diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f95c41da81..6ba56b7bd1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -10,6 +10,9 @@ on: - v[0-9]+.x pull_request: +permissions: + contents: read + # The CI runs on ubuntu-24.04; More info about the installed software is found here: # https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md @@ -34,10 +37,10 @@ jobs: name: "Unit Test | Node.js Scanner Test Helpers" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Install bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 - name: Install dependencies working-directory: tests/integration @@ -50,7 +53,7 @@ jobs: name: "Setup Kind & Kubectl & Helm & Task" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Install Kind run: | @@ -75,25 +78,25 @@ jobs: chmod +x ./task - name: Archive Kind - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: kind path: ./kind - name: Archive Kubectl - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: kubectl path: ./kubectl - name: Archive Helm - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: helm path: ./linux-amd64/helm - name: Archive Task - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: task path: ./task @@ -108,9 +111,9 @@ jobs: needs: - k8s-setup steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Download Helm - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: helm path: ./helm @@ -128,7 +131,7 @@ jobs: helm plugin install https://github.com/helm-unittest/helm-unittest.git --version ${{ env.HELM_PLUGIN_UNITTEST_VERSION }} - name: Download Task - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: task path: ./task @@ -147,24 +150,24 @@ jobs: matrix: unit: ["persistence-defectdojo"] steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - name: Set up JDK 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4 with: distribution: "temurin" # required Java distribution java-version: "17" # The JDK version to make available on the path. java-package: jdk # (jre, jdk, or jdk+fx) - defaults to jdk architecture: x64 # (x64 or x86) - defaults to x64 - name: Cache SonarCloud packages - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar restore-keys: ${{ runner.os }}-sonar - name: Cache Gradle packages - uses: actions/cache@v4 + uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4 with: path: ~/.gradle/caches key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }} @@ -188,10 +191,10 @@ jobs: component: ["operator", "lurker"] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Go Setup - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 with: go-version-file: 'operator/go.mod' @@ -214,7 +217,7 @@ jobs: run: make docker-export-${{ matrix.component }} - name: Upload Image As Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ matrix.component }}-image path: ./operator/${{ matrix.component }}.tar @@ -227,10 +230,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Go Setup - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 with: go-version-file: 'auto-discovery/kubernetes/go.mod' @@ -253,7 +256,7 @@ jobs: run: make docker-export - name: Upload Image As Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: auto-discovery-image path: ./auto-discovery/kubernetes/auto-discovery-kubernetes.tar @@ -267,27 +270,27 @@ jobs: - k8s-setup steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Setup Python Version - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "${{ env.PYTHON_VERSION }}" - name: Download Kind - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: kind path: ./kind - name: Download Kubectl - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: kubectl path: ./kubectl - name: Download Helm - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: helm path: ./helm @@ -317,7 +320,7 @@ jobs: run: make docker-export - name: Upload Image As Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: auto-discovery-pull-secret-extractor path: ./auto-discovery/kubernetes/pull-secret-extractor/auto-discovery-secret-extractor.tar @@ -344,10 +347,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Go Setup - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 with: go-version-file: 'auto-discovery/cloud-aws/go.mod' @@ -370,7 +373,7 @@ jobs: run: make docker-export - name: Upload Image As Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: auto-discovery-cloud-aws-image path: ./auto-discovery/cloud-aws/auto-discovery-cloud-aws.tar @@ -388,7 +391,7 @@ jobs: - hook-sdk steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Build Image working-directory: ./${{ matrix.sdk }}/nodejs @@ -399,7 +402,7 @@ jobs: run: make docker-export-sdk - name: Upload Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ matrix.sdk }}-image path: ./${{ matrix.sdk }}/nodejs/${{ matrix.sdk }}.tar @@ -438,13 +441,13 @@ jobs: - zap-automation-framework steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Install bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 - name: Download Task - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: task path: ./task @@ -454,19 +457,19 @@ jobs: chmod +x ./task/task && sudo mv ./task/task /usr/local/bin/task - name: Download Kind - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: kind path: ./kind - name: Download Kubectl - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: kubectl path: ./kubectl - name: Download Helm - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: helm path: ./helm @@ -488,7 +491,7 @@ jobs: run: task test:unit - name: Download Parser SDK Image - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: parser-sdk-image path: /tmp @@ -499,7 +502,7 @@ jobs: docker images | grep sdk - name: Download Operator Image - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: operator-image path: ./operator @@ -510,7 +513,7 @@ jobs: docker images | grep operator - name: Download Lurker Image - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: lurker-image path: ./operator @@ -591,13 +594,13 @@ jobs: # - persistence-static-report (WIP) steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Install bun - uses: oven-sh/setup-bun@v2 + uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2 - name: Download Task - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: task path: ./task @@ -607,19 +610,19 @@ jobs: chmod +x ./task/task && sudo mv ./task/task /usr/local/bin/task - name: Download Kind - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: kind path: ./kind - name: Download Kubectl - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: kubectl path: ./kubectl - name: Download Helm - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: helm path: ./helm @@ -641,7 +644,7 @@ jobs: run: task test:unit - name: Download Parser SDK Image - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: hook-sdk-image path: /tmp @@ -652,7 +655,7 @@ jobs: docker images | grep sdk - name: Download Operator Image - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: operator-image path: ./operator @@ -663,7 +666,7 @@ jobs: docker images | grep operator - name: Download Lurker Image - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: lurker-image path: ./operator @@ -725,10 +728,10 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5 with: go-version-file: 'scbctl/go.mod' diff --git a/.github/workflows/documentation-roulette.yaml b/.github/workflows/documentation-roulette.yaml index a90057b716..8b86bf32d9 100644 --- a/.github/workflows/documentation-roulette.yaml +++ b/.github/workflows/documentation-roulette.yaml @@ -9,6 +9,10 @@ on: schedule: - cron: "0 12 15 * *" # At 12:00 UTC on day-of-month 15 +permissions: + contents: read + issues: write + jobs: docu-roulette: permissions: @@ -17,7 +21,7 @@ jobs: if: github.repository == 'secureCodeBox/secureCodeBox' steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 # Request team members with the GitHub API using their gh cli - name: Fetch core-team members @@ -38,7 +42,7 @@ jobs: echo "MEMBER=${MEMBERS[$index]}" >> $GITHUB_ENV # Create issue and insert chosen member ({{ env.MEMBER}} in template) - - uses: JasonEtco/create-an-issue@v2 + - uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/helm-charts-release-ghcr.yaml b/.github/workflows/helm-charts-release-ghcr.yaml index b6690c2ae6..3f04f97ddb 100644 --- a/.github/workflows/helm-charts-release-ghcr.yaml +++ b/.github/workflows/helm-charts-release-ghcr.yaml @@ -7,6 +7,11 @@ on: types: [published] name: "Publish Helm Charts to GHCR" + +permissions: + contents: