diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..9b28445c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+ # Maintain dependencies for Docker
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
\ No newline at end of file
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 07d2d7a0..54c7ad3e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,13 +8,14 @@ on:
 schedule:
 - cron: "39 5 * * 1"
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
 permissions:
- actions: read
- contents: read
 security-events: write
 strategy:
@@ -24,19 +25,19 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #v3.28.0
 with:
 languages: ${{ matrix.language }}
 queries: +security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #v3.28.0
 if: ${{ matrix.language == 'python' }}
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 #v3.28.0
 with:
 category: "/language:${{ matrix.language }}"
\ No newline at end of file
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 1be1df43..2c04268e 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
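Review bot: The docker entry's `directory: /` points at the repository root, but every Dockerfile this same commit digest-pins lives in a subdirectory (`dist/`, `docker/ledger/`, `docker/mware/`, `docker/packer/`); as far as I know Dependabot's docker updater only looks for a Dockerfile in the given directory and does not descend into subdirectories, so the digests added elsewhere in this commit would never be refreshed — confirm against the Dependabot docs and, if so, add one entry per directory (or the `directories` key with those four paths). The github-actions entry at `/` is correct, since that ecosystem is resolved under `.github/workflows`. The file also ends without a trailing newline.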
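Review bot: Removing `actions: read` and `contents: read` from the job-level `permissions` of `analyze` does not let them fall back to the new workflow-level `permissions: read-all`: a job-level `permissions` block replaces the workflow-level one entirely, so this job's token now holds only `security-events: write`. That matches the CodeQL starter workflow for public repositories, where checkout and the CodeQL steps do not need those scopes, so it presumably works here; if the repository is ever made private the two scopes have to be reinstated. A comment on the job block would stop the next reader from assuming they are inherited: `# Job-level permissions replace the workflow-level read-all; actions/contents read are only needed for private repos.`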
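Review bot: The version comments after the new SHA pins are written as `#v4.2.2` / `#v3.28.0` in this hunk, while scorecard.yml and dependency-review.yml in the same commit write `# v2.4.0` / `# v4.5.0`; yamllint's default `comments` rule wants at least two spaces before `#` and one after it, and Dependabot rewrites a trailing `# vX.Y.Z` comment when it bumps a SHA pin (I believe the no-space form is also recognised, but confirm before relying on it). Pick one form, `  # v4.2.2`, and apply it to the same pins in coverage.yml, lint-c.yml, lint-python.yml, run-tests.yml and static-analysis.yml.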
@@ -4,6 +4,9 @@ on:
 push:
 branches: [ "master" ]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 coverage:
 name: Run tests and generate coverage reports
@@ -11,13 +14,13 @@ jobs:
 steps:
 - name: Checkout this repo
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 - name: Build the middleware docker image
 run: docker/mware/build
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2
 with:
 aws-access-key-id: ${{ secrets.CODECOVERAGE_AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.CODECOVERAGE_AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..46e7022c
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,21 @@
+name: 'Dependency Review'
+on: [pull_request]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - name: 'Checkout Repository'
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
+ with:
+ fail-on-severity: high
+ comment-summary-in-pr: true
\ No newline at end of file
diff --git a/.github/workflows/lint-c.yml b/.github/workflows/lint-c.yml
index 3f6aec5c..623f05b0 100644
--- a/.github/workflows/lint-c.yml
+++ b/.github/workflows/lint-c.yml
@@ -2,6 +2,9 @@ name: Lint C code
 on: [push]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 run-c-linter:
 name: Run C linter
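Review bot: `aws-actions/configure-aws-credentials` jumps from v1 to v4.0.2 with the step's inputs unchanged; static access keys still work across that range, but if I remember the v2 release notes correctly the default of `mask-aws-account-id` flipped from true to false, so the account id would now appear unmasked in job logs unless the step adds `mask-aws-account-id: true` — confirm against the action's changelog before merging. Separately, v4 supports OIDC (`role-to-assume` together with `id-token: write` on this job), which would allow the long-lived `CODECOVERAGE_AWS_*` secrets to be retired. The rest of the `coverage` job continues outside the hunk.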
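Review bot: The `Checkout Repository` step leaves the job token persisted in the checkout's git config for the rest of the job, whereas scorecard.yml in the same commit checks out with `persist-credentials: false`; the dependency-review step only needs API access through the job's own token, so this job should do the same (`with:` / `persist-credentials: false` under the checkout step). `fail-on-severity: high` also means moderate-severity advisories only produce the PR comment rather than a failure, which is a deliberate threshold worth stating in a comment above the step. The file also ends without a trailing newline.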
@@ -9,7 +12,7 @@ jobs:
 steps:
 - name: Checkout this repo
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 - name: Build the ledger docker image
 run: docker/ledger/build
diff --git a/.github/workflows/lint-python.yml b/.github/workflows/lint-python.yml
index b20db7f0..5a113771 100644
--- a/.github/workflows/lint-python.yml
+++ b/.github/workflows/lint-python.yml
@@ -2,6 +2,9 @@ name: Lint Python code
 on: [push]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 run-python-linter:
 name: Run Python linter
@@ -9,7 +12,7 @@ jobs:
 steps:
 - name: Checkout this repo
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 - name: Build the middleware docker image
 run: docker/mware/build
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
index 336d189d..93a80949 100644
--- a/.github/workflows/run-tests.yml
+++ b/.github/workflows/run-tests.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "17 6 * * *"
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 run-unit-tests:
 name: Unit tests
@@ -12,7 +15,7 @@ jobs:
 steps:
 - name: Checkout this repo
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 - name: Build the middleware docker image
 run: docker/mware/build
@@ -44,7 +47,7 @@ jobs:
 steps:
 - name: Checkout rsk-powhsm repo
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 with:
 path: rsk-powhsm
@@ -57,7 +60,7 @@ jobs:
 firmware/build/build-tcpsigner
 - name: Checkout hsm-integration-test repo
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 with:
 repository: rootstock/hsm-integration-test
 ref: 5.1.0.plus
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..b1415a92
--- /dev/null
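Review bot: In the last run-tests.yml hunk the checkout action is now pinned to a commit SHA, but the checkout of `rootstock/hsm-integration-test` two lines below it stays on `ref: 5.1.0.plus`, a mutable tag or branch in another repository whose contents the integration-test job then executes; that is the same class of risk the SHA pins in this commit remove. Pin it the same way, `ref: <commit-sha>  # 5.1.0.plus` (placeholder — use the commit that tag currently resolves to), or add a comment stating why a mutable ref is intended here. The step and the `run:` block above it continue outside the hunk.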
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,47 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '33 2 * * 2'
+ push:
+ branches: [ "master" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard (optional).
+ # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index c8ecd73f..0088aa69 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: [ "master" ]
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
 static-analysis:
 name: Run ledger static analysis
@@ -11,7 +14,7 @@ jobs:
 steps:
 - name: Checkout this repo
- uses: actions/checkout@v3
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 - name: Build the ledger docker image
 run: docker/ledger/build
@@ -23,7 +26,7 @@ jobs:
 firmware/static-analysis/gen-static-analysis
 - name: Upload static analysis reports
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b #v4.5.0
 with:
 name: static-analysis-reports
 path: firmware/static-analysis/output
diff --git a/dist/Dockerfile b/dist/Dockerfile
index 1a21c3f0..0205a611 100644
--- a/dist/Dockerfile
+++ b/dist/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb
 RUN apt-get update && \
 apt-get install -y gnupg2
diff --git a/docker/ledger/Dockerfile b/docker/ledger/Dockerfile
index 12f4894b..7b96c893 100644
--- a/docker/ledger/Dockerfile
+++ b/docker/ledger/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:20.04
+FROM ubuntu:20.04@sha256:8e5c4f0285ecbb4ead070431d29b576a530d3166df73ec44affc1cd27555141b
 WORKDIR /opt
diff --git a/docker/mware/Dockerfile b/docker/mware/Dockerfile
index b9bad088..1f2f864f 100644
--- a/docker/mware/Dockerfile
+++ b/docker/mware/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.12-slim-bookworm
+FROM python:3.12-slim-bookworm@sha256:10f3aaab98db50cba827d3b33a91f39dc9ec2d02ca9b85cbc5008220d07b17f3
 WORKDIR /hsm2
diff --git a/docker/packer/Dockerfile b/docker/packer/Dockerfile
index b2834188..5001c0eb 100644
--- a/docker/packer/Dockerfile
+++ b/docker/packer/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:d365f4920711a9074c4bcd178e8f457ee59250426441ab2a5f8106ed8fe948eb
 WORKDIR /hsm2
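Review bot: `actions/upload-artifact` moves from v3 to v4.5.0 in the second static-analysis.yml hunk, and v4 is a breaking major: artifact names must be unique within a workflow run (a second upload with the same `name` fails instead of merging) and v4 artifacts cannot be fetched with `actions/download-artifact@v3`. This job uploads `static-analysis-reports` once, so the step itself should be fine, but any downstream job or workflow that downloads that artifact is outside this hunk and must be on v4 too — worth checking before merging. The same v4 pin is used by the new upload step in scorecard.yml.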
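Review bot: With `debian:bookworm-slim@sha256:…` the digest is what Docker resolves and the tag is kept only as a human-readable label, which is the right form; the trade-off is that the base image now stops receiving upstream security rebuilds until the digest is bumped, and in dist/Dockerfile the `apt-get update` in the context line below is the only thing that still pulls newer packages. That makes the pins depend on an automated bumper actually covering `dist/`, `docker/ledger/`, `docker/mware/` and `docker/packer/` (the Dependabot docker entry in this commit is scoped to `/`). A one-line comment above each `FROM`, `# digest-pinned; refreshed by Dependabot`, would record that expectation next to the pin.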