From 5c62c60dfb25e6910113b666b671d44678143f26 Mon Sep 17 00:00:00 2001
From: David Elliott
Date: Mon, 28 Nov 2022 16:16:38 +0000
Subject: [PATCH] Github actions security improvements

---
 .github/workflows/format-code.yml              |  9 +++-
 .../workflows/terraform-static-analysis.yml    | 45 +++++--------------
 2 files changed, 18 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml
index 79021f75..1eeff745 100644
--- a/.github/workflows/format-code.yml
+++ b/.github/workflows/format-code.yml
@@ -1,14 +1,19 @@
+name: "Format Code: ensure code formatting guidelines are met"
 on:
   pull_request:
     types: [opened, edited, reopened, synchronize]
+permissions: {}
+
 jobs:
   format-code:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
-      - uses: ministryofjustice/github-actions/code-formatter@d75b4f388fca7537704ddd69c431258518e774e4 # v7
+      - uses: ministryofjustice/github-actions/code-formatter@bffeddf62d99a7486979d9c3afff86913a9abe1a # v8
         with:
-          ignore-files: "README.md"
+          ignore-files: "README.md"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
index 86254a8f..b699f399 100644
--- a/.github/workflows/terraform-static-analysis.yml
+++ b/.github/workflows/terraform-static-analysis.yml
@@ -1,9 +1,6 @@
 name: Terraform Static Code Analysis
 on:
-  schedule:
-    # * is a special character in YAML so you have to quote this string
-    - cron: '0 7 * * 1-5'
   workflow_dispatch:
   pull_request:
     branches:
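Review bot: The job-level `contents: write` grant needs a comment saying why write rather than read is required, because nothing in this file shows what code-formatter does with the token it is handed; something like `# code-formatter pushes formatting fixes back to the PR branch — confirm against the action's README` above the `permissions:` block would do. The trigger still lists `edited`, which re-runs the job with a write-scoped token on title or description edits that change no files; `types: [opened, reopened, synchronize]` keeps the same coverage with fewer runs. On `pull_request` events from forks the GITHUB_TOKEN is read-only regardless of this grant, so the write path presumably only applies to same-repository branches — worth stating in the same comment.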
@@ -12,18 +9,23 @@ on:
       - '**.tf'
       - '.github/workflows/terraform-static-analysis.yml'
+permissions:
+  contents: read
+
 jobs:
   terraform-static-analysis:
+    permissions:
+      pull-requests: write
     name: Terraform Static Analysis
     runs-on: ubuntu-latest
-    if: github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'
+    if: github.event_name != 'workflow_dispatch'
     steps:
       - name: Checkout
         uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
         with:
           fetch-depth: 0
       - name: Run Analysis
-        uses: ministryofjustice/github-actions/terraform-static-analysis@main
+        uses: ministryofjustice/github-actions/terraform-static-analysis@bffeddf62d99a7486979d9c3afff86913a9abe1a # v8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -32,6 +34,8 @@ jobs:
       checkov_exclude: CKV_GIT_1
   terraform-static-analysis-full-scan:
+    permissions:
+      pull-requests: write
     name: Terraform Static Analysis - scan all directories
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch'
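Review bot: A job-level `permissions:` block that names only `pull-requests: write` sets every unspecified scope to `none` for that job, so the workflow-level `contents: read` added in the same hunk does not carry into `terraform-static-analysis`; the same applies to `terraform-static-analysis-full-scan` in the `@@ -32,6 +34,8 @@` hunk. Both jobs run `actions/checkout` with `fetch-depth: 0` and hand `GITHUB_TOKEN` to the analysis action, so reading the repository then depends on it being public. Restate the read scope next to the write one in both job blocks: `permissions:` / `  contents: read` / `  pull-requests: write`. A one-line comment on why `pull-requests: write` is needed (presumably to post findings as PR comments — the file does not show this) would also help the next reviewer of these grants.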
@@ -41,37 +45,10 @@ jobs:
         with:
           fetch-depth: 0
       - name: Run Analysis
-        uses: ministryofjustice/github-actions/terraform-static-analysis@main
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          scan_type: full
-          tfsec_exclude: AWS089, AWS099, AWS009
-          checkov_exclude: CKV_GIT_1, CKV_AWS_23, CKV_AWS_261, CKV_AWS_150
-
-  terraform-static-analysis-scheduled-scan:
-    name: Terraform Static Analysis - scheduled scan of all directories
-    runs-on: ubuntu-latest
-    if: github.event_name == 'schedule'
-    steps:
-      - name: Checkout
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
-        with:
-          fetch-depth: 0
-      - name: Run Analysis
-        uses: ministryofjustice/github-actions/terraform-static-analysis@main
+        uses: ministryofjustice/github-actions/terraform-static-analysis@bffeddf62d99a7486979d9c3afff86913a9abe1a # v8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           scan_type: full
           tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
-          checkov_exclude: CKV_GIT_1, CKV_AWS_23, CKV_AWS_261, CKV_AWS_150
-      - uses: 8398a7/action-slack@a189acbf0b7ea434558662ae25a0de71df69a435 # v3.14.0
-        name: Slack failure notification
-        with:
-          job_name: Terraform Static Analysis - scheduled scan of all directories
-          status: ${{ job.status }}
-          fields: workflow,job,repo,commit,message
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        if: ${{ failure() }}
\ No newline at end of file
+          checkov_exclude: CKV_GIT_1
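Review bot: Folding the scheduled scan into the `workflow_dispatch` job removes the periodic full scan and its Slack failure notification, so a finding raised by newer tfsec/checkov rules in unchanged directories is now only detected when someone triggers the job by hand, and the commit message does not say whether that loss of coverage is intended. The merged `with:` block also changes the full-scan policy silently: `tfsec_exclude` gains AWS097 and AWS018 from the deleted scheduled job while `checkov_exclude` drops CKV_AWS_23, CKV_AWS_261 and CKV_AWS_150, so the next manual run will report those checkov findings for the first time. A comment on each exclusion line recording why the ID is suppressed, e.g. `# AWS097/AWS018 carried over from the former scheduled scan — review whether still needed`, would let reviewers judge the list rather than inherit it. The enclosing `terraform-static-analysis-full-scan` job starts outside the hunk.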