From aac8cfeea2fbe69ab060b761e935957409652c19 Mon Sep 17 00:00:00 2001
From: srinandan
Date: Fri, 8 Nov 2024 17:01:46 +0000
Subject: [PATCH] chore: fixes for ossf scorecard
---
 .devcontainer/Dockerfile | 13 ++++++++-----
 .github/workflows/codeql-analysis.yml | 10 +++++-----
 .github/workflows/gen-docs.yml | 22 ++++++++++++++--------
 .github/workflows/golangci-lint.yml | 10 +++++-----
 .github/workflows/gorelease-action.yml | 12 ++++++------
 Dockerfile | 4 ++--
 Dockerfile.cosign | 6 +++---
 Dockerfile.deploy | 5 ++---
 SECURITY.md | 4 ++++
 9 files changed, 49 insertions(+), 37 deletions(-)
 create mode 100644 SECURITY.md
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 7df9aee5..cee7ef34 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -12,17 +12,20 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM gcr.io/projectsigstore/cosign:latest as cosign
+FROM gcr.io/projectsigstore/cosign:latest@sha256:b03690aa52bfe94054187142fba24dc54137650682810633901767d8a3e15b31 AS cosign
-FROM mcr.microsoft.com/devcontainers/go:1-1.22-bookworm
+FROM mcr.microsoft.com/devcontainers/go:1.23-bookworm@@sha256:2e00578e7c526e76ebd51597260928d8542d27c17ffe6390d79200638c51a3e6
 COPY --from=cosign /ko-app/cosign /usr/bin
-RUN go install github.com/google/addlicense@latest
+#v1.1.1
+RUN go install github.com/google/addlicense@@dc31ac9ffcca99c9457226366135701794b128c0
-RUN go install github.com/google/go-licenses@latest
+# v1.6.0
+RUN go install github.com/google/go-licenses@5348b744d0983d85713295ea08a20cca1654a45e
-RUN go install mvdan.cc/gofumpt@latest
+# v0.7.0
+RUN go install mvdan.cc/gofumpt@86bffd62437a3c437c0b84d5d5ab244824e762fc
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.60.2
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 6c275ec8..a38b22e7 100644
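Review bot: Two of the new pins carry a doubled `@` and will not build: `FROM mcr.microsoft.com/devcontainers/go:1.23-bookworm@@sha256:…` is an invalid image reference for Docker, and `RUN go install github.com/google/addlicense@@dc31ac9f…` is not a valid module@version for `go install`; both need a single `@`. The `curl … | sh` context line below them is still unpinned at the script level — it fetches `install.sh` from golangci-lint's `master` branch even though the binary version is fixed to v1.60.2, so any change to that script runs unreviewed on every devcontainer build; pinning the script path to the tag (`…/golangci-lint/v1.60.2/install.sh`) or using `RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.60.2` keeps it consistent with the other pins. The cosign line would also benefit from a comment naming the release the `sha256:b03690aa…` digest was taken from, as the other three pins do, since a digest cannot be read back to a version when it is time to bump it.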
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,7 +24,7 @@
 # supported CodeQL languages.
 #
 name: "CodeQL"
-
+permissions: read-all
 on:
 push:
 branches: [ "main" ]
@@ -52,7 +52,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
@@ -62,11 +62,11 @@ jobs:
 # If you wish to specify custom queries, you can do so here or in a config file.
 # By default, queries listed here will override any specified in a config file.
 # Prefix the list here with "+" to use these queries and those in the config file.
-
+
 # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
 # queries: security-extended,security-and-quality
-
+
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
@@ -75,7 +75,7 @@ jobs:
 # ℹī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
 # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 # - run: |
diff --git a/.github/workflows/gen-docs.yml b/.github/workflows/gen-docs.yml
index 19600523..9db9f467 100644
--- a/.github/workflows/gen-docs.yml
+++ b/.github/workflows/gen-docs.yml
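Review bot: The workflow-level `permissions: read-all` added after `name: "CodeQL"` is both wider and narrower than this job needs: `read-all` grants read on every scope (issues, pull requests, packages, …) although the job only reads the checkout, while the results upload requires `security-events: write`, which no top-level read-only grant can supply — so unless a job-level `permissions:` block outside this hunk adds it, the analyze step will fail to upload. The least-privilege shape scorecard is looking for is `permissions:` / `  contents: read` at the top and `security-events: write` on the analyze job alone. If the job-level block already exists, a one-line comment next to the top-level grant saying that the job overrides it would save the next reader the same question.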
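Review bot: The pin comment `#v4` on the checkout step records only the major version, whereas the other pins in this commit record the exact release (`#v6.1.1`, `#v3.7.0`); Dependabot and Renovate rely on that comment to map a SHA back to a version, so it should read `uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 # v4.<exact tag the SHA came from>`. The `github/codeql-action/init`, `autobuild` and `analyze` steps fall outside this hunk; if they are still referenced by a floating tag they should be pinned the same way, as they are the steps that handle the scan results.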
@@ -16,10 +16,11 @@
 name: integrationcli Github Pages Pipeline
 on:
- push:
+ #push:
 # Publish semver tags as releases.
- tags:
- - v[0-9].[0-9]+.[0-9]
+ # tags:
+ # - v[0-9].[0-9]+.[0-9]
+ workflow_dispatch:
 jobs:
 publish-gh-pages:
@@ -27,15 +28,20 @@
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Code
- uses: actions/checkout@v3
- - uses: actions/setup-go@v3
+ uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5
 with:
 go-version-file: './go.mod'
 check-latest: true
 - name: Push GH Pages
 run: |
- git config --global user.name "integrationcli Publish Action"
- git config --global user.email "13950006+srinandan@users.noreply.github.com"
+ SHORT_SHA=$(git rev-parse --short $GITHUB_SHA)
+ git config pull.rebase false
+ git config --global user.name "$(git log -n 1 --pretty=format:%an)"
+ git config --global user.email "$(git log -n 1 --pretty=format:%ae)"
+
+ git pull origin main --allow-unrelated-histories
+ git checkout -b docs_$SHORT_SHA
 GOBIN=/tmp/ go install github.com/google/go-licenses@v1.0.0
 /tmp/go-licenses csv ./cmd/integrationcli > third-party-licenses.txt || echo "Ignore warnings"
@@ -47,4 +53,4 @@ jobs:
 go run docs/docs.go
 git add --all
 git commit -m "Update GH Pages - $GITHUB_SHA" || echo "No Changes in docs"
- git push origin HEAD:refs/heads/main
+ git push origin docs_$SHORT_SHA
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index 70330903..de6f86ba 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -13,6 +13,7 @@
 # limitations under the License.
 name: golangci-lint
+permissions: read-all
 on:
 push:
 branches:
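Review bot: This is the only workflow in the commit that gets no `permissions:` block, yet its push step (in the next hunk) needs write access to the repository, so it silently depends on the repository's default token permissions — which may be read-only and which scorecard's Token-Permissions check flags. Declare the grant where it is visible and minimal: `permissions:` / `  contents: write` either at the top of the file or on `publish-gh-pages` (the job header is the last line of this hunk; whether a job-level block already follows it is not visible here). Commenting out the `tags:` trigger in favour of `workflow_dispatch:` also means docs are no longer regenerated on a release, which deserves a one-line comment beside the commented-out filter explaining why.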
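Review bot: `git pull origin main --allow-unrelated-histories` in the new `run:` block is a blunt instrument: it merges `main` into whatever ref was checked out even when the two share no history, which should never be necessary when the workflow is dispatched from `main`, and it masks a misconfigured trigger instead of failing. `git fetch origin main && git checkout -b docs_$SHORT_SHA origin/main` (or dropping the pull entirely) does what the step appears to want without that escape hatch. The context line `GOBIN=/tmp/ go install github.com/google/go-licenses@v1.0.0` is still pinned to a mutable tag while `.devcontainer/Dockerfile` in this same commit pins go-licenses to a commit SHA (v1.6.0); the two should agree. Deriving the committer identity from `git log -n 1` is fine but attributes every docs commit to the author of the triggering commit, which is worth a comment so it is not mistaken for a bug later.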
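Review bot: `git push origin docs_$SHORT_SHA` creates a fresh branch on every run, but nothing in the workflow opens a pull request or cleans old branches up, so the regenerated docs never reach `main` without manual work and the branch list grows unbounded. If review-before-merge is the intent, follow the push with `gh pr create --base main --head docs_$SHORT_SHA --fill` (which needs `pull-requests: write` on top of `contents: write`); otherwise push to one fixed branch. The enclosing `run:` block starts in the previous hunk.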
@@ -20,20 +21,19 @@ on:
 pull_request:
 branches:
 - '**'
-permissions:
- contents: read
+
 jobs:
 golangci:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5
 with:
 go-version: '1.20'
 cache: false
- - uses: actions/checkout@v3
+ - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 #v6.1.1
 with:
 version: latest
 args: --timeout=4m
diff --git a/.github/workflows/gorelease-action.yml b/.github/workflows/gorelease-action.yml
index b51acfb2..424e864d 100644
--- a/.github/workflows/gorelease-action.yml
+++ b/.github/workflows/gorelease-action.yml
@@ -13,7 +13,7 @@
 # limitations under the License.
 name: integrationcli-release
-
+permissions: read-all
 on:
 push:
 # Publish semver tags as releases.
@@ -29,8 +29,8 @@
 goreleaser:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-go@v3
+ - uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5
 with:
 go-version-file: './go.mod'
 check-latest: true
@@ -43,10 +43,10 @@
 - name: Write private key to disk
 run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > /tmp/cosign.key
- - uses: sigstore/cosign-installer@main
+ - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0
 - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v6
+ uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 #v6
 with:
 distribution: goreleaser
 version: latest
@@ -56,7 +56,7 @@
 GITHUB_TOKEN: ${{ secrets.TOKEN }}
 - name: Upload assets
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
 with:
 name: integrationcli
 path: dist/*
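Review bot: Removing the old `permissions:` / `  contents: read` block in favour of the `permissions: read-all` added in the previous hunk widens the token rather than narrowing it — `read-all` grants read on every scope (issues, pull requests, packages, …) while a lint job only needs to read the checkout — so the original `contents: read` should be kept. `version: latest` on the golangci-lint-action step means the linter binary is still unpinned even though the action SHA now is, and it diverges from the v1.60.2 fixed in `.devcontainer/Dockerfile`; `version: v1.60.2` makes the two agree. `go-version: '1.20'` is also hard-coded here while the other workflows use `go-version-file: './go.mod'` and the images now build with Go 1.23, so the toolchain linting the code may not be the one declared by the module — switching to the same `go-version-file` form removes that drift.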
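Review bot: `version: latest` under the GoReleaser step leaves the release tool itself unpinned, so the binaries and signatures this job publishes depend on whichever GoReleaser build is current that day even though the action SHA is now fixed; pin it, e.g. `version: '~> v2'` or an exact release. The context line `run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > /tmp/cosign.key` leaves the signing key on disk in plaintext for the rest of the job; cosign can read it straight from the environment with `--key env://COSIGN_PRIVATE_KEY`, which avoids the file entirely if the `.goreleaser` signing config (not visible here) can be adjusted. The `#v6` comment on goreleaser-action should also record the exact tag the SHA came from, as the cosign-installer pin in this hunk does.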
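Review bot: Pinning `actions/upload-artifact` to a v3 commit (`# v3.pre.node20`) fixes the SHA but not the real problem: the v3 line of the artifact actions is deprecated upstream with an announced shutdown, so this step will start failing regardless of the pin. Move to a v4 release and pin that SHA with the full tag in the comment, as the other pins in this commit do; v4 rejects re-uploading the same artifact name within one run, which should not affect this single `name: integrationcli` upload but is worth checking against the rest of the job.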
diff --git a/Dockerfile b/Dockerfile
index 6d66c293..e42f5d86 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM golang:1.21 as builder
+FROM golang:1.23.2@sha256:a7f2fc9834049c1f5df787690026a53738e55fc097cd8a4a93faa3e06c67ee32 AS builder
 ARG TAG
 ARG COMMIT
@@ -29,7 +29,7 @@ RUN go mod download
 RUN date +%FT%H:%I:%M+%Z > /tmp/date
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -buildvcs=true -a -gcflags='all="-l"' -ldflags='-s -w -extldflags "-static" -X main.version='${TAG}' -X main.commit='${COMMIT}' -X main.date='$(cat /tmp/date) -o /go/bin/integrationcli /go/src/integrationcli/cmd/integrationcli/integrationcli.go
-FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest as jq
+FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest@sha256:d3a1c8a88f9223eab96bda760efab08290d274249581d2db6db010cbe20c232b AS jq
 # use debug because it includes busybox
 FROM gcr.io/distroless/static-debian11:debug-nonroot
diff --git a/Dockerfile.cosign b/Dockerfile.cosign
index 5aa310f7..675cba77 100644
--- a/Dockerfile.cosign
+++ b/Dockerfile.cosign
@@ -14,8 +14,8 @@
 #Usage: https://github.com/sigstore/cosign#dockerfile
-FROM gcr.io/projectsigstore/cosign:latest as cosign
+FROM gcr.io/projectsigstore/cosign:latest@sha256:b03690aa52bfe94054187142fba24dc54137650682810633901767d8a3e15b31 AS cosign
-FROM gcr.io/distroless/static-debian11:debug
-COPY --from=cosign /ko-app/cosign /usr/bin
\ No newline at end of file
+FROM gcr.io/distroless/static-debian11:debug-nonroot@sha256:55716e80a7d4320ce9bc2dc8636fc193b418638041b817cf3306696bd0f975d1
+COPY --from=cosign /ko-app/cosign /usr/bin
diff --git a/Dockerfile.deploy b/Dockerfile.deploy
index 4bf9947a..9656cac4 100644
--- a/Dockerfile.deploy
+++ b/Dockerfile.deploy
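Review bot: The final runtime stage, `FROM gcr.io/distroless/static-debian11:debug-nonroot` (the last context line of this hunk), is the one image in this file still on a floating tag after the builder and jq stages were pinned, and it is the layer that actually ships; `Dockerfile.cosign` in this same commit pins exactly that tag, so the digest can be reused here as `FROM gcr.io/distroless/static-debian11:debug-nonroot@sha256:55716e80a7d4320ce9bc2dc8636fc193b418638041b817cf3306696bd0f975d1`. The `:debug` variant keeps a busybox shell in the production image; the comment above it says only that busybox is wanted, and recording which runtime feature needs it would stop a later reviewer from dropping it — or, if only `jq` is needed, the binary could be copied from the jq stage into the plain `nonroot` image instead.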
@@ -11,8 +11,7 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
-FROM golang:1.21 as builder
+FROM golang:1.23.2@sha256:a7f2fc9834049c1f5df787690026a53738e55fc097cd8a4a93faa3e06c67ee32 AS builder
 ARG TAG
 ARG COMMIT
@@ -29,7 +28,7 @@ RUN go mod download
 RUN date +%FT%H:%I:%M+%Z > /tmp/date
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -buildvcs=true -a -gcflags='all="-l"' -ldflags='-s -w -extldflags "-static" -X main.version='${TAG}' -X main.commit='${COMMIT}' -X main.date='$(cat /tmp/date) -o /go/bin/integrationcli /go/src/integrationcli/cmd/integrationcli/integrationcli.go
-FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest as jq
+FROM us-docker.pkg.dev/appintegration-toolkit/internal/jq:latest@sha256:d3a1c8a88f9223eab96bda760efab08290d274249581d2db6db010cbe20c232b AS jq
 FROM alpine:latest
 LABEL org.opencontainers.image.url='https://github.com/GoogleCloudPlatform/application-integration-management-toolkit' \
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..4648e5e3
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,4 @@
+To report a security issue, please use [https://g.co/vulnz](https://g.co/vulnz).
+We use g.co/vulnz for our intake, and do coordination and disclosure here on
+GitHub (including using GitHub Security Advisory). The Google Security Team will
+respond within 5 working days of your report on g.co/vulnz.
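Review bot: `FROM alpine:latest` for the runtime stage is still a floating tag after the builder and jq stages were pinned, so the deployed image's base can change underneath an unchanged Dockerfile and the scorecard pinned-dependencies check will keep flagging this file; pin it to a release and digest, e.g. `FROM alpine:3.20@sha256:<digest of that tag>`. Since the build stage already produces a fully static binary (`CGO_ENABLED=0 … -extldflags "-static"`), it is worth asking whether this image needs alpine at all or could use the same distroless `nonroot` base as `Dockerfile`, which would also drop the shell and package manager from what is shipped. The `LABEL` instruction continues past the end of this hunk.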