diff --git a/.github/workflows/check-actions.yaml b/.github/workflows/check-actions.yaml index e409405f..7bd7aabe 100644 --- a/.github/workflows/check-actions.yaml +++ b/.github/workflows/check-actions.yaml @@ -11,6 +11,11 @@ jobs: check: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Ensure SHA pinned actions diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..ea4d0002 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml index 025e4e74..c95a1edb 100644 --- a/.github/workflows/main.yaml +++ b/.github/workflows/main.yaml @@ -11,6 +11,11 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - name: Setup Go diff --git a/.github/workflows/pr-build.yaml b/.github/workflows/pr-build.yaml index 05b5899f..73170c54 100644 --- a/.github/workflows/pr-build.yaml +++ b/.github/workflows/pr-build.yaml @@ -13,6 +13,11 @@ jobs: build: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - name: Setup Go @@ -73,6 +78,11 @@ jobs: matrix: profile: ${{ fromJson(needs.build.outputs.profiles) }} steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - name: Download exporter container diff --git a/.github/workflows/pr-chart.yaml b/.github/workflows/pr-chart.yaml index 1f488498..7a862f4a 100644 --- a/.github/workflows/pr-chart.yaml +++ b/.github/workflows/pr-chart.yaml @@ -8,6 +8,11 @@ jobs: lint-test: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 with: diff --git a/.github/workflows/pr-label.yaml b/.github/workflows/pr-label.yaml index 703bff7d..0355fbf4 100644 --- a/.github/workflows/pr-label.yaml +++ b/.github/workflows/pr-label.yaml @@ -10,6 +10,11 @@ jobs: permissions: pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: size-label uses: "pascalgn/size-label-action@b1f4946f381d38d3b5960f76b514afdfef39b609" env: diff --git a/.github/workflows/pr-nancy.yaml b/.github/workflows/pr-nancy.yaml index 64d5d227..21a2233f 100644 --- a/.github/workflows/pr-nancy.yaml +++ b/.github/workflows/pr-nancy.yaml @@ -16,6 +16,11 @@ jobs: runs-on: ubuntu-latest name: Nancy steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - name: Setup Go diff --git a/.github/workflows/pr-trivy.yaml b/.github/workflows/pr-trivy.yaml index 93f9d4be..3f151d4b 100644 --- a/.github/workflows/pr-trivy.yaml +++ b/.github/workflows/pr-trivy.yaml @@ -7,6 +7,11 @@ jobs: trivy: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Trivy fs scan uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2 with: diff --git a/.github/workflows/rebase.yaml b/.github/workflows/rebase.yaml index 35f5a105..36a6de42 100644 --- a/.github/workflows/rebase.yaml +++ b/.github/workflows/rebase.yaml @@ -13,6 +13,11 @@ jobs: if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase') && (github.event.comment.author_association == 'CONTRIBUTOR' || github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER') runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout the latest code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 with: diff --git a/.github/workflows/release-chart.yaml b/.github/workflows/release-chart.yaml index c7c89a3a..c2e4fa20 100644 --- a/.github/workflows/release-chart.yaml +++ b/.github/workflows/release-chart.yaml @@ -14,6 +14,11 @@ jobs: packages: write id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7b3f6b1a..5f7da88c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -14,6 +14,11 @@ jobs: name: Build runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout code uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 with: diff --git a/.github/workflows/report-on-vulnerabilities.yaml b/.github/workflows/report-on-vulnerabilities.yaml index 6532562f..6cc8fd6e 100644 --- a/.github/workflows/report-on-vulnerabilities.yaml +++ b/.github/workflows/report-on-vulnerabilities.yaml @@ -17,6 +17,11 @@ jobs: outputs: results: ${{ steps.parse-results.outputs.results }} steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Scan for vulnerabilities uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.8.0 (Trivy v0.34.0) with: @@ -55,6 +60,11 @@ jobs: permissions: issues: write steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Download scan diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml index aa46660e..96baaf27 100644 --- a/.github/workflows/scan.yaml +++ b/.github/workflows/scan.yaml @@ -15,6 +15,11 @@ jobs: name: FOSSA runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - name: Run FOSSA scan and upload build data uses: fossa-contrib/fossa-action@6728dc6fe9a068c648d080c33829ffbe56565023 # v2.0.0 @@ -29,6 +34,11 @@ jobs: contents: read # for actions/checkout to fetch code security-events: write # for codeQL to write security events steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3 - name: Initialize CodeQL diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 9eca2364..9a9871d1 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -16,6 +16,11 @@ jobs: security-events: write id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..919f2c44 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,14 @@ +repos: +- repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks +- repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint +- repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace diff --git a/Dockerfile b/Dockerfile index d4a30528..d15c8953 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM gcr.io/distroless/static:nonroot +FROM gcr.io/distroless/static:nonroot@sha256:9ecc53c269509f63c69a266168e4a687c7eb8c0cfd753bd8bfcaa4f58a90876f WORKDIR / COPY mongodb-query-exporter mongodb-query-exporter EXPOSE 9412