Abstract
To the extent that dotfiles need a security policy, this is it.
Security Policy
Automation
Find and use all of the automated security checks that are relevant to, and available for, an open source repository.
Bandit
Not much Python in here, but it’s worth scanning anyway.
- name: Bandit
This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
Bandit is a security linter designed to find common security issues in Python code. This action will run Bandit on your codebase. The results of the scan will be found under the Security tab of your repository.
bandit-scan is ISC licensed, by abirismyname. bandit is Apache v2.0 licensed, by PyCQA.
```yaml
name: Bandit
permissions:
  contents: read
on:
  push:
    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main" ]
  schedule:
    - cron: '32 4 * * 4'
```
- jobs: Bandit Jobs
Define the jobs necessary for a useful bandit run.
```yaml
jobs:
  bandit:
    permissions:
      # for actions/checkout to fetch code
      contents: read
      # for github/codeql-action/upload-sarif to upload SARIF results
      security-events: write
      # only required for a private repository by
      # github/codeql-action/upload-sarif to get the Action run status
      actions: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit
      - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 # main
      - name: Bandit Scan
        uses: shundor/python-bandit-scan@ab1d87dfccc5a0ffab88be3aaac6ffe35c10d6cd # main
        # optional arguments
        with:
          # exit with 0, even with results found
          exit_zero: true # optional, default is DEFAULT
          # File or directory to run bandit on
          # path: # optional, default is .
          # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
          # level: # optional, default is UNDEFINED
          # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
          # confidence: # optional, default is UNDEFINED
          # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
          # excluded_paths: # optional, default is DEFAULT
          # comma-separated list of test IDs to skip
          # skips: # optional, default is DEFAULT
          # path to a .bandit file that supplies command line arguments
          # ini_path: # optional, default is DEFAULT
          # Github token of the repository (automatically created by Github)
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
```
Scorecard
FOSS is great when you’re broke.
- name: SSS
```yaml
name: Scorecard supply-chain security
on:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  pull_request:
    branches: ["main"]
permissions: read-all
```
- jobs: Jobs for SSS
Define the jobs for the SSS action.
```yaml
jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit
      - name: "Checkout code"
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Public repositories:
          #   - Publish results to OpenSSF REST API for easy access by consumers
          #   - Allows the repository to include the Scorecard badge.
          #   - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          #   - `publish_results` will always be set to `false`, regardless
          #     of the value entered here.
          publish_results: true
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
        with:
          sarif_file: results.sarif
```
OSSAR
- name: OSSAR
This workflow integrates a collection of open source static analysis tools with GitHub code scanning. For documentation, or to provide feedback, visit github/ossar-action.
```yaml
name: OSSAR
permissions:
  contents: read
on:
  push:
    branches: [ "main" ]
  pull_request:
```
- jobs: OSSAR Jobs
Define the jobs necessary for a useful OSSAR run.
```yaml
jobs:
  OSSAR-Scan:
    # OSSAR runs on windows-latest.
    # ubuntu-latest and macos-latest support coming soon
    permissions:
      # for actions/checkout to fetch code
      contents: read
      # for github/codeql-action/upload-sarif to upload SARIF results
      security-events: write
      # only required for a private repository by
      # github/codeql-action/upload-sarif to get the Action run status
      actions: read
    runs-on: windows-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
        with:
          egress-policy: audit
      - name: Checkout repository
        uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 # main
      # Ensure a compatible version of dotnet is installed.
      # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs)
      # is built with dotnet v3.1.201.
      # A version greater than or equal to v3.1.201 of dotnet must be installed
      # on the agent in order to run this action.
      # GitHub hosted runners already have a compatible version of dotnet
      # installed and this step may be skipped.
      # For self-hosted runners, ensure dotnet version 3.1.201 or later is
      # installed by including this action:
      # - name: Install .NET
      #   uses: actions/setup-dotnet@v2
      #   with:
      #     dotnet-version: '3.1.x'
      #
      # Run open source static analysis tools
      - name: Run OSSAR
        uses: github/ossar-action@4e96c4f6e591eb4b991abfd459e40b136a317aea # main
        id: ossar
      # Upload results to the Security tab
      - name: Upload OSSAR results
        uses: github/codeql-action/upload-sarif@396fd27c308b7ab96df64e7e4cb9a7c6e22f4ebc # main
        with:
          sarif_file: ${{ steps.ossar.outputs.sarifFile }}
```
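All three workflows above (Bandit, Scorecard, OSSAR) pin every third-party action to a full commit SHA with the tracked tag or branch in a trailing comment, and declare `permissions` at the top level; that pinning is what Scorecard's Pinned-Dependencies check looks for. The following script is an added example, not code from the dotfiles repository: it scans workflow text for `uses:` references that are not SHA-pinned or lack the explanatory comment, and checks for a top-level `permissions` block. The embedded workflow is constructed for the example; `actions/checkout@v4` is a deliberately unpinned line.

```python
"""Lint a GitHub Actions workflow for unpinned actions and missing permissions."""
import re

# Matches "uses: owner/repo@ref" (or "owner/repo/subpath@ref") on a step line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # full git commit SHA
COMMENT_RE = re.compile(r"#\s*\S")           # any trailing "# v2.12.0" / "# main"

# Constructed sample; the SHAs are the ones used in the workflows above.
SAMPLE_WORKFLOW = """\
name: Bandit
permissions:
  contents: read
jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
      # - uses: actions/setup-dotnet@v2
"""

def find_unpinned(workflow_text):
    """Return (line, action, ref, reason) for each weakly pinned action."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        if line.lstrip().startswith("#"):    # commented-out steps do not run
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            # A tag or branch can be moved by the action's maintainer (or an
            # attacker with their credentials); a SHA cannot.
            findings.append((lineno, action, ref, "not pinned to a full commit SHA"))
        elif not COMMENT_RE.search(line[m.end():]):
            findings.append((lineno, action, ref,
                             "SHA pin has no trailing comment naming the tag or branch"))
    return findings

def has_top_level_permissions(workflow_text):
    """True if the workflow sets GITHUB_TOKEN permissions at the top level."""
    return re.search(r"^permissions:", workflow_text, re.MULTILINE) is not None

if __name__ == "__main__":
    for lineno, action, ref, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref}: {reason}")
    if not has_top_level_permissions(SAMPLE_WORKFLOW):
        print("no top-level permissions block; GITHUB_TOKEN gets the default grant")
```

Pinning to a SHA is not a substitute for reviewing the action; it only guarantees that what ran in review is what runs later.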
Reporting a Vulnerability
No one should be using the code in this repository for anything, but if you are for some reason doing so and you notice a problem, please create an issue in the repository’s issue tracker.