diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..3e9c043
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,23 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: weekly
+ groups:
+ dev-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: development
+ production-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: production
+ cooldown:
+ default-days: 7
+ include:
+ - '*'
+ exclude:
+ - react
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
index 98808de..1762730 100644
--- a/.github/workflows/dotnet.yml
+++ b/.github/workflows/dotnet.yml
@@ -7,6 +7,9 @@ on:
 branches: [ master ]
 workflow_dispatch: {}
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
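Review bot: The `cooldown.exclude` list at the end of the new file names `react`, an npm package, inside an entry whose `package-ecosystem` is `github-actions`, so that exclusion can never match and reads as a copy-paste from another project's config; the `dependency-type: development` / `production` filters on the two groups also appear to have no meaning for GitHub Actions, which has no dev/prod split, so both groups are probably empty (to be confirmed against the Dependabot docs for this ecosystem). Either drop `exclude:` and the two `dependency-type` lines or collapse the groups into a single group whose `patterns` is `'*'`. Separately, the two Dockerfile hunks in this commit pin both base images by digest, but no `docker` entry exists here, so those digests will never be refreshed and base-image security fixes stop arriving; a `nuget` entry for the .NET project would presumably be wanted as well.
```yaml
updates:
  # … unchanged: github-actions entry …
  - package-ecosystem: docker
    directory: /
    schedule:
      interval: weekly
```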
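Review bot: The new top-level `permissions: contents: read` sets every unlisted scope of `GITHUB_TOKEN` to none, yet this workflow logs in to ghcr.io with `secrets.GITHUB_TOKEN` and pushes an image on master (the login and build-push steps are in the next hunk of this file), and a token without `packages: write` cannot push to the registry, so the publish path will presumably fail with a 403 unless the `build` job declares its own `permissions` in the lines not shown. Keep the restrictive default and grant the write scope only where it is needed: under `build:` add `permissions:` / `  contents: read` / `  packages: write`. The `jobs:` mapping this hunk opens continues beyond the hunk.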
@@ -17,27 +20,32 @@ jobs:
 IMAGE_NAME: ghcr.io/${{ github.repository }}
 PUBLISH: ${{ github.ref == 'refs/heads/master' }}
 steps:
- - uses: actions/checkout@v2
- - uses: docker/setup-buildx-action@v2
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
+ - uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
 id: buildx
 with:
 install: true
 version: latest
- - uses: docker/login-action@v2
+ - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
 if: ${{ env.PUBLISH }}
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
 with:
 images: ${{ env.IMAGE_NAME }}
 tags: |
 type=sha
 type=edge
 type=raw,value=latest,enable={{is_default_branch}}
- - uses: docker/build-push-action@v3
+ - uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1
 id: build
 with:
 file: Dockerfile
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..a462c22
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,17 @@
+repos:
+- repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+- repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+- repo: https://github.com/pre-commit/mirrors-eslint
+ rev: v8.38.0
+ hooks:
+ - id: eslint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
diff --git a/Dockerfile b/Dockerfile
index da2be6f..f42aa55 100644
--- a/Dockerfile
+++ b/Dockerfile
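Review bot: The SHA pins are the right move, but `actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0` pins the v2 line of checkout, which is several majors behind the current release, and the `docker/*` actions are likewise pinned on their v2/v3 lines, so this hunk freezes already-outdated code and relies entirely on the new Dependabot config to move it; bumping to the current majors in the same change would be cleaner. `egress-policy: audit` on the harden-runner step only records outbound calls and blocks nothing, which is fine for a first rollout, but a comment such as `# audit mode: collects endpoints only; switch to egress-policy: block once the allow-list is known` would stop the next reader from assuming the job is network-restricted. The trailing `# vX.Y.Z` comments are what reviewers will trust when reading a pin, so they need to be kept exact whenever a SHA is rewritten.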
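Review bot: Every `rev:` in the new file is a tag (`v8.16.3`, `3.0.0`, `v8.38.0`, `v4.4.0`), while the workflow change in this same commit pins actions to full commit SHAs; tags are mutable references, so the gitleaks hook that is meant to catch committed secrets can itself be moved underneath the project, and pre-commit accepts a full SHA in `rev`, e.g. `rev: <full-commit-sha>  # v8.16.3` with the tag kept as a comment (placeholder, resolve from the upstream tag). Hooks only run on developers' machines and are easily skipped, so if gitleaks is meant as a control rather than a convenience it should presumably also run in CI; nothing in this diff adds that. The list style also differs from `.github/dependabot.yml` in this commit — this file uses flush `- repo:` items while the Dependabot file indents its items — and one sequence style across the repo is easier to lint.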
@@ -1,5 +1,5 @@
 # https://hub.docker.com/_/microsoft-dotnet
-FROM mcr.microsoft.com/dotnet/sdk:7.0 AS build
+FROM mcr.microsoft.com/dotnet/sdk:7.0@sha256:d32bd65cf5843f413e81f5d917057c82da99737cb1637e905a1a4bc2e7ec6c8d AS build
 WORKDIR ./sources
 # copy everything else and build app
@@ -8,7 +8,7 @@ WORKDIR ./sources/WebGoat.NET
 RUN dotnet publish -c release -o /app
 # final stage/image
-FROM mcr.microsoft.com/dotnet/aspnet:7.0
+FROM mcr.microsoft.com/dotnet/aspnet:7.0@sha256:c7d9ee6cd01afe9aa80642e577c7cec9f5d87f88e5d70bd36fd61072079bc55b
 WORKDIR /app
 COPY --from=build /app ./
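Review bot: Both pinned `FROM` lines carry a bare digest next to the `7.0` tag, unlike the workflow pins in this commit, which annotate each SHA with the version it resolves to; once a digest is present the tag is informational only, and a reader has no way to tell which patch release of the SDK or ASP.NET image is actually being built from, or to check a later digest bump by eye. Add a comment line above each pinned `FROM` naming the resolved image version, e.g. `# sdk:7.0.<patch> (placeholder, fill in from the registry manifest)` — it has to be its own line, since a Dockerfile does not treat `#` after an instruction as a comment — and keep it in step with the digest. The same applies to the second hunk's `aspnet` image.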