Merge pull request #52 from rsksmart/scorecard

Scorecard

.github/dependabot.yml

@@ -0,0 +1,19 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  # Maintain dependencies for Docker
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+
+  # Maintain dependencies for npm and yarn
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/ci.yml

@@ -22,26 +22,26 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
         with:
           images: |
             ${{ env.LATEST_TAG }}
             ${{ env.TEST_TAG }}
 
       - name: Setup Docker BuildX
         id: setup-buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
         with:
           install: true
           driver-opts: network=host
           platforms: linux/amd64
 
       - name: Build and export locally Docker
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
         with:
           context: container-action/
           load: true
@@ -65,14 +65,14 @@ jobs:
           --rm ${{ env.TEST_TAG }} 
 
       - name: GitHub container registry login
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build the RIT Action Container Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
         with:
           context: container-action/
           tags: ${{ env.LATEST_TAG }}
@@ -89,7 +89,7 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Test RIT Action
         id: test-rit-action
@@ -114,10 +114,10 @@ jobs:
       steps:
           - name: Checkout
             id: checkout
-            uses: actions/checkout@v4
+            uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
           - name: Create GitHub Release
-            uses: actions/create-release@v1
+            uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
             env:
               GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
             with:

.github/workflows/codeql.yml

@@ -0,0 +1,44 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: "0 0 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,14 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3

.github/workflows/scorecard.yml

@@ -0,0 +1,44 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '33 2 * * 2'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+        with:
+          sarif_file: results.sarif

SECURITY.md

@@ -0,0 +1,27 @@
+# Reporting Security Issues
+
+The Rootstock team and community take security bugs in rootstock seriously. Beside this project is out of our Bug Bounty Program scope, we appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+
+
+## Responsible Disclosure
+
+For all security related issues, Rootstock Integration Tests has two main points of contact. Reach us at <[email protected]> or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/rootstock-integration-tests/security/advisories/new) tab.
+
+The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+
+**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/rootstock-integration-tests/issues).
+
+## Vulnerability Handling
+
+### Response Time
+
+RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities:
+
+* Time to first response (from report submit) - 5 business days
+* Time to triage (from report submit) - 7 business days
+
+We’ll try to keep you informed about our progress throughout the process.
+
+### Disclose Policy
+
+Follow our [disclosure guidelines](https://www.rootstocklabs.com/bounty-program/).

container-action/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:24.04 AS builder
+FROM ubuntu:24.04@sha256:2e863c44b718727c860746568e1d54afd13b2fa71b160f5cd9058fc436217b30 AS builder
 
 LABEL Description="Custom RSK node image to execute Rootstock Integration Tests"