Varun Sharma
### Description This PR adds minimum token permissions for the GITHUB_TOKEN in GitHub Actions workflows using https://github.com/step-security/secure-workflows. GitHub Actions workflows have a GITHUB_TOKEN with `write` access to multiple scopes. After...
**Is your feature request related to a problem? Please describe.** I would like to start a discussion to add more options for SAST tools. As of now, 3 tools are...
One might want to comment out an allowed endpoint or provide comments related to why it is needed. We should support comments for each line of the allowed endpoints using...
As of now harden runner blocks traffic at the DNS and network layers (layer 3 and 4). It would be desirable to enable blocking traffic using HTTP paths and verbs...
This could be if an allowed endpoint is not entered correctly and cannot be resolved. Harden runner reverts instead of failing the build. Another scenario is when a source code file is...
As an example, for this workflow, the insights API did not detect the call to the storage endpoint as the cache endpoint. https://app.stepsecurity.io/github/DataDog/stratus-red-team/actions/runs/3156772572 It was detected for the second run....
GitHub Actions jobs run with `sudo` access by default, but not all jobs need sudo access. If one of the dependencies or build tools runs as part of the job...
- [ ] If no dependabot file is specified in `POST` request and no path is specified to a dependabot file, assume that dependabot file does not exist.
- [...
`gh` CLI extension would be ideal since we will not need to solve for installation and authentication.
We currently allow disabling file monitoring altogether for a job or exempting specific files across all workflows. There is a need to have a more granular exempt policy. We...