Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

*: new workflow org-codeql #490

Closed
wants to merge 7 commits into from
Closed

*: new workflow org-codeql #490

wants to merge 7 commits into from

Conversation

thypon
Copy link
Member

@thypon thypon commented Jan 18, 2024

No description provided.

@thypon thypon force-pushed the features/refactor-codeql-out branch 21 times, most recently from 211fdce to edcf87f Compare January 19, 2024 00:23
@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@thypon thypon force-pushed the features/refactor-codeql-out branch 2 times, most recently from 1d7be7e to d52e2e7 Compare January 19, 2024 00:38
@thypon thypon force-pushed the features/refactor-codeql-out branch from d52e2e7 to 2d01480 Compare January 19, 2024 00:44
@github-actions GitHub Actions
Copy link

[puLL-Merge] - brave/security-action@490

Description

This pull request introduces several changes and additions to the GitHub Actions workflows, as well as creating new files for handling configurations and properties. It seems to cater to code quality and security automation tasks.

Changes

Changes

Updated Workflow Files:

  • .github/workflows/add-maintainer-custom-property.yml
  • .github/workflows/dependabot-auto-dismiss.yml
  • .github/workflows/dependabot-nudge.yml
  • .github/workflows/mirror.yml
  • .github/workflows/older-than-2y.yml

Renamed Workflow Files:

  • .github/workflows/full-loop.yml -> .github/workflows/full-loop-reviewdog-test.yml
  • .github/workflows/loop.yml -> .github/workflows/loop-reviewdog-test.yml

New Files:

  • .github/workflows/org-codeql.yml: Introduces a new workflow presumably to run CodeQL analysis.
  • action.yml: Main action configuration file, the name has been updated to 'Security Action (legacy)', and a few parameters have changed.
  • actions/codeql/action.yml: New action configuration for running CodeQL analysis.
  • actions/reviewdog/action.yml: New action configuration for integrating reviewdog with GitHub actions.
  • src/getConfig.js: New JavaScript module responsible for fetching custom configuration from a repository file.
  • src/getProperties.js: New JavaScript module for fetching custom properties values from a repository.

Security Hotspots

  • Secret Leakage Risk: Make sure the secrets used across action workflows are stored securely and have appropriate access control. For example, CUSTOM_PROPERTY_MANAGER_GITHUB_TOKEN and HOTSPOTS_SLACK_TOKEN should be checked for proper scopes and access limitations.
  • Code Injection Risk in Action Steps: The inclusion of ${{ github.workspace }} in scripts could lead to command injection if workspace names are not properly sanitized or come from untrusted sources.
  • ReviewDog Token Exposure: The REVIEWDOG_GITHUB_API_TOKEN is used in workflows to post comments, ensure this token has limited scope and is stored securely.
  • CodeQL Configurations: The codeql-config.yml path and the codeql_enabled flag might affect the security checks. Analysis should ensure these configurations are in place and correct.

Please make sure to test all changes thoroughly, especially since some of the scripts involve dynamic JavaScript import statements and access properties that may have implications on repository access control and workflow triggers.

github-actions[bot]
github-actions bot reviewed Jan 19, 2024
View reviewed changes
action.yml
pip_audit_pypi_index_url: ${{ inputs.pip_audit_pypi_index_url }}
pip_audit_pypi_insecure_hosts: ${{ inputs.pip_audit_pypi_insecure_hosts }}
gh_to_slack_user_map: ${{ inputs.gh_to_slack_user_map }}
- uses: ${{ github.action_path }}/actions/codeql
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml


Cc @thypon @bcaller

github-actions[bot]
github-actions bot reviewed Jan 19, 2024
View reviewed changes
action.yml Outdated
labels: needs-security-review
- uses: actions-ecosystem/action-add-assignees@a5b84af721c4a621eb9c7a4a95ec20a90d0b88e9 # v1.0.1
if: ${{ steps.reviewdog-enabled-pr.outputs.result == 'true' && steps.should-trigger.outputs.result == 'true' }}
- uses: ${{ github.action_path }}/actions/reviewdog
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml


Cc @thypon @bcaller

github-actions[bot]
github-actions bot reviewed Jan 19, 2024
View reviewed changes
action.yml Outdated
pip_audit_pypi_index_url: ${{ inputs.pip_audit_pypi_index_url }}
pip_audit_pypi_insecure_hosts: ${{ inputs.pip_audit_pypi_insecure_hosts }}
gh_to_slack_user_map: ${{ inputs.gh_to_slack_user_map }}
- uses: ${{ github.action_path }}/actions/unverified-commits
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml


Cc @thypon @bcaller

@thypon thypon requested a review from a team as a code owner May 13, 2024 15:50
@thypon thypon closed this Jun 7, 2024
@thypon thypon deleted the features/refactor-codeql-out branch June 7, 2024 23:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

Assignees

@thypon thypon

@bcaller bcaller

Labels
needs-security-review puLL-Merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thypon @bcaller