empayre/fleet
14
0
Fork 0
mirror of https://github.com/empayre/fleet.git synced 2024-11-06 00:45:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

[StepSecurity] Apply security best practices (#17811)

Browse Source
This commit is contained in:
StepSecurity Bot 2024-03-22 14:19:11 -07:00 committed by GitHub
parent 6ebc308eb4
commit 80335d88d1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 67 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
.github/workflows/dependency-review.yml vendored Normal file
View File

@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: 'Checkout Repository'
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: 'Dependency Review'
uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1

35
.pre-commit-config.yaml Normal file
View File

@ -0,0 +1,35 @@
repos:
- repo: https://github.com/digitalpulp/pre-commit-php
rev: 1.4.0
hooks:
- id: php-lint-all
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/golangci/golangci-lint
rev: v1.52.2
hooks:
- id: golangci-lint
- repo: https://github.com/jumanjihouse/pre-commit-hooks
rev: 3.0.0
hooks:
- id: RuboCop
- id: shellcheck
- repo: https://github.com/pocc/pre-commit-hooks
rev: v1.3.5
hooks:
- id: cpplint
- repo: https://github.com/pre-commit/mirrors-eslint
rev: v8.38.0
hooks:
- id: eslint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
- repo: https://github.com/pylint-dev/pylint
rev: v2.17.2
hooks:
- id: pylint

2
ee/vulnerability-dashboard/Dockerfile
View File

@ -1,5 +1,5 @@
# Use the official Node.js 14 image as a base # Use the official Node.js 14 image as a base
FROM node:20 FROM node:20@sha256:e06aae17c40c7a6b5296ca6f942a02e6737ae61bbbf3e2158624bb0f887991b5
# Set the working directory in the container # Set the working directory in the container
WORKDIR /usr/src/app WORKDIR /usr/src/app

4
infrastructure/kubequery/Dockerfile
View File

@ -5,7 +5,7 @@
# #
# SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only) # SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
FROM ubuntu:20.04 AS builder FROM ubuntu:20.04@sha256:80ef4a44043dec4490506e6cc4289eeda2d106a70148b74b5ae91ee670e9c35d AS builder
ARG BASEQUERY_VERSION=5.0.2 ARG BASEQUERY_VERSION=5.0.2
@ -15,7 +15,7 @@ RUN dpkg -i /tmp/basequery.deb
# ===== # =====
FROM uptycs/busybox:v1.33.0 FROM uptycs/busybox:v1.33.0@sha256:6a312f5959d374420eedce83f42d2ad19a027bd4e448ed734372bc1a07ad8b10
ARG BASEQUERY_VERSION ARG BASEQUERY_VERSION
ARG KUBEQUERY_VERSION ARG KUBEQUERY_VERSION

2
server/mdm/scep/Dockerfile
View File

@ -1,4 +1,4 @@
FROM alpine:3 FROM alpine:3@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
COPY ./scepclient-linux-amd64 /usr/bin/scepclient COPY ./scepclient-linux-amd64 /usr/bin/scepclient
COPY ./scepserver-linux-amd64 /usr/bin/scepserver COPY ./scepserver-linux-amd64 /usr/bin/scepserver

2
tools/tuf/test/Dockerfile
View File

@ -1,4 +1,4 @@
FROM debian:bookworm-slim FROM debian:bookworm-slim@sha256:ccb33c3ac5b02588fc1d9e4fc09b952e433d0c54d8618d0ee1afadf1f3cf2455
WORKDIR /usr/src/app WORKDIR /usr/src/app