From d5f086763e83c1bd2946a0a9eb02c4a7de091ef8 Mon Sep 17 00:00:00 2001
From: "stepsecurity-app[bot]" <188008098+stepsecurity-app[bot]@users.noreply.github.com>
Date: Mon, 4 May 2026 15:04:49 +0000
Subject