From 8e66e34ccb36a8b2521f7a6220cce25ec020fcfd Mon Sep 17 00:00:00 2001 From: za Date: Mon, 3 Jan 2022 13:48:48 +0700 Subject: [PATCH 1/7] Update authorizing-oauth-apps.md Replace localhost with 127.0.0.1 --- .../apps/building-oauth-apps/authorizing-oauth-apps.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/developers/apps/building-oauth-apps/authorizing-oauth-apps.md b/content/developers/apps/building-oauth-apps/authorizing-oauth-apps.md index d390f9c8e5..2779cd7e7f 100644 --- a/content/developers/apps/building-oauth-apps/authorizing-oauth-apps.md +++ b/content/developers/apps/building-oauth-apps/authorizing-oauth-apps.md @@ -298,10 +298,10 @@ subdirectory of the callback URL. The optional `redirect_uri` parameter can also be used for localhost URLs. If the application specifies a localhost URL and a port, then after authorizing the application users will be redirected to the provided URL and port. The `redirect_uri` does not need to match the port specified in the callback url for the app. -For the `http://localhost/path` callback URL, you can use this `redirect_uri`: +For the `http://127.0.0.1/path` callback URL, you can use this `redirect_uri`: ``` -http://localhost:1234/path +http://127.0.0.1:1234/path ``` ## Creating multiple tokens for OAuth Apps From e0471a9d76ee201e801b94aa96e55d31f5efd978 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 31 Jan 2022 11:47:06 -0800 Subject: [PATCH 2/7] Add reference to scorecards scorecards can find issues related to token permissions and actions not pinned. --- .../security-guides/security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index 13e8802953..0318732f5e 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md 
+++ b/content/actions/security-guides/security-hardening-for-github-actions.md @@ -152,7 +152,7 @@ The scripts currently depend on the CodeQL JavaScript libraries, which means tha ### Restricting permissions for tokens -To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[Modifying the permissions for the GITHUB_TOKEN](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token)." +To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[Modifying the permissions for the GITHUB_TOKEN](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token)". To automatically push findings for token permissions to the Security tab of your project, consider using the [OpenSSF Scorecards action](https://github.blog/2022-01-19-reducing-security-risk-oss-actions-opensff-scorecards-v4/). Scorecards is an automated security tool that flags risky supply chain practices. {% ifversion fpt or ghec or ghae-issue-4856 %} From 9756942440292925d407b7ddaabf58a7b3512f5c Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Wed, 2 Feb 2022 12:11:50 -0800 Subject: [PATCH 3/7] Update security-hardening-for-github-actions.md Add a new section for scorecards --- .../security-guides/security-hardening-for-github-actions.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index 0318732f5e..4ec52af591 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md 
@@ -202,6 +202,10 @@ The same principles described above for using third-party actions also apply to {% data reusables.actions.outside-collaborators-internal-actions %} For more information, see "[Sharing actions and workflows with your enterprise](/actions/creating-actions/sharing-actions-and-workflows-with-your-enterprise)." {% endif %} +## Using OpenSSF Scorecards to secure workflows + +Scorecards is an automated security tool that flags risky supply chain practices. You can use the Scorecards [GitHub Action](https://github.com/marketplace/actions/ossf-scorecard-action) and [starter workflow](https://github.com/actions/starter-workflows) to follow best security practices. Once configured, the Scorecards Action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in code scanning experience. The Scorecards project makes a number of checks, including script injection attacks, token permissions, and pinned Actions. + ## Potential impact of a compromised runner These sections consider some of the steps an attacker can take if they're able to run malicious commands on a {% data variables.product.prodname_actions %} runner. From 691b0d2d7846b469f5a43cf84e0f85a4b14383c0 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Wed, 2 Feb 2022 12:20:35 -0800 Subject: [PATCH 4/7] Revert earlier changes First commit had included scorecards within token permissions. New commit adds it as a new section. So reverting changes from first commit. --- .../security-guides/security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index 4ec52af591..81db8372f6 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md 
@@ -152,7 +152,7 @@ The scripts currently depend on the CodeQL JavaScript libraries, which means tha ### Restricting permissions for tokens -To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[Modifying the permissions for the GITHUB_TOKEN](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token)". To automatically push findings for token permissions to the Security tab of your project, consider using the [OpenSSF Scorecards action](https://github.blog/2022-01-19-reducing-security-risk-oss-actions-opensff-scorecards-v4/). Scorecards is an automated security tool that flags risky supply chain practices. +To help mitigate the risk of an exposed token, consider restricting the assigned permissions. For more information, see "[Modifying the permissions for the GITHUB_TOKEN](/actions/reference/authentication-in-a-workflow#modifying-the-permissions-for-the-github_token)." {% ifversion fpt or ghec or ghae-issue-4856 %} From b719372dea098044b688db094cde6986f9e7cd44 Mon Sep 17 00:00:00 2001 From: Daz DeBoer Date: Thu, 3 Feb 2022 12:02:31 -0700 Subject: [PATCH 5/7] Update for gradle/gradle-build-action@v2.1.3 --- .../building-and-testing-java-with-gradle.md | 6 +++--- .../publishing-java-packages-with-gradle.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md b/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md index 1160178a3c..ff3f745117 100644 --- a/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md +++ b/content/actions/automating-builds-and-tests/building-and-testing-java-with-gradle.md 
@@ -69,7 +69,7 @@ jobs: - name: Validate Gradle wrapper uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b - name: Build with Gradle - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build ``` @@ -106,7 +106,7 @@ steps: - name: Validate Gradle wrapper uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b - name: Run the Gradle package task - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: -b ci.gradle package ``` @@ -135,7 +135,7 @@ steps: - name: Validate Gradle wrapper uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b - name: Build with Gradle - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: build - uses: actions/upload-artifact@v2 diff --git a/content/actions/publishing-packages/publishing-java-packages-with-gradle.md b/content/actions/publishing-packages/publishing-java-packages-with-gradle.md index b406a3b1a0..41f661c6f7 100644 --- a/content/actions/publishing-packages/publishing-java-packages-with-gradle.md +++ b/content/actions/publishing-packages/publishing-java-packages-with-gradle.md @@ -96,7 +96,7 @@ jobs: - name: Validate Gradle wrapper uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b - name: Publish package - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: publish env: 
@@ -167,7 +167,7 @@ jobs: - name: Validate Gradle wrapper uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b - name: Publish package - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: publish env: @@ -246,7 +246,7 @@ jobs: - name: Validate Gradle wrapper uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b - name: Publish package - uses: gradle/gradle-build-action@4137be6a8bf7d7133955359dbd952c0ca73b1021 + uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 with: arguments: publish env: {% raw %} From c842b23ff35dcb4e7885c2e242fa4e9371158462 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 7 Feb 2022 12:09:59 -0800 Subject: [PATCH 6/7] Update content/actions/security-guides/security-hardening-for-github-actions.md Thanks for the suggestion... Co-authored-by: Edward Thomson --- .../security-guides/security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index 81db8372f6..81a6b0471e 100644 --- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md 
@@ -204,7 +204,7 @@ The same principles described above for using third-party actions also apply to ## Using OpenSSF Scorecards to secure workflows -Scorecards is an automated security tool that flags risky supply chain practices. You can use the Scorecards [GitHub Action](https://github.com/marketplace/actions/ossf-scorecard-action) and [starter workflow](https://github.com/actions/starter-workflows) to follow best security practices. Once configured, the Scorecards Action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in code scanning experience. The Scorecards project makes a number of checks, including script injection attacks, token permissions, and pinned Actions. +Scorecards is an automated security tool that flags risky supply chain practices. You can use the [Scorecards action](https://github.com/marketplace/actions/ossf-scorecard-action) and [starter workflow](https://github.com/actions/starter-workflows) to follow best security practices. Once configured, the Scorecards action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in code scanning experience. The Scorecards project makes a number of checks, including script injection attacks, token permissions, and pinned actions. ## Potential impact of a compromised runner From 8c3524acf44146517fce976f4f2507d1094737b5 Mon Sep 17 00:00:00 2001 From: Varun Sharma Date: Mon, 7 Feb 2022 15:35:34 -0800 Subject: [PATCH 7/7] Update security-hardening-for-github-actions.md Added a link to scorecard repo, and modified "makes a number of checks" to "runs a number of checks" --- .../security-guides/security-hardening-for-github-actions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/actions/security-guides/security-hardening-for-github-actions.md b/content/actions/security-guides/security-hardening-for-github-actions.md index 81a6b0471e..eacf476ed3 100644 
--- a/content/actions/security-guides/security-hardening-for-github-actions.md +++ b/content/actions/security-guides/security-hardening-for-github-actions.md @@ -204,7 +204,7 @@ The same principles described above for using third-party actions also apply to ## Using OpenSSF Scorecards to secure workflows -Scorecards is an automated security tool that flags risky supply chain practices. You can use the [Scorecards action](https://github.com/marketplace/actions/ossf-scorecard-action) and [starter workflow](https://github.com/actions/starter-workflows) to follow best security practices. Once configured, the Scorecards action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in code scanning experience. The Scorecards project makes a number of checks, including script injection attacks, token permissions, and pinned actions. +[Scorecards](https://github.com/ossf/scorecard) is an automated security tool that flags risky supply chain practices. You can use the [Scorecards action](https://github.com/marketplace/actions/ossf-scorecard-action) and [starter workflow](https://github.com/actions/starter-workflows) to follow best security practices. Once configured, the Scorecards action runs automatically on repository changes, and alerts developers about risky supply chain practices using the built-in code scanning experience. The Scorecards project runs a number of checks, including script injection attacks, token permissions, and pinned actions. ## Potential impact of a compromised runner
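Review bot: in patch 1/7 the hunk at `@@ -298,10 +298,10 @@` changes the callback URL and `redirect_uri` examples from `localhost` to `127.0.0.1` but leaves the surrounding prose unchanged, so the section still says "The optional `redirect_uri` parameter can also be used for localhost URLs" and "If the application specifies a localhost URL and a port" while the example no longer shows one. Either update the prose to cover both the hostname and the loopback IP literal ("localhost or loopback IP URLs"), or keep the example as `http://localhost/path` and add the `127.0.0.1` form as a second example. The commit message ("Replace localhost with 127.0.0.1") gives no reason for the swap and does not say whether the port-mismatch rule described in the context lines applies identically to an IP-literal callback; a one-line rationale in the commit body would let a reviewer confirm the doc still matches the server behaviour.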
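Review bot: in patch 2/7 the hunk at `@@ -152,7 +152,7 @@` moves the period outside the closing quote (`...github_token)".`) while every other citation visible in this series keeps it inside (`...enterprise)."`), so the change introduces an inconsistency the later revert has to undo. The new sentence also links "OpenSSF Scorecards action" to a github.blog announcement rather than to the action or project itself; a reader following the link for setup instructions lands on a blog post. Check that the slug `opensff-scorecards-v4` resolves as written, and prefer linking the action (the marketplace URL used in patch 3/7) with the blog post, if wanted, as a secondary "For more information" reference.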
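Review bot: patch 4/7 ("Revert earlier changes") exactly undoes the single hunk of patch 2/7, restoring the original `."` punctuation and removing the Scorecards sentence from "Restricting permissions for tokens", so the two commits cancel out and add noise to the history. Squash 2/7 and 4/7 (or drop both) before merge so the series consists of the Gradle pin update and the one commit that introduces the new Scorecards section.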
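Review bot: in patch 5/7 all six `uses: gradle/gradle-build-action@...` hunks replace the pinned SHA `4137be6a...` with `937999e9...`, but the commit message is the only place that says this corresponds to `v2.1.3`; the workflow examples themselves give readers no way to tell which release a 40-character SHA maps to. Since these are example workflows in the same docs set that tells users to pin third-party actions to a full commit SHA, add the release as a trailing comment on each line so the pin stays auditable, e.g. `uses: gradle/gradle-build-action@937999e9cc2425eddc7fd62d1053baf041147db7 # v2.1.3`. The unchanged `gradle/wrapper-validation-action@e6e38bac...` lines in the same hunks would benefit from the same treatment, and a link to the upstream release in the commit body would let a reviewer verify that the new SHA is the tagged commit rather than an arbitrary one.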
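Review bot: in patch 3/7 the new section at `@@ -202,6 +202,10 @@` says Scorecards "alerts developers about risky supply chain practices using the built-in code scanning experience" without saying what that requires; the text removed in patch 4/7 was more concrete ("push findings ... to the Security tab of your project"). State that the action uploads its results as code scanning alerts that appear under the repository's Security tab, so readers understand that code scanning must be available for the repository before the alerts show up, and say what happens on repositories where it is not. Also reconsider the placement: the section lands between the "{% endif %}" closing the enterprise-sharing block and "Potential impact of a compromised runner", so it is the last hardening measure before the impact discussion; if the intent is that Scorecards checks the preceding guidance (token permissions, pinned actions), a one-sentence lead-in saying so would tie it to the sections above.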
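Review bot: patches 3/7, 6/7 and 7/7 each rewrite the same paragraph under "## Using OpenSSF Scorecards to secure workflows" (wording, "Action" to "action", the repo link and "makes" to "runs"), so they should be squashed into one commit that introduces the final text. On the final wording in 7/7: the phrase "flags risky supply chain practices" appears twice in four sentences (first and third), and "to follow best security practices" says little; drop one occurrence and replace the vague clause with what the starter workflow actually does (for example, that it runs the checks on a schedule and on pushes). The list "checks, including script injection attacks, token permissions, and pinned actions" mixes an attack, a setting and a good practice as if they were the same kind of thing; phrase each as the condition the check flags: workflows vulnerable to script injection, over-broad token permissions, and actions that are not pinned to a full-length commit SHA, which also lines up with the "Using third-party actions" and "Restricting permissions for tokens" sections earlier in this file.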