read + packages: write + env: CONTAINER_REGISTRY: ghcr.io/securecodebox HELM_VERSION: "v3.12.2" @@ -14,11 +19,8 @@ jobs: GHCR-Helm-Release: name: "Publish Helm Charts to GHCR" runs-on: ubuntu-24.04 - permissions: - contents: read - packages: write steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Parse Release Version run: | diff --git a/.github/workflows/helm-charts-release.yaml b/.github/workflows/helm-charts-release.yaml index a82b6e254f..d3326b7d77 100644 --- a/.github/workflows/helm-charts-release.yaml +++ b/.github/workflows/helm-charts-release.yaml @@ -9,12 +9,16 @@ on: release: types: [published] name: "Publish Helm Charts" + +permissions: + contents: read + jobs: helm: name: Package and Publish runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: "Install yq" run: | sudo snap install yq diff --git a/.github/workflows/helm-docs.yaml b/.github/workflows/helm-docs.yaml index 40186ca986..e3992660ca 100644 --- a/.github/workflows/helm-docs.yaml +++ b/.github/workflows/helm-docs.yaml @@ -11,18 +11,22 @@ on: push: branches: - main + +permissions: + contents: write + jobs: helm-docs: runs-on: ubuntu-24.04 if: github.repository == 'secureCodeBox/secureCodeBox' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: ref: ${{ github.head_ref }} token: ${{ secrets.SCB_BOT_USER_TOKEN }} - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 with: gpg_private_key: ${{ secrets.GPG_COMMITS_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_COMMITS_PASSPHRASE }} diff --git a/.github/workflows/label-commenter.yml b/.github/workflows/label-commenter.yml index b683271843..2a0078398b 100644 --- a/.github/workflows/label-commenter.yml +++ b/.github/workflows/label-commenter.yml @@ -19,11 +19,8 @@ jobs: comment: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Label Commenter - uses: peaceiris/actions-label-commenter@v1.10.0 + uses: peaceiris/actions-label-commenter@f0dbbef043eb1b150b566db36b0bdc8b7f505579 # v1.10.0 with: github_token: ${{ secrets.SCB_BOT_USER_TOKEN }} - - - \ No newline at end of file diff --git a/.github/workflows/license-check.yaml b/.github/workflows/license-check.yaml index 01c899daec..0b2d995cb5 100644 --- a/.github/workflows/license-check.yaml +++ b/.github/workflows/license-check.yaml @@ -10,15 +10,18 @@ on: - v[0-9]+.x pull_request: +permissions: + contents: read + jobs: license-check: runs-on: ubuntu-24.04 if: github.repository == 'secureCodeBox/secureCodeBox' steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: REUSE Compliance Check - uses: fsfe/reuse-action@v5 + uses: fsfe/reuse-action@bb774aa972c2a89ff34781233d275075cbddf542 # v5 with: args: --include-submodules lint diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml index 1e3b3b7926..1d9c6b6e0c 100644 --- a/.github/workflows/mega-linter.yml +++ b/.github/workflows/mega-linter.yml @@ -16,6 +16,9 @@ on: pull_request: branches: [master, main] +permissions: + contents: read + env: # Comment env block if you do not want to apply fixes # Apply linter fixes configuration APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) @@ -33,7 +36,7 @@ jobs: steps: # Git Checkout - name: Checkout Code - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 with: token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }} fetch-depth: 0 @@ -43,7 +46,7 @@ jobs: id: ml # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.github.io/flavors/ - uses: oxsecurity/megalinter@v8 + uses: oxsecurity/megalinter@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8 env: # All available variables are described in documentation # https://megalinter.github.io/configuration/ @@ -54,7 +57,7 @@ jobs: # Upload MegaLinter artifacts - name: Archive production artifacts if: ${{ success() }} || ${{ failure() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: MegaLinter reports path: | diff --git a/.github/workflows/move-bot-pr-to-review.yaml b/.github/workflows/move-bot-pr-to-review.yaml index 40790abcf5..688edcf0ff 100644 --- a/.github/workflows/move-bot-pr-to-review.yaml +++ b/.github/workflows/move-bot-pr-to-review.yaml @@ -9,13 +9,17 @@ on: branches: - main +permissions: + contents: read + pull-requests: write + jobs: move-bot-pr-to-review: runs-on: ubuntu-24.04 # only run if