From 686562f1914c56dfc18744ba58e10e93a74e6445 Mon Sep 17 00:00:00 2001
From: Sagi Cohen
Date: Thu, 2 May 2024 11:58:37 +0300
Subject: [PATCH] Update test-container-action-sarif.yaml and test-container-action.yaml workflows

---
 .../test-container-action-sarif.yaml | 30 +++++++++++--------
 .github/workflows/test-container-action.yaml | 27 +++++++++--------
 SECURITY.md | 20 +++++++++++++
 3 files changed, 52 insertions(+), 25 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/test-container-action-sarif.yaml b/.github/workflows/test-container-action-sarif.yaml
index e29d369..32811c7 100644
--- a/.github/workflows/test-container-action-sarif.yaml
+++ b/.github/workflows/test-container-action-sarif.yaml
@@ -3,35 +3,39 @@ name: Test sarif
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 container_scan_job:
 runs-on: ubuntu-latest
 permissions:
 security-events: write
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
 - name: Scan Container Image
 id: orcasecurity_container_image_scan
 uses: ./
 with:
- api_token:
- ${{ secrets.ORCA_SECURITY_API_TOKEN }}
- project_key:
- "default"
- image:
- "alpine:3"
- format:
- "json,sarif"
- output:
- "results/"
+ api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+ project_key: "default"
+ image: "alpine:3"
+ format: "json,sarif"
+ output: "results/"
 console_output: "table"
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # ratchet:actions/upload-artifact@v3
 if: always()
 with:
 name: orca-results
 path: results/
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # ratchet:github/codeql-action/upload-sarif@v2
 if: ${{ always() && steps.orcasecurity_container_image_scan.outputs.exit_code != 1 }}
 with:
 sarif_file: results/image.sarif
+
+
+
+
+
diff --git a/.github/workflows/test-container-action.yaml b/.github/workflows/test-container-action.yaml
index 4dbd84d..74c55c7 100644
--- a/.github/workflows/test-container-action.yaml
+++ b/.github/workflows/test-container-action.yaml
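Review bot: The job-level `permissions:` block already on container_scan_job (`security-events: write` only) replaces the new workflow-level block entirely, so the added top-level `contents: read` never applies to this job, while the top-level `security-events: write` widens the default for any job added later. Keep the workflow level at `contents: read` alone and make the job's grant explicit: `permissions:` / `  contents: read` / `  security-events: write` on container_scan_job. The checkout step presumably succeeds today only because the repository is public; a job-level `contents: read` removes that dependency. The five blank `+` lines appended after `sarif_file:` (and the same five at the end of the test-container-action.yaml hunk) are trailing empty lines that yamllint's `empty-lines` rule would flag; drop them.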
@@ -3,27 +3,30 @@ name: Test Orca Container Image action
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 container_scan_job:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
 - name: Scan Container Image
 uses: ./
 with:
- api_token:
- ${{ secrets.ORCA_SECURITY_API_TOKEN }}
- project_key:
- "default"
- image:
- "alpine:3"
- format:
- "json"
- output:
- "results/"
+ api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+ project_key: "default"
+ image: "alpine:3"
+ format: "json"
+ output: "results/"
 console_output: "table"
- - uses: actions/upload-artifact@v3
+ - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # ratchet:actions/upload-artifact@v3
 if: always()
 with:
 name: orca-results
 path: results/
+
+
+
+
+
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..6e0e2b2
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,20 @@
+
+## Reporting a Vulnerability
+
+At Orca, we take security seriously and appreciate your help in disclosing any vulnerabilities responsibly and privately.
+
+To report a security issue, please email us at address `disclosure@orca.security`
+
+---
+**Important:**
+
+ 1. Please **do not** create a Github issue for security vulnerabilities.
+ 2. Please **do not** disclose the vulnerability publicly until we have addressed it and provided guidance on the disclosure.
+ 3. Please include the following details in your report:
+ - Description of the vulnerability
+ - Steps to reproduce the vulnerability
+ - Any additional information or context that might be helpful
+
+---
+
+> Submission of reports by any means is subject to Orca's [Vulnerability Disclosure Policy](https://trustcenter.orca.security/?itemUid=ff1626be-71c0-4468-b93c-82fe08aac01f&source=documents_card). Please make sure to read and accept before submitting your report.