feat(GHA): Add SHA pinning #11364

Merged
merged 1 commit into from
Dec 11, 2024

Conversation

kiblik
Contributor

@kiblik kiblik commented Dec 3, 2024


dryrunsecurity bot commented Dec 3, 2024

DryRun Security Summary

The code changes focus on improving the security, reliability, and consistency of DefectDojo's GitHub Actions workflows by updating action versions, implementing secure configurations, and enhancing testing and release management processes.


Summary:

The provided code changes cover a variety of GitHub Actions workflows for the DefectDojo application. The changes focus on improving the reliability, consistency, and security of the application's build, test, and release processes. Key security-related observations include:

  1. Dependency Management: The workflows consistently use specific versions of GitHub Actions, pinning them to known-good commit hashes. This helps ensure stability and reduce the risk of introducing vulnerabilities through unexpected dependency changes.

  2. Secure Configurations: The workflows implement several security-conscious practices, such as setting up Kubernetes clusters, managing Docker images, and updating version numbers in a secure and automated manner.

  3. Artifact Integrity: The workflows handle the download and use of build artifacts, such as Docker images and Helm charts, with care to ensure the integrity and security of these artifacts.

  4. Linting and Testing: The workflows include steps to lint shell scripts, run integration tests, and validate the Helm chart, which helps identify and address potential security issues in the codebase.

  5. Release Management: The release-related workflows demonstrate a well-designed and secure process for creating new releases, including updating version numbers, building and pushing Docker images, and managing the Helm chart release.

Overall, the provided code changes appear to be focused on improving the security and reliability of the DefectDojo application's development and deployment processes. The use of specific dependency versions, secure configurations, and comprehensive testing and linting are all positive security practices that should help maintain the application's security posture.

Files Changed:

The code changes span several GitHub Actions workflow files, including:

  • .github/workflows/cancel-outdated-workflow-runs.yml: Updates the version of the styfle/cancel-workflow-action GitHub Action.
  • .github/workflows/fetch-oas.yml: Uses specific versions of the actions/checkout and actions/upload-artifact actions to fetch the OpenAPI Specifications.
  • .github/workflows/gh-pages.yml: Updates the versions of various GitHub Actions used to build and deploy the project's documentation website.
  • .github/workflows/build-docker-images-for-testing.yml: Updates the versions of the actions/checkout, docker/setup-buildx-action, docker/build-push-action, and actions/upload-artifact actions.
  • .github/workflows/detect-merge-conflicts.yaml: Updates the version of the eps1lon/actions-label-merge-conflict action.
  • .github/workflows/integration-tests.yml: Updates the versions of the actions/checkout and actions/download-artifact actions.
  • .github/workflows/plantuml.yml: Updates the versions of the actions/checkout and stefanzweifel/git-auto-commit-action actions.
  • .github/workflows/k8s-tests.yml: Updates the versions of the actions/checkout, manusa/actions-setup-minikube, and actions/download-artifact actions.
  • .github/workflows/pr-labeler.yml: Updates the version of the actions/labeler action.
  • .github/workflows/release-1-create-pr.yml: Handles the creation of release branches and pull requests.
  • .github/workflows/release-2-tag-docker-push.yml: Automates the release process, including tagging, Helm chart release, and Docker container release.
  • .github/workflows/release-3-master-into-dev.yml: Merges the master branch into the dev and bugfix branches after a release.
  • .github/workflows/release-drafter.yml: Updates the versions of the release-drafter/release-drafter, actions/download-artifact, and actions/upload-release-asset actions.
  • .github/workflows/release-x-manual-docker-containers.yml: Builds and pushes Docker images for the DefectDojo application.
  • .github/workflows/release-x-manual-helm-chart.yml: Releases the DefectDojo Helm chart.
  • .github/workflows/ruff.yml: Updates the actions/checkout action version.
  • .github/workflows/rest-framework-tests.yml: Updates the versions of the actions/checkout and actions/download-artifact actions.
  • .github/workflows/shellcheck.yml: Runs the ShellCheck linter on shell scripts.
  • .github/workflows/test-helm-chart.yml: Lints the Def

Code Analysis

We ran 9 analyzers against 20 files and 0 analyzers had findings. 9 analyzers had no findings.


@kiblik kiblik closed this Dec 3, 2024
@kiblik kiblik reopened this Dec 3, 2024
@mtesauro
Contributor

mtesauro commented Dec 4, 2024

This makes total sense to me 👍

Contributor

@mtesauro mtesauro left a comment

Approved

Contributor

github-actions bot commented Dec 9, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@kiblik kiblik requested a review from Maffooch December 9, 2024 16:05
@github-actions github-actions bot added settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests ui parser helm labels Dec 9, 2024
@github-actions github-actions bot removed settings_changes Needs changes to settings.py based on changes in settings.dist.py included in this PR apiv2 docs unittests ui parser helm conflicts-detected labels Dec 9, 2024
Contributor

github-actions bot commented Dec 9, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

Contributor

@cneill cneill left a comment

From Renovate's documentation, it's not clear to me if it will automatically bump e.g. v4.4.3 to v4.4.4 or if it stays pinned to that specific tag forever, only updating if the SHA corresponding to that tag changes. If it's the latter, it might make sense to pin to e.g. # v4 instead of # v4.4.3.

Since this is definitely an improvement either way, I'm okay to approve and we can keep an eye on it to see how it behaves.
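As an added example (not code from this PR or the DefectDojo project), a small audit script that checks workflow `uses:` references the way this PR intends: a step is accepted only when pinned to a full 40-character commit SHA, and a SHA-pinned step without the trailing `# vX.Y.Z` comment discussed above is flagged too. The sample workflow and its all-1s/all-2s SHAs are constructed placeholders, not real commits.

```python
import re

# A `uses:` step reference: owner/repo[/path]@ref, optionally followed by "# comment".
# Local actions (./path) and docker:// references have no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify_uses(line):
    """Return (action, ref, kind, comment) for a `uses:` line, or None if it is not one.
    kind is 'sha' (immutable commit), 'tag' (e.g. v4 or v4.4.3, movable by the
    action's maintainer) or 'branch-or-other' (e.g. main, always movable)."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref")
    if SHA_RE.match(ref):
        kind = "sha"
    elif TAG_RE.match(ref):
        kind = "tag"
    else:
        kind = "branch-or-other"
    comment = m.group("comment")
    return m.group("action"), ref, kind, (comment.strip() if comment else None)


def audit_workflow(text):
    """Return (line number, action, message) for every `uses:` that is not fully pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = classify_uses(line)
        if parsed is None:
            continue
        action, ref, kind, comment = parsed
        if kind != "sha":
            findings.append((lineno, action, f"not SHA-pinned: ref '{ref}' is a {kind}"))
        elif not comment:
            findings.append((lineno, action, "SHA-pinned but missing '# vX.Y.Z' version comment"))
    return findings


# Constructed sample workflow: the SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@1111111111111111111111111111111111111111 # v4.4.3
      - uses: docker/build-push-action@2222222222222222222222222222222222222222
      - uses: docker/setup-buildx-action@main
"""
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports lines 5, 7 and 8; only the SHA-plus-comment line on line 6 passes.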

@Maffooch Maffooch merged commit 890b6cb into DefectDojo:dev Dec 11, 2024
73 checks passed
@kiblik kiblik deleted the gha_pin branch December 11, 2024 20:23
@kiblik
Contributor Author

kiblik commented Dec 11, 2024

@cneill, it looks like versions are not locked #11410
So we are good :)

@cneill
Contributor

cneill commented Dec 11, 2024

@cneill, it looks like versions are not locked #11410 So we are good :)

Excellent!
