700 Subject: [PATCH] [StepSecurity] Apply security best practices (#6853) Signed-off-by: StepSecurity Bot --- .github/workflows/codeql-analysis.yml | 8 ++-- .github/workflows/nightly.yaml | 36 ++++++++-------- .github/workflows/post-merge.yaml | 22 +++++----- .github/workflows/post-tag.yaml | 18 ++++---- .github/workflows/pull-request.yaml | 60 +++++++++++++-------------- wasm/Dockerfile | 2 +- 6 files changed, 73 insertions(+), 73 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 28b7a55cbe..34ae7379f0 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -30,20 +30,20 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: go_version name: Read go version run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT - name: Install Go (${{ steps.go_version.outputs.go_version }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ steps.go_version.outputs.go_version }} # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -59,4 +59,4 @@ jobs: make build - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 080e666ae8..755f21bc1d 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml 
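Review bot: Pinning every `uses:` to a commit SHA closes the moving-tag attack, but a pinned SHA never moves either, so from this commit on these workflows stop receiving action security fixes unless something keeps the pins fresh; the `# v4.1.7`-style comments are free text that GitHub does not verify, so they can drift from the SHA they annotate. The diffstat touches only the five workflows and the Dockerfile, so unless a `.github/dependabot.yml` (or Renovate config) already covers `github-actions`, add one — Dependabot rewrites the SHA and the version comment together. Separately, this hunk starts at line 30, so whether the workflow declares a least-privilege top-level `permissions:` block (CodeQL analysis needs `security-events: write` plus read access) is not visible here and the commit does not touch it; worth checking while the file is open.
```yaml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
```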
@@ -11,13 +11,13 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Test with Race Detector run: CGO_ENABLED=1 make ci-go-race-detector - name: Slack Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} if: ${{ failure() && env.SLACK_WEBHOOK_URL }} @@ -30,14 +30,14 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: go_version name: Read go version run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT - name: Install Go (${{ steps.go_version.outputs.go_version }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ steps.go_version.outputs.go_version }} @@ -49,7 +49,7 @@ jobs: run: find ast/testdata/fuzz ! -name '*.stmt' ! -type d -print -exec cat {} \; - name: Slack Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} if: ${{ failure() && env.SLACK_WEBHOOK_URL }} @@ -62,7 +62,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Benchmark Test Golang run: make ci-go-perf @@ -71,7 +71,7 @@ jobs: DOCKER_RUNNING: 0 - name: Slack Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} if: ${{ failure() && env.SLACK_WEBHOOK_URL }} 
@@ -84,14 +84,14 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Vendor without proxy run: make check-go-module timeout-minutes: 30 - name: Slack Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} if: ${{ failure() && env.SLACK_WEBHOOK_URL }} @@ -104,14 +104,14 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code # needed for .trivyignore file - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - run: "docker pull openpolicyagent/opa:edge-static" # Equivalent to: # $ trivy image openpolicyagent/opa:edge-static - name: Run Trivy scan on image - uses: aquasecurity/trivy-action@0.23.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 with: image-ref: 'openpolicyagent/opa:edge-static' format: table @@ -121,7 +121,7 @@ jobs: severity: CRITICAL,HIGH - name: Slack Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} if: ${{ failure() && env.SLACK_WEBHOOK_URL }} @@ -134,12 +134,12 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 # Equivalent to: # $ trivy fs . - name: Run Trivy scan on repo - uses: aquasecurity/trivy-action@0.23.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 with: scan-type: fs format: table 
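Review bot: Pinning `aquasecurity/trivy-action` to `7c2007bc…` fixes the wrapper action, but not necessarily what does the scanning: whether this release of the action bakes in a specific Trivy binary or downloads one at run time is worth checking, and the vulnerability database is fetched fresh on every run regardless, so nightly results can change with no change to this file. If the action exposes a scanner-version input, set it next to the pin and bump the two together; otherwise make the expectation explicit with a comment on the `uses:` line, e.g. `# SHA pins the action wrapper; Trivy DB (and possibly the binary) are fetched at run time`. The image scan pulls `openpolicyagent/opa:edge-static` by mutable tag, which is appropriate for a nightly scan of the latest edge build but means a given run is not tied to a specific commit — fine as long as that is the intent.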
@@ -149,7 +149,7 @@ jobs: severity: CRITICAL,HIGH - name: Slack Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} if: ${{ failure() && env.SLACK_WEBHOOK_URL }} @@ -161,13 +161,13 @@ jobs: name: Go vulnerability check runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: go_version name: Read go version run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT - name: Install Go (${{ steps.go_version.outputs.go_version }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ steps.go_version.outputs.go_version }} @@ -175,7 +175,7 @@ jobs: - run: govulncheck ./... - name: Slack Notification - uses: 8398a7/action-slack@v3 + uses: 8398a7/action-slack@28ba43ae48961b90635b50953d216767a6bea486 # v3.16.2 env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK }} if: ${{ failure() && env.SLACK_WEBHOOK_URL }} diff --git a/.github/workflows/post-merge.yaml b/.github/workflows/post-merge.yaml index 47b95773f9..770543ebc0 100644 --- a/.github/workflows/post-merge.yaml +++ b/.github/workflows/post-merge.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: token: ${{ secrets.GH_PUSH_TOKEN }} # required to push to protected branch below @@ -72,7 +72,7 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Unit Test Golang run: make ci-go-test-coverage 
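Review bot: In the post-merge checkout hunk the `GH_PUSH_TOKEN` passed to `actions/checkout` is, with the action's default `persist-credentials: true`, stored in the checkout's git config and remains readable by every later step of the job — the `make` targets and any third-party action included — and a token that can push to a protected branch is exactly what a compromised step would reach for; the SHA pin narrows who can ship such a compromise but does not change the exposure. Since the push happens in a later step outside this hunk (per the `# required to push to protected branch below` comment), consider `persist-credentials: false` on this checkout and supplying the token only to the push step through its own `env:`, or at minimum confirm the token is a fine-grained one scoped to this repository and to contents write. `post-tag.yaml` has a checkout of the same shape and deserves the same treatment.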
@@ -84,7 +84,7 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Build Linux and Windows run: make ci-go-ci-build-linux ci-go-ci-build-linux-static ci-go-ci-build-windows @@ -100,7 +100,7 @@ jobs: TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} - name: Upload binaries - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: binaries-linux-windows @@ -112,14 +112,14 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: go_version name: Read go version run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT - name: Install Go (${{ steps.go_version.outputs.go_version }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ steps.go_version.outputs.go_version }} @@ -132,7 +132,7 @@ jobs: TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} - name: Upload binaries (darwin) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: binaries-darwin @@ -144,21 +144,21 @@ jobs: needs: [release-build, release-build-darwin] steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Test run: make ci-release-test timeout-minutes: 60 - name: Download release binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: binaries-* merge-multiple: true path: _release - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - name: Deploy OPA Edge env: 
@@ -178,7 +178,7 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Build and Push opa-wasm-builder env: diff --git a/.github/workflows/post-tag.yaml b/.github/workflows/post-tag.yaml index 0fd94114ff..f061b7b42d 100644 --- a/.github/workflows/post-tag.yaml +++ b/.github/workflows/post-tag.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: token: ${{ secrets.GH_PUSH_TOKEN }} @@ -24,7 +24,7 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Build Linux and Windows run: make ci-go-ci-build-linux ci-go-ci-build-linux-static ci-go-ci-build-windows @@ -40,7 +40,7 @@ jobs: TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} - name: Upload binaries - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: binaries-linux-windows @@ -52,14 +52,14 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: go_version name: Read go version run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT - name: Install Go (${{ steps.go_version.outputs.go_version }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ steps.go_version.outputs.go_version }} @@ -72,7 +72,7 @@ jobs: TELEMETRY_URL: ${{ secrets.TELEMETRY_URL }} - name: Upload binaries (darwin) - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: always() with: name: binaries-darwin 
@@ -84,21 +84,21 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set TAG_NAME in Environment # Subsequent jobs will be have the computed tag name run: echo "TAG_NAME=${GITHUB_REF##*/}" >> $GITHUB_ENV - name: Download release binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: binaries-* merge-multiple: true path: _release - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - name: Build and Deploy OPA Docker Images id: build-and-deploy diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 1f9d3927a7..6435940788 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -16,13 +16,13 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Generate run: make clean generate - name: Upload generated artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: generated path: | 
@@ -65,20 +65,20 @@ jobs: arch: arm64 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: go_version name: Read go version run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT - name: Install Go (${{ steps.go_version.outputs.go_version }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ steps.go_version.outputs.go_version }} if: matrix.os == 'darwin' - name: Download generated artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: generated @@ -89,14 +89,14 @@ jobs: timeout-minutes: 30 - name: Upload binaries - No Go tags - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ matrix.go_tags == '' }} with: name: binaries-${{ matrix.os }}-${{ matrix.arch }} path: _release - name: Upload binaries - Go tag variants - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 if: ${{ matrix.go_tags != '' && matrix.variant_name != '' }} with: name: binaries-variant-${{ matrix.os }}-${{ matrix.arch }}-${{ matrix.variant_name }} 
@@ -116,19 +116,19 @@ jobs: run: macos-14 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - id: go_version name: Read go version run: echo "go_version=$(cat .go-version)" >> $GITHUB_OUTPUT - name: Install Go (${{ steps.go_version.outputs.go_version }}) - uses: actions/setup-go@v5 + uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ steps.go_version.outputs.go_version }} - name: Download generated artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: generated @@ -141,7 +141,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Golang Style and Lint Check run: make check @@ -152,7 +152,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: YAML Style and Lint Check run: make check-yaml-tests @@ -166,10 +166,10 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Check PR for changes to Wasm - uses: dorny/paths-filter@v3 + uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2 id: changes with: filters: | @@ -184,7 +184,7 @@ jobs: - 'test/cases/**' - name: Download generated artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: generated if: steps.changes.outputs.wasm == 'true' 
@@ -207,10 +207,10 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Download generated artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: generated @@ -226,10 +226,10 @@ jobs: needs: generate steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Download generated artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: generated @@ -244,15 +244,15 @@ jobs: needs: go-build steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 with: platforms: arm64 - name: Download release binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: pattern: binaries-* merge-multiple: true @@ -298,10 +298,10 @@ jobs: steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Download release binaries - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: binaries-${{ matrix.os }}-${{ matrix.arch }} path: _release 
@@ -323,12 +323,12 @@ jobs: os: [ubuntu-22.04, macos-14] version: ["1.21"] steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Download generated artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 with: name: generated - - uses: actions/setup-go@v5 + - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 with: go-version: ${{ matrix.version }} - run: make build @@ -344,10 +344,10 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Download OPA - uses: open-policy-agent/setup-opa@v2 + uses: open-policy-agent/setup-opa@34a30e8a924d1b03ce2cf7abe97250bbb1f332b5 # v2.2.0 with: version: edge @@ -372,7 +372,7 @@ jobs: if: ${{ failure() }} - name: Setup Hugo - uses: peaceiris/actions-hugo@v3 + uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0 with: # keep this version in sync with the version in netlify.toml hugo-version: "0.113.0" diff --git a/wasm/Dockerfile b/wasm/Dockerfile index 8e382e5941..e26c4924dc 100644 --- a/wasm/Dockerfile +++ b/wasm/Dockerfile @@ -1,4 +1,4 @@ -FROM ubuntu:20.04 +FROM ubuntu:20.04@sha256:0b897358ff6624825fb50d20ffb605ab0eaea77ced0adb8c6a4b756513dec6fc ARG WABT_VERSION=1.0.24 ARG BINARYEN_VERSION=version_102
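Review bot: The digest on `FROM ubuntu:20.04@sha256:…` freezes the base image, which is the point, but it also means the wasm builder stops picking up Ubuntu security updates until someone bumps the digest by hand; the diffstat adds no updater config, so unless Dependabot's `docker` ecosystem or Renovate already covers `wasm/Dockerfile`, pair the pin with one, and say so on the line: `# digest-pinned: bump via automation — the 20.04 tag alone no longer tracks security updates`. Ubuntu 20.04 is also close to the end of its standard-support window, so the next bump should probably move to a newer release rather than just a newer digest. The `WABT_VERSION` and `BINARYEN_VERSION` ARGs are presumably consumed by downloads later in the file (outside this hunk); if those fetches are not checksum-verified they are the remaining unpinned inputs to this build.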