Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apply some security hardening, as recommended by OSSF scorecard #595

Merged
merged 1 commit into from
Dec 6, 2024
Merged

Apply some security hardening, as recommended by OSSF scorecard #595

merged 1 commit into from
Dec 6, 2024

Conversation

NWilson
Copy link
Member

@NWilson NWilson commented Dec 4, 2024

  • Use hashes to pin versions of third-party Actions used in CI
  • Use GitHub's dependabot to do a monthly update of the Actions
  • Restrict all Workflows to use a read-only token (except for the steps which need to upload a SARIF file)

@zherczeg
Copy link
Collaborator

zherczeg commented Dec 6, 2024

Will this make our life easier or more difficult? Is this needed for CI security, or what is the actual gain here?

@NWilson
Copy link
Member Author

NWilson commented Dec 6, 2024

It's needed for CI security. As it stands, we depend on some third party github actions, and if someone pushed malicious code to those repos, they would be able to perform pretty much arbitrary actions on our PCRE2 repo, the next time CI runs.

It should be much more locked down.

@NWilson
Copy link
Member Author

NWilson commented Dec 6, 2024

These changes won't make our life more difficult (nor any easier).

@zherczeg
Copy link
Collaborator

zherczeg commented Dec 6, 2024

This is disturbing. Can a CI write the repository in any way? Where can I disable that?

@NWilson
Copy link
Member Author

NWilson commented Dec 6, 2024

Yes, sadly. The GitHub Actions have a very permissive token by default - a CI job can happily check out the code, make some changes, and push them to the master branch (and even rewrite history on master). The token that's used by the git checkout job can happily push code too.

And worse, it can even perform other actions on the GitHub organisation using the HTTP API (or GitHub CLI).

Adding permissions: contents: read locks down the runner to only have read access to the "contents" (code and issues) of the repo.

@zherczeg
Copy link
Collaborator

zherczeg commented Dec 6, 2024

Thank you for the explanation.

I found this in Settings/Actions/General

Workflow permissions

Choose the default permissions granted to the GITHUB_TOKEN when running workflows in this repository. You can specify more granular permissions in the workflow using YAML. Learn more about managing permissions.

Read and write permissions
Workflows have read and write permissions in the repository for all scopes.

Read repository contents and packages permissions
Workflows have read permissions in the repository for the contents and packages scopes only.

@PhilipHazel may I change this to read-only? Honestly, I am shocked that writing is the default.

@PhilipHazel
Copy link
Collaborator

Yes, yes, do go ahead. I too am a bit shocked.

@zherczeg
Copy link
Collaborator

zherczeg commented Dec 6, 2024

Config updated. Back to the patch, I am neutral, we can land it. Security is not my strength.

@NWilson NWilson merged commit 52182ef into PCRE2Project:master Dec 6, 2024
21 checks passed
@NWilson NWilson deleted the user/niwilson/hardening branch December 6, 2024 15:35
@NWilson
Copy link
Member Author

NWilson commented Dec 6, 2024

I've broken the Scorecard scanning - because it's designed to run on master but not on PRs! So it wasn't really possible to discover problems before merging. Hmm.

I'll sort it out, don't worry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@NWilson @zherczeg @PhilipHazel