[StepSecurity] Apply security best practices (#17)

Signed-off-by: StepSecurity Bot <[email protected]>
intel · Feb 27, 2024 · c75c804 · c75c804
1 parent 94a79bf
commit c75c804
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 8 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -14,3 +14,33 @@ updates:
     directory: /
     schedule:
       interval: daily
+
+  - package-ecosystem: gomod
+    directory: /ipu-device-plugin
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /ipu-device-plugin/images
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /ipu-plugin
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /ipu-plugin/images
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /sriov_cni
+    schedule:
+      interval: daily
+
+  - package-ecosystem: gomod
+    directory: /sriov_cni
+    schedule:
+      interval: daily
diff --git a/.github/workflows/static-scan.yml b/.github/workflows/static-scan.yml
@@ -5,8 +5,13 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: '1.21'
           cache: false
@@ -32,16 +37,26 @@ jobs:
     env:
       SHELLCHECK_OPTS: -e SC3037 # disabled because of false issue in entrypoint.sh
     steps:
-    - uses: actions/checkout@v4
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Run ShellCheck
-      uses: ludeeus/action-shellcheck@master
+      uses: ludeeus/action-shellcheck@cd81f4475ab741e097ec0fe73b692f3e49d66b8c # master
 
   hadolint:
     runs-on: ubuntu-latest
     name: Hadolint
     env:
       HADOLINT_RECURSIVE: "true"
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit
+
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
     - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
       name: Run Hadolint

diff --git a/ipu-device-plugin/images/Dockerfile b/ipu-device-plugin/images/Dockerfile
@@ -1,4 +1,4 @@
-FROM golang:1.20-alpine as builder
+FROM golang:1.20-alpine@sha256:e47f121850f4e276b2b210c56df3fda9191278dd84a3a442bfe0b09934462a8f as builder
 COPY . /usr/src/ipu-device-plugin
 
 ENV HTTP_PROXY $http_proxy
@@ -9,7 +9,7 @@ WORKDIR /usr/src/ipu-device-plugin
 
 RUN make build
 
-FROM alpine:3
+FROM alpine:3@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
 
 COPY --from=builder /usr/src/ipu-device-plugin/build/ipu-dp /usr/bin/
 WORKDIR /

diff --git a/ipu-plugin/images/Dockerfile b/ipu-plugin/images/Dockerfile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) 2024 Intel Corporation
-FROM golang:1.20-alpine as builder
+FROM golang:1.20-alpine@sha256:e47f121850f4e276b2b210c56df3fda9191278dd84a3a442bfe0b09934462a8f as builder
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -14,7 +14,7 @@ RUN go mod download
 RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o bin/ipuplugin ipuplugin/main.go
 
 
-FROM alpine:3
+FROM alpine:3@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
 
 COPY --from=builder /usr/src/ipu-opi-plugin/bin/ipuplugin /usr/bin/
 WORKDIR /