the branch starts with 'dependabot/' or 'dependencies/upgrading' if: startsWith(github.head_ref, 'dependabot/') || startsWith(github.head_ref, 'dependencies/upgrading') steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Add bot PR to project run: | diff --git a/.github/workflows/release-build.yaml b/.github/workflows/release-build.yaml index 8a364b8576..dfa6713e6b 100644 --- a/.github/workflows/release-build.yaml +++ b/.github/workflows/release-build.yaml @@ -10,6 +10,9 @@ on: release: types: [published] +permissions: + contents: read + env: # ---- Docker Namespace ---- @@ -28,11 +31,11 @@ jobs: component: ["operator", "lurker"] steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.component }} tags: | @@ -40,18 +43,18 @@ jobs: type=semver,pattern={{version}} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./${{ matrix.component }} file: ./${{ matrix.component }}/Dockerfile @@ -61,7 +64,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -75,11 +78,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-kubernetes tags: | @@ -87,18 +90,18 @@ jobs: type=semver,pattern={{version}} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./auto-discovery/kubernetes/ file: ./auto-discovery/kubernetes/Dockerfile @@ -108,7 +111,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -122,11 +125,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/auto-discovery-pull-secret-extractor tags: | @@ -134,18 +137,18 @@ jobs: type=semver,pattern={{version}} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./auto-discovery/kubernetes/pull-secret-extractor file: ./auto-discovery/kubernetes/pull-secret-extractor/Dockerfile @@ -155,7 +158,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -175,11 +178,11 @@ jobs: - hook-sdk steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/${{ matrix.sdk }}-nodejs tags: | @@ -187,18 +190,18 @@ jobs: type=semver,pattern={{version}} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./${{ matrix.sdk }}/nodejs file: ./${{ matrix.sdk }}/nodejs/Dockerfile @@ -228,11 +231,11 @@ jobs: - update-field-hook steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/hook-${{ matrix.hook }} tags: | @@ -240,12 +243,12 @@ jobs: type=semver,pattern={{version}} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -255,7 +258,7 @@ jobs: echo "baseImageTag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./hooks/${{ matrix.hook }}/hook file: ./hooks/${{ matrix.hook }}/hook/Dockerfile @@ -268,7 +271,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -282,11 +285,11 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/persistence-elastic-dashboard-importer tags: | @@ -294,16 +297,16 @@ jobs: type=semver,pattern={{version}} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./hooks/persistence-elastic/dashboard-importer/ file: ./hooks/persistence-elastic/dashboard-importer/Dockerfile @@ -344,11 +347,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/parser-${{ matrix.parser }} tags: | @@ -356,12 +359,12 @@ jobs: type=semver,pattern={{version}} - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -371,7 +374,7 @@ jobs: echo "baseImageTag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./scanners/${{ matrix.parser }}/parser file: ./scanners/${{ matrix.parser }}/parser/Dockerfile @@ -384,7 +387,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -419,10 +422,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Set ENV Var with Scanner Version - uses: mikefarah/yq@v4.47.1 + uses: mikefarah/yq@f03c9dc599c37bfcaf533427211d05e51e6fee64 # v4.47.1 # Notice: The current version of the scanner is provided via the Chart.yaml to ensure # there is only one place to edit the version of a scanner with: @@ -430,13 +433,13 @@ jobs: # extract the supported cpu architectures from the Chart.yaml - name: Set ENV Var with Supported Platforms - uses: mikefarah/yq@v4.47.1 + uses: mikefarah/yq@f03c9dc599c37bfcaf533427211d05e51e6fee64 # v4.47.1 with: cmd: echo supportedPlatforms=$(yq e .annotations.supported-platforms scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }} tags: | @@ -444,16 +447,16 @@ jobs: ${{ env.scannerVersion }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./scanners/${{ matrix.scanner }}/scanner file: ./scanners/${{ matrix.scanner }}/scanner/Dockerfile @@ -465,7 +468,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -489,11 +492,11 @@ jobs: - test-scan steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/scanner-${{ matrix.scanner }} tags: | @@ -501,10 +504,10 @@ jobs: type=semver,pattern={{version}} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -514,7 +517,7 @@ jobs: echo "baseImageTag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_ENV - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./scanners/${{ matrix.scanner }}/scanner file: ./scanners/${{ matrix.scanner }}/scanner/Dockerfile @@ -526,7 +529,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} @@ -549,10 +552,10 @@ jobs: - old-wordpress steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Set ENV Var with Demo-Target Version - uses: mikefarah/yq@v4.47.1 + uses: mikefarah/yq@f03c9dc599c37bfcaf533427211d05e51e6fee64 # v4.47.1 # Notice: The current version of the demo-target is provided via the Chart.yaml to ensure # there is only one place to edit the version of a scanner with: @@ -560,7 +563,7 @@ jobs: - name: Docker Meta id: docker_meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5 with: images: ${{ env.DOCKER_NAMESPACE }}/demo-target-${{ matrix.target }} tags: | @@ -569,16 +572,16 @@ jobs: ${{ env.targetVersion }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 - name: Login to DockerHub - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} - name: Build and Push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 with: context: ./demo-targets/${{ matrix.target }}/container file: ./demo-targets/${{ matrix.target }}/container/Dockerfile @@ -588,7 +591,7 @@ jobs: labels: ${{ steps.docker_meta.outputs.labels }} - name: Update Docker Hub Description - uses: peter-evans/dockerhub-description@v4 + uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_TOKEN }} diff --git a/.github/workflows/scb-bot.yaml b/.github/workflows/scb-bot.yaml index b744714f04..36f5f6e2ad 100644 --- a/.github/workflows/scb-bot.yaml +++ b/.github/workflows/scb-bot.yaml @@ -18,6 +18,11 @@ name: Check outdated scanners on: schedule: - cron: "15 9 * * *" # Daily at 9:15 (avoids the beginning of the hour congestion) + +permissions: + contents: write + pull-requests: write + jobs: version-compare: runs-on: ubuntu-24.04 @@ -43,10 +48,10 @@ jobs: - zap-automation-framework # missing scanners are : nmap, nikto steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@v6 + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6 with: gpg_private_key: ${{ secrets.GPG_COMMITS_PRIVATE_KEY }} passphrase: ${{ secrets.GPG_COMMITS_PASSPHRASE }} @@ -56,14 +61,14 @@ jobs: # Fetching scanner version from local chart .appVersion attribute # this would look like 1.1.1 or v1.1.1 depending on the corresponding Docker image tag - name: Fetch local scanner version - uses: mikefarah/yq@v4.47.1 + uses: mikefarah/yq@f03c9dc599c37bfcaf533427211d05e51e6fee64 # v4.47.1 with: cmd: echo local=$(yq e .appVersion scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV # Fetching scanner version API from local chart .annotations.versionApi attribute # This would look like https://api.github.com/repos/projectdiscovery/nuclei/releases/latest - name: Fetch scanner's version API - uses: mikefarah/yq@v4.47.1 + uses: mikefarah/yq@f03c9dc599c37bfcaf533427211d05e51e6fee64 # v4.47.1 with: cmd: echo versionApi=$(yq e .annotations.versionApi scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV @@ -138,7 +143,7 @@ jobs: - name: Upgrade Scanner Helm Chart if: ${{ env.release != env.local && env.prExists == 0 && env.release != null}} - uses: mikefarah/yq@v4.47.1 + uses: mikefarah/yq@f03c9dc599c37bfcaf533427211d05e51e6fee64 # v4.47.1 with: # appVersion value in chart is replaced with release value. Empty lines are deleted in the process cmd: yq e --inplace '.appVersion = "${{env.release}}"' ./scanners/${{ matrix.scanner }}/Chart.yaml @@ -184,7 +189,7 @@ jobs: - name: Create Pull Request if: ${{ env.release != env.local && env.prExists == 0 && env.release != null }} - uses: peter-evans/create-pull-request@v7 + uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7 with: token: ${{ secrets.SCB_BOT_USER_TOKEN }} committer: secureCodeBoxBot