chore(security): evaluate items of 2021-10-22-github-actions-for-security-compliance
Description
As a maintainer I want to continually improve our security posture/processes so that the probability of bad things happening vulnerabilities-wise is lower (will never be zero but we should put in the effort to reduce risk)
There's a list of things projects can do summed up in this excellent blog post which provides the checklist for this task: https://github.blog/2021-10-22-github-actions-for-security-compliance/
I haven't read the post in detail and therefore I'm not even sure if all of the recommendations apply or if we already have all of them covered/in place. The task here first is to determine the answers to these questions as well and then create follow-up tasks for the specific individual items as necessary.
Acceptance Criteria
- Analysis was performed after having read the post.
- Results of the analysis are noted down here in a comment on a per-recommendation basis with outcomes like "We need this" / "We already have this" / "This does not apply" (for the last one there has to be, of course, a proper explanation attached as well).
Hello, I would like to work on this. Thank you
Hi @petermetz, below is my analysis from the blog. Let me know if you have any concerns.
To enhance our project's security posture, I have analyzed the recommendations from the GitHub blog post "GitHub Actions for security and compliance". For each recommendation, I have determined its applicability to our project and noted whether it's already implemented, needed, or not applicable.
[We need this]
1. Use Dependabot to keep your actions up to date
   Description: Dependabot helps in automatically updating our dependencies, including GitHub Actions, to mitigate vulnerabilities.
   Action: I don't know if this is enabled in the main branch. But we can configure Dependabot for our repository to monitor and update GitHub Actions dependencies.
2. Monitor our workflows
   Description: Regularly review and monitor our workflows for any unexpected changes or behaviors.
   Action: Implement a process to periodically review your workflows and set up alerts for any unauthorized modifications.
[We already have this]
1. Verify if actions are pinned to commit SHAs
   Description: Pinning actions to a specific commit SHA ensures that the exact version of the action is used, preventing unexpected changes or potential vulnerabilities from newer versions.
2. Set up branch protection rules
   Description: Branch protection rules help prevent unauthorized changes to your codebase by enforcing requirements such as pull request reviews and status checks before merging.
3. Use secrets for sensitive data
   Description: Store sensitive information, like API keys or tokens, in GitHub Secrets to prevent exposure in your codebase.
4. Limit permissions for GitHub Actions
   Description: Configure the permissions for the GITHUB_TOKEN and other credentials to the minimum required for your workflows.
5. Stay informed about security advisories
   Description: Keep up-to-date with security advisories related to GitHub Actions and your project's dependencies.
[This does not apply]
1. Use environment protection rules
   Description: Environment protection rules, such as required reviewers or wait times, add an extra layer of control before deploying to sensitive environments.
   Explanation: Since our project does not deploy to environments where such protections are applicable, this recommendation may not be relevant.
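Two of the "We already have this" items above, pinning actions to commit SHAs and limiting GITHUB_TOKEN permissions, can be verified mechanically rather than by eye, which also makes the "monitor our workflows" item cheaper to keep up. The script below is an added example for this thread, not code from this project's repository or from the blog post. It works on raw workflow text with regular expressions so it needs no third-party YAML library, and the two sample workflows and the 40-hex SHAs in them are constructed placeholders, not real release commits.

```python
import re

# Constructed sample workflows (not taken from any real repository).
# The weak one uses floating tags/branches and sets no permissions block.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@main
      - run: npm ci && npm test
"""

# The hardened one pins every action to a full commit SHA (placeholder values)
# and restricts GITHUB_TOKEN to read-only access to repository contents.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef  # placeholder SHA
      - run: npm ci && npm test
"""

# Matches "uses: <ref>" (with or without a leading "- "), stopping at whitespace or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-character lowercase hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Any permissions block, at workflow or job level.
PERMISSIONS_RE = re.compile(r"^\s*permissions:")
# The shorthand that grants every scope to GITHUB_TOKEN.
WRITE_ALL_RE = re.compile(r"^\s*permissions:\s*write-all\s*$")


def find_unpinned_actions(workflow_text):
    """Return the `uses:` references that are not pinned to a full commit SHA.

    Local actions (./path) and docker:// images are skipped, since the
    SHA-pinning rule from the blog post targets actions fetched from GitHub.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append(ref)  # no version at all
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            unpinned.append(ref)  # tag or branch name, which can move
    return unpinned


def permissions_finding(workflow_text):
    """Return a finding if GITHUB_TOKEN permissions are not explicitly limited, else None."""
    lines = workflow_text.splitlines()
    if any(WRITE_ALL_RE.match(line) for line in lines):
        return "permissions: write-all grants every scope to GITHUB_TOKEN"
    if not any(PERMISSIONS_RE.match(line) for line in lines):
        return "no permissions block; GITHUB_TOKEN falls back to the repository default"
    return None


def audit_workflow(workflow_text):
    """Collect all findings for one workflow file as human-readable strings."""
    findings = ["unpinned action: " + ref for ref in find_unpinned_actions(workflow_text)]
    perm = permissions_finding(workflow_text)
    if perm:
        findings.append(perm)
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name + ":", audit_workflow(text) or ["no findings"])
```

Run it over every file under `.github/workflows/` in CI and fail the job when `audit_workflow` returns anything; a `# vX.Y.Z` comment next to each pinned SHA, as in the hardened sample, keeps the pin readable and is what Dependabot updates when it bumps the action.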
@zondervancalvez Thank you very much and sorry for the slow response, LGTM!