diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b2974e49d..c5e77bf4b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -31,4 +31,69 @@ updates:
 groups:
 github-actions:
 patterns:
- - "*"
\ No newline at end of file
+ - "*"
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.Core/src
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.Core/tests
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/examples/Fido2SampleCode
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/examples/OathSampleCode
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/examples/PivSampleCode
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/examples/SharedSampleCode
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/examples/U2fSampleCode
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/src
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/tests/integration
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/tests/sandbox
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/tests/unit
+ schedule:
+ interval: daily
+
+ - package-ecosystem: nuget
+ directory: /Yubico.YubiKey/tests/utilities
+ schedule:
+ interval: daily
diff --git a/.github/workflows/build-nativeshims.yml b/.github/workflows/build-nativeshims.yml
index 8970eba2c..149e3161d 100644
--- a/.github/workflows/build-nativeshims.yml
+++ b/.github/workflows/build-nativeshims.yml
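Review bot: The thirteen new nuget entries will each open a separate PR for the same package bump (the tests/* and examples/* projects almost certainly share test-framework and analyzer packages), whereas the existing github-actions entry groups everything; add a `groups:` block with `patterns: ["*"]` to the nuget entries, or at least one group for the test and example directories, so a single bump is one reviewable PR. With `interval: daily` and no delay, every PR also pulls a release on the day it is published, which is exactly the window in which a compromised package does the most damage; if your Dependabot version supports it, a `cooldown:` with `default-days:` on these entries (docker and actions included) gives upstream time to catch and yank bad releases. The `docker` entry at `/` is what keeps the digest pin in the Dockerfile current, so keep it even if the nuget entries are consolidated.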
@@ -29,11 +29,19 @@ on:
 schedule:
 - cron: '0 0 * * *' # Every day at midnight
+permissions:
+ contents: read
+
 jobs:
 build-windows:
 name: Build Windows
 runs-on: windows-2022
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
@@ -79,6 +87,11 @@ jobs:
 name: Build Linux (amd64)
 runs-on: ubuntu-24.04
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
@@ -231,6 +244,11 @@ jobs:
 name: Build Linux (arm64)
 runs-on: ubuntu-24.04
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
@@ -304,7 +322,7 @@ jobs:
 bash ./build-linux-arm64.sh
 fi
 - name: Set up QEMU for ARM64 testing
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 with:
 platforms: arm64
 - name: Test on Ubuntu 18.04 (glibc 2.27)
@@ -387,6 +405,11 @@ jobs:
 name: Build macOS
 runs-on: macos-14
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
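Review bot: `egress-policy: audit` only records outbound connections and blocks nothing, so as written none of these steps prevents a compromised build dependency or script from exfiltrating the job's `GITHUB_TOKEN` or any publish credential used later in this workflow; audit is the right first step, but plan to move these jobs to `egress-policy: block` with an `allowed-endpoints:` list once a few runs have produced the baseline. Separately, harden-runner's network instrumentation is documented primarily for Linux GitHub-hosted runners; confirm it actually does something on the `windows-2022` and `macos-14` jobs, because if it is a no-op there the step name "Audit all outbound calls" overstates coverage, and a comment such as `# NOTE: verify harden-runner instruments this OS; it may be a no-op on macOS/Windows` would save the next reader the trip. The job bodies continue beyond these hunks.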
@@ -421,6 +444,11 @@ jobs:
 PACKAGE_VERSION: ${{ github.event.inputs.version != '' && github.event.inputs.version || '1.0.0' }}
 GITHUB_REPO_URL: https://github.com/${{ github.repository }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Download contents, set metadata and package
 uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 - run: |
@@ -460,6 +488,11 @@ jobs:
 packages: write
 if: ${{ github.event.inputs.push-to-dev == 'true' }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 with:
 name: NuGet Package NativeShims
diff --git a/.github/workflows/build-pull-requests.yml b/.github/workflows/build-pull-requests.yml
index 52ab19b9b..3e4ce8335 100644
--- a/.github/workflows/build-pull-requests.yml
+++ b/.github/workflows/build-pull-requests.yml
@@ -47,6 +47,11 @@ jobs:
 needs: run-tests
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b08e17032..58abc6d9a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -48,6 +48,9 @@ on:
 schedule:
 - cron: '0 0 * * *' # Every day at midnight
+permissions:
+ contents: read
+
 jobs:
 run-tests:
 name: Run tests
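Review bot: build-pull-requests.yml receives only the harden-runner step in this hunk, while the sibling workflows in this patch (build-nativeshims.yml, build.yml, claude.yml, the test-*.yml files) also gain a top-level `permissions:` block; if this file does not already set one above the hunk, its jobs run with the repository's default token permissions, which can be read-write. Add `permissions:` / `contents: read` at the top level, with job-level grants only where a job needs more, so the hardening is uniform. The same check applies to codeql-analysis.yml, deploy-docs.yml, test.yml and upload-docs.yml, which likewise get no `permissions:` change in this patch. The job header is outside the hunk, so this is inferred from what is visible.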
@@ -76,6 +79,11 @@ jobs:
 symbols-packages-id: ${{ steps.symbols-upload.outputs.artifact-id }}
 assemblies-id: ${{ steps.assemblies-upload.outputs.artifact-id }}
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
@@ -187,6 +195,11 @@ jobs:
 contents: read
 packages: write
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 with:
 name: Nuget Packages
@@ -209,6 +222,11 @@ jobs:
 needs: [run-tests, build-artifacts, publish-internal, upload-docs]
 if: always()
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Generate build summary
 env:
 # Pass job results into the environment
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
index 64e5fbe76..91b08c700 100644
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -10,6 +10,9 @@ on:
 pull_request_review:
 types: [submitted]
+permissions:
+ contents: read
+
 jobs:
 claude:
 if: |
@@ -25,6 +28,11 @@ jobs:
 id-token: write
 actions: read # Required for Claude to read CI results on PRs
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 2661b92f3..b8546b4e5 100644
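Review bot: A job-level `permissions:` map replaces the workflow-level one entirely rather than merging with it, so the new top-level `contents: read` in claude.yml does not constrain the `claude` job at all; that job is governed solely by the block visible in the second hunk (`id-token: write`, `actions: read`, plus whatever precedes them above the hunk). This is the job where egress control matters most: it runs an agent with an OIDC-capable token on `pull_request_review` events, and `egress-policy: audit` will log but not stop a prompt-injected tool call from sending that token or repository contents elsewhere. Consider `egress-policy: block` with `allowed-endpoints:` limited to github.com, api.github.com and the model API host for this one job even if the other workflows stay in audit mode, and add a comment on the job-level block noting that it overrides the top-level default. The job's `if:` condition and remaining steps are outside the hunk.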
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -54,6 +54,11 @@ jobs:
 runs-on: windows-2022
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 000000000..d9284f67a
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index f6135d57c..a6a309006 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
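Review bot: The checkout in the new dependency-review.yml differs from every other checkout in this patch: it is pinned to `actions/checkout@34e11487… # v4.3.1` rather than the v6.0.0 SHA used elsewhere, and it omits `persist-credentials: false`, so the job token is left in `.git/config` on the runner for the remainder of the job even though the scan does not need it. Use the same pin and add `with:` / `persist-credentials: false` to match the rest of the repository. `dependency-review-action` is run with defaults; if the header's promise that "PRs introducing known-vulnerable packages will be blocked from merging" is meant to hold, the run has to be made a required status check in branch protection, and `fail-on-severity:` and `comment-summary-in-pr: always` are worth setting so the policy and the finding are both visible in the PR. `runs-on: ubuntu-latest` also floats while the build jobs elsewhere pin `ubuntu-24.04`.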
@@ -26,6 +26,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Check out current repo
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
@@ -82,6 +87,11 @@ jobs:
 needs: deploy
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Checkout
 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 0eb0df465..bf7e0e54d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -34,6 +34,11 @@ jobs:
 # actions: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: "Checkout code"
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
@@ -74,6 +79,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@497990dfed22177a82ba1bbab381bc8f6d27058f # v3.31.6
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/test-macos.yml b/.github/workflows/test-macos.yml
index f414e7b4e..8bafbaac1 100644
--- a/.github/workflows/test-macos.yml
+++ b/.github/workflows/test-macos.yml
@@ -18,6 +18,9 @@ on:
 workflow_dispatch:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 test:
 name: MacOS
@@ -27,6 +30,11 @@ jobs:
 packages: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/test-ubuntu.yml b/.github/workflows/test-ubuntu.yml
index 9a0bf445a..6abd15d77 100644
--- a/.github/workflows/test-ubuntu.yml
+++ b/.github/workflows/test-ubuntu.yml
@@ -18,6 +18,9 @@ on:
 workflow_dispatch:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Ubuntu
@@ -27,6 +30,11 @@ jobs:
 packages: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml
index 0c9d90be4..6b5958522 100644
--- a/.github/workflows/test-windows.yml
+++ b/.github/workflows/test-windows.yml
@@ -18,6 +18,9 @@ on:
 workflow_dispatch:
 workflow_call:
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Windows
@@ -27,6 +30,11 @@ jobs:
 contents: read
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7390c18c7..75d0f8924 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -82,6 +82,11 @@ jobs:
 if: inputs.build-coverage-report == true
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 - name: Combine Coverage Reports # This is because one report is produced per project, and we want one result for all of them.
 uses: danielpalme/ReportGenerator-GitHub-Action@dcdfb6e704e87df6b2ed0cf123a6c9f69e364869 # 5.5.0
@@ -121,6 +126,11 @@ jobs:
 if: github.event_name == 'pull_request'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - name: Download coverage results
 uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 with:
@@ -139,6 +149,11 @@ jobs:
 if: github.event_name == 'pull_request'
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
 - name: "Add PR Comment: Test Results (Windows)"
diff --git a/.github/workflows/upload-docs.yml b/.github/workflows/upload-docs.yml
index fb3b0e5c1..164a1ddd0 100644
--- a/.github/workflows/upload-docs.yml
+++ b/.github/workflows/upload-docs.yml
@@ -44,6 +44,11 @@ jobs:
 image-hash: ${{ steps.push_image.outputs.imagehash }}
 steps:
 # Checkout the local repository as we need the Dockerfile and other things even for this step.
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
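Review bot: In the upload-docs.yml hunk the comment `# Checkout the local repository as we need the Dockerfile and other things even for this step.` now sits directly above the inserted harden-runner step instead of the `actions/checkout` step it explains, because the new step was placed between them; the next reader will take it as describing the hardening step. Move the comment down so it immediately precedes `- uses: actions/checkout@1af3b93b… # v6.0.0`, or insert the harden-runner step above the comment as the other hunks in this patch effectively do. This is the only hunk in the patch where a comment was bound to the step that got displaced.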
diff --git a/.github/workflows/verify-code-style.yml b/.github/workflows/verify-code-style.yml
index b1fd15548..1cd62be0d 100644
--- a/.github/workflows/verify-code-style.yml
+++ b/.github/workflows/verify-code-style.yml
@@ -27,12 +27,20 @@ on:
 # - '**.csproj'
 # - '**.sln'
 # - '.github/workflows/check-code-formatting.yml'
+permissions:
+ contents: read
+
 jobs:
 verify-code-style:
 name: "Verify code style"
 runs-on: windows-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+ with:
+ egress-policy: audit
+
 - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 with:
 persist-credentials: false
diff --git a/Dockerfile b/Dockerfile
index bea9986d0..c9ba14e22 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM nginx:alpine
+FROM nginx:alpine@sha256:b3c656d55d7ad751196f21b7fd2e8d4da9cb430e32f646adcf92441b72f82b14
 ARG UID=1000
 ARG GID=1000
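Review bot: When an image reference carries both a tag and a digest the engine resolves by digest and ignores the tag, so `FROM nginx:alpine@sha256:b3c656d5…` now pins one exact image while the floating `alpine` tag next to it says nothing about which nginx release that is, and a reviewer of the next Dependabot digest bump cannot tell from the diff what actually changed. Prefer a versioned tag beside the digest, `FROM nginx:<major.minor>-alpine@sha256:…`, so Dependabot bumps the digest within a known release line, and add a trailing comment with the resolved version the same way the workflows annotate action SHAs (`# v6.0.0`). This pin only stays useful because the new `docker` Dependabot entry at `/` exists; if that entry is ever removed the digest will silently go stale, which is worth a one-line comment above the `FROM`.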