Varun Sharma
This is related to the policy store feature https://github.com/step-security/harden-runner/issues/217. As of now, any user in the org where the app is installed can view and modify policy, but we do...
This file can either be in the same or a separate repository. It can then be referenced by harden-runner using the `policy` attribute. Currently, the `policy` attribute only fetches the...
https://app.stepsecurity.io/github/statnett/image-scanner-operator/actions/runs/3953485836 There are two odd things: 1. Domain is not shown for a few calls made by trivy 2. Port 9 is being called, which is not typical We need...
This PR 1. Adds [harden-runner](https://github.com/step-security/harden-runner) GitHub Action to the workflow. 2. Sets the token permission for the workflow to `contents: read`. This is a security best practice and gets you...
Ideally, the secrets should be encrypted end-to-end so the backend API cannot access them. Only the GitHub Action should be able to decrypt the secrets.
We need to think more about how to do this, but it would be interesting to provide the GitHub token of the user using the browser and publish a release...
**Is your feature request related to a problem? Please describe.** In the future the Token-Permissions check will give different scores depending on how well the best practices have been followed....