OSSF Scorecard (#233)

* Implement scorecard

* Implement dependency review

* Configure dependabot

* Pin actions/checkout version to 11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2

* Pin github/codeql-action version to 48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #v3.28.0

* Pin  aws-actions/configure-aws-credentials version to e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2

* Pin actions/upload-artifact version to 6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0

* Pin debian bookworm-slim version to sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb

* Pin ubuntu 20.04 version to sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b

* Pin python 3.12-slim-bookworm version to sha256:10f3aaab98db50cba827d3b33a91f39dc9ec2d02ca9b85cbc5008220d07b17f3

* Properly set workflow permissions

.github/dependabot.yml

@@ -0,0 +1,13 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  # Maintain dependencies for Docker
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/codeql.yml

@@ -8,13 +8,14 @@ on:
   schedule:
     - cron: "39 5 * * 1"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     strategy:
@@ -24,19 +25,19 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #v3.28.0
         with:
           languages: ${{ matrix.language }}
           queries: +security-and-quality
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
+        uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #v3.28.0
         if: ${{ matrix.language == 'python' }}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #v3.28.0
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/coverage.yml

@@ -4,20 +4,23 @@ on:
   push:
     branches: [ "master" ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   coverage:
     name: Run tests and generate coverage reports
     runs-on: ubuntu-20.04
 
     steps:
       - name: Checkout this repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Build the middleware docker image
         run: docker/mware/build
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2
         with:
           aws-access-key-id: ${{ secrets.CODECOVERAGE_AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.CODECOVERAGE_AWS_SECRET_ACCESS_KEY }}

.github/workflows/dependency-review.yml

@@ -0,0 +1,21 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: true

.github/workflows/lint-c.yml

@@ -2,14 +2,17 @@ name: Lint C code
 
 on: [push]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   run-c-linter:
     name: Run C linter
     runs-on: ubuntu-20.04
 
     steps:
       - name: Checkout this repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Build the ledger docker image
         run: docker/ledger/build

.github/workflows/lint-python.yml

@@ -2,14 +2,17 @@ name: Lint Python code
 
 on: [push]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   run-python-linter:
     name: Run Python linter
     runs-on: ubuntu-20.04
 
     steps:
       - name: Checkout this repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Build the middleware docker image
         run: docker/mware/build

.github/workflows/run-tests.yml

@@ -5,14 +5,17 @@ on:
   schedule:
     - cron: "17 6 * * *"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   run-unit-tests:
     name: Unit tests
     runs-on: ubuntu-20.04
 
     steps:
       - name: Checkout this repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Build the middleware docker image
         run: docker/mware/build
@@ -44,7 +47,7 @@ jobs:
 
     steps:
       - name: Checkout rsk-powhsm repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           path: rsk-powhsm
 
@@ -57,7 +60,7 @@ jobs:
           firmware/build/build-tcpsigner
 
       - name: Checkout hsm-integration-test repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           repository: rootstock/hsm-integration-test
           ref: 5.1.0.plus

.github/workflows/scorecard.yml

@@ -0,0 +1,47 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '33 2 * * 2'
+  push:
+    branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+        with:
+          sarif_file: results.sarif

.github/workflows/static-analysis.yml

@@ -4,14 +4,17 @@ on:
   push:
     branches: [ "master" ]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   static-analysis:
     name: Run ledger static analysis
     runs-on: ubuntu-20.04
 
     steps:
       - name: Checkout this repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 
       - name: Build the ledger docker image
         run: docker/ledger/build
@@ -23,7 +26,7 @@ jobs:
           firmware/static-analysis/gen-static-analysis
       
       - name: Upload static analysis reports
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
         with:
           name: static-analysis-reports
           path: firmware/static-analysis/output

dist/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb
 
 RUN apt-get update && \
     apt-get install -y gnupg2

docker/ledger/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b
 
 WORKDIR /opt
 

docker/mware/Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.12-slim-bookworm
+FROM python:3.12-slim-bookworm@sha256:10f3aaab98db50cba827d3b33a91f39dc9ec2d02ca9b85cbc5008220d07b17f3
 
 WORKDIR /hsm2
 

docker/packer/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb
 
 WORKDIR /hsm2