nodejs / api-docs-tooling

Node.js's tooling for API generation
https://nodejs.org/api
MIT License
5 stars 5 forks source link

[StepSecurity] ci: Harden GitHub Actions #114

Closed step-security-bot closed 1 month ago

step-security-bot commented 1 month ago

Summary

This pull request is created by StepSecurity at the request of @AugustinMauroy. Please merge the Pull Request to incorporate the requested changes. Please tag @AugustinMauroy on your message if you have any questions related to the PR.

Security Fixes

Least Privileged GitHub Actions Token Permissions

The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN.

GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access.

Harden runner usage You can find link to view insights and policy recommendation in the build log Please refer to [documentation](https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security) to find more details.

Feedback

For bug reports, feature requests, and general feedback; please email support@stepsecurity.io. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot bot@stepsecurity.io