
Update step-security/harden-runner configuration #1271

Merged
merged 3 commits into from
Aug 5, 2024

Conversation

Stephan202
Member

@Stephan202 Stephan202 commented Aug 5, 2024

Suggested commit message:

Update `step-security/harden-runner` configuration (#1271)

While apparently the build doesn't fail without this, it is reasonable
for SonarCloud analysis to access the two additional domains.

While there, introduce subdomain wildcards for `sigstore.dev` and
`sonarcloud.io`.

Example runs that attempted to access these domains:

@Stephan202 Stephan202 added the chore A task not related to code (build, formatting, process, ...) label Aug 5, 2024
@Stephan202 Stephan202 added this to the 0.18.0 milestone Aug 5, 2024

github-actions bot commented Aug 5, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

@Stephan202
Member Author

I'll add a commit to add some wildcards, based on the feedback in #1246 (comment).

@Stephan202 Stephan202 force-pushed the sschroevers/update-security-harden-config branch from af1579a to 87f6de4 Compare August 5, 2024 06:38
@Stephan202
Member Author

Rebased and added two commits: one that introduces wildcards in all "relevant" places, and a second that reverts half of the changes. For some domains one could argue that using a wildcard is too liberal. I think that the current proposal strikes a nice balance between security and maintainability.
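The trade-off discussed in this thread (an explicit `host:port` entry versus a `*.domain` wildcard in a harden-runner allow-list) is easier to reason about with a small offline checker. The following is an added example, not code from this PR, from Error Prone Support, or from step-security/harden-runner. It assumes a matching rule that is not taken from the PR: a leading `*.` matches any subdomain but not the apex domain, and non-wildcard entries must match exactly. The observed-connection sample is constructed.

```python
"""Offline checker for a harden-runner style egress allow-list.

Added example. ASSUMPTION (not documented on the PR page): an entry of
the form `*.example.com:443` matches any subdomain of example.com on
port 443 but not `example.com` itself; entries without a wildcard must
match host and port exactly.
"""

# Allow-list as it appears in the PR's rendered review context.
ALLOWED_ENDPOINTS = [
    "ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443",
    "github.com:443",
    "objects.githubusercontent.com:443",
    "repo.maven.apache.org:443",
    "sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443",
    "scanner.sonarcloud.io:443",
    "*.sonarcloud.io:443",
]

# Constructed sample of outbound connections a build might attempt.
OBSERVED_CONNECTIONS = [
    ("github.com", 443),
    ("api.sonarcloud.io", 443),
    ("sonarcloud.io", 443),
    ("scanner.sonarcloud.io", 443),
    ("evil.sonarcloud.io.example", 443),
    ("github.com", 80),
]


def parse_endpoint(entry):
    """Split `host:port` into a lower-cased host and an integer port."""
    host, _, port = entry.rpartition(":")
    return host.lower(), int(port)


def matches(entry_host, entry_port, host, port):
    """Return True if the allow-list entry covers the observed connection
    under the assumed wildcard semantics described in the module docstring."""
    if entry_port != port:
        return False
    host = host.lower()
    if entry_host.startswith("*."):
        suffix = entry_host[1:]  # e.g. ".sonarcloud.io"
        # Require a real subdomain: the apex itself is not covered.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry_host


def check_egress(allowed, observed):
    """Map each observed `host:port` to the allow-list entries that permit it.
    An empty list means the connection would be blocked."""
    parsed = [parse_endpoint(e) for e in allowed]
    verdicts = {}
    for host, port in observed:
        matched = [f"{h}:{p}" for h, p in parsed if matches(h, p, host, port)]
        verdicts[f"{host}:{port}"] = matched
    return verdicts


def wildcard_coverage(allowed):
    """List explicit entries already covered by a wildcard entry in the same
    list. Such entries are redundant, and a long list of them is a hint that
    the wildcard may be broader than needed (the 'too liberal' concern)."""
    parsed = [parse_endpoint(e) for e in allowed]
    wildcards = [(h, p) for h, p in parsed if h.startswith("*.")]
    redundant = []
    for h, p in parsed:
        if h.startswith("*."):
            continue
        if any(matches(wh, wp, h, p) for wh, wp in wildcards):
            redundant.append(f"{h}:{p}")
    return redundant


if __name__ == "__main__":
    for conn, entries in check_egress(ALLOWED_ENDPOINTS, OBSERVED_CONNECTIONS).items():
        status = "allowed by " + ", ".join(entries) if entries else "BLOCKED"
        print(f"{conn:45} {status}")
    print("redundant explicit entries:", wildcard_coverage(ALLOWED_ENDPOINTS))
```

Under the assumed semantics, `api.sonarcloud.io:443` is allowed only because of the wildcard, `sonarcloud.io:443` (the apex) and `github.com:80` are blocked, and `scanner.sonarcloud.io:443` is reported as redundant because `*.sonarcloud.io:443` already covers it; a reviewer can use that report to decide whether to keep the explicit entry or drop the wildcard.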


github-actions bot commented Aug 5, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.

ea6ne4j2sb.execute-api.eu-central-1.amazonaws.com:443
github.com:443
objects.githubusercontent.com:443
repo.maven.apache.org:443
sc-cleancode-sensorcache-eu-central-1-prod.s3.amazonaws.com:443
scanner.sonarcloud.io:443
*.sonarcloud.io:443
Member

@rickie rickie Aug 5, 2024


*sonarcloud.io:443 would also work if we want to🤔

I didn't see the update in the other PR, sorry.

@rickie rickie force-pushed the sschroevers/update-security-harden-config branch from 87f6de4 to 92e3cde Compare August 5, 2024 07:16

github-actions bot commented Aug 5, 2024

Looks good. No mutations were possible for these changes.
Mutation testing report by Pitest. Review any surviving mutants by inspecting the line comments under Files changed.


@rickie rickie merged commit 1005d93 into master Aug 5, 2024
15 checks passed
@rickie rickie deleted the sschroevers/update-security-harden-config branch August 5, 2024 07:31