citgm
[StepSecurity] Apply security best practices
Summary
This pull request is created by Secure Repo at the request of @RafaelGSS. Please merge the Pull Request to incorporate the requested changes. Please tag @RafaelGSS on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.
Refs: https://github.com/nodejs/security-wg/issues/859
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full-length commit.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Feedback
For bug reports, feature requests, and general feedback, please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot [email protected]
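The two hardening points above (a least-privileged `permissions:` block and actions pinned to a full-length commit SHA) can be checked mechanically before a workflow is merged. The script below is an added example written for this page, not code from the PR, from StepSecurity, or from citgm. It embeds two constructed workflow files, a weak one and its hardened form, and a small line-oriented auditor that flags unpinned `uses:` references, a missing `permissions:` block, and `write-all`. The 40-hex values in the hardened sample are placeholders, not real commits of `actions/checkout` or `actions/setup-node`; the check itself is regex-based so it needs no YAML library.

```python
import re

# Constructed sample (not from the citgm repo): a workflow with the two
# weaknesses the PR addresses, mutable action tags and no permissions block.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm test
"""

# Constructed sample of the hardened form. The 40-hex values are placeholders,
# not real commits of these actions; substitute the SHA of the release you reviewed.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4 (placeholder SHA)
        with:
          node-version: 20
      - run: npm test
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
PERMISSIONS_RE = re.compile(r"^\s*permissions:\s*([^#]*)")
SHA_RE = re.compile(r"[0-9a-f]{40}")


def is_pinned(uses):
    """True when a `uses:` reference is immutable: a full commit SHA for
    repository actions, or a sha256 digest for docker:// images."""
    if uses.startswith("./"):
        return True  # local action, versioned together with the repository
    action, sep, ref = uses.rpartition("@")
    if not sep:
        return False  # no ref at all; resolves to the action's default branch
    if action.startswith("docker://"):
        return ref.startswith("sha256:")
    return SHA_RE.fullmatch(ref) is not None


def audit_workflow(text):
    """Line-oriented scan of a workflow file; returns (line_no, message) findings."""
    findings = []
    saw_permissions = False
    for line_no, line in enumerate(text.splitlines(), 1):
        perm = PERMISSIONS_RE.match(line)
        if perm:
            saw_permissions = True
            if perm.group(1).strip() == "write-all":
                findings.append((line_no, "permissions: write-all grants every scope to GITHUB_TOKEN"))
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((line_no, f"uses: {m.group(1)} is not pinned to a full-length commit SHA"))
    if not saw_permissions:
        # Line 0 marks a file-level finding rather than a specific line.
        findings.append((0, "no permissions: block; GITHUB_TOKEN gets the repository default scopes"))
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for line_no, msg in audit_workflow(wf) or [(0, "no findings")]:
            print(f"  line {line_no}: {msg}")
```

Run against the weak sample it reports both `@v4` references and the missing `permissions:` block; the hardened sample produces no findings. A `permissions:` block at job level also satisfies the check, since the regex matches the key at any indentation; a real policy may want to insist on a workflow-level default of `contents: read` and only widen scopes per job.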
Codecov Report
All modified lines are covered by tests :white_check_mark:
Comparison is base (b8193a7) 96.44% compared to head (d5f8b9a) 96.44%.
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1010   +/-   ##
=======================================
  Coverage   96.44%   96.44%
=======================================
  Files          28       28
  Lines        2139     2139
=======================================
  Hits         2063     2063
  Misses         76       76
:umbrella: View full report in Codecov by Sentry.