Update Orca Secrets action workflows

orcasecurity · May 2, 2024 · 7df618a · 7df618a
1 parent 1182fc7
commit 7df618a
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 18 deletions.
diff --git a/.github/workflows/test-secrets-action-sarif.yaml b/.github/workflows/test-secrets-action-sarif.yaml
@@ -2,30 +2,33 @@ name: Test Orca Secrets action - Sarif
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   secrets_scan_job:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Scan Secrets
         id: orcasecurity_secrets_scan
         uses: ./
         with:
-          api_token:
-            ${{ secrets.ORCA_SECURITY_API_TOKEN }}
-          project_key:
-            "default"
-          format:
-            "sarif"
-          output:
-            "results/"
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          project_key: "default"
+          format: "sarif"
+          output: "results/"
           console_output: "table"
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # ratchet:github/codeql-action/upload-sarif@v2
         if: ${{ always() && steps.orcasecurity_secrets_scan.outputs.exit_code != 1 }}
         with:
-          sarif_file: results/secrets.sarif
+          sarif_file: results/secrets.sarif
+
+
+
diff --git a/.github/workflows/test-secrets-action.yaml b/.github/workflows/test-secrets-action.yaml
@@ -2,21 +2,23 @@ name: Test Orca Secrets action
 
 on: [push, pull_request, workflow_dispatch]
 
+permissions:
+  contents: read
+
 jobs:
   secrets_scan_job:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # ratchet:actions/checkout@v3
         with:
           fetch-depth: 0
-  
+
       - name: Scan Secrets
         id: orcasecurity
         uses: ./
         with:
-          api_token:
-            ${{ secrets.ORCA_SECURITY_API_TOKEN }}
-          project_key:
-            "default"
-          console_output: "table"
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          project_key: "default"
+          console_output: "table"
+
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,20 @@
+
+## Reporting a Vulnerability
+
+At Orca, we take security seriously and appreciate your help in disclosing any vulnerabilities responsibly and privately.
+
+To report a security issue, please email us at address `[email protected]`
+
+---
+**Important:**
+
+   1. Please **do not** create a Github issue for security vulnerabilities.
+   2. Please **do not** disclose the vulnerability publicly until we have addressed it and provided guidance on the disclosure.
+   3. Please include the following details in your report:
+         - Description of the vulnerability
+         - Steps to reproduce the vulnerability
+         - Any additional information or context that might be helpful
+
+---
+
+> Submission of reports by any means is subject to Orca's [Vulnerability Disclosure Policy](https://trustcenter.orca.security/?itemUid=ff1626be-71c0-4468-b93c-82fe08aac01f&source=documents_card). Please make sure to read and accept before submitting your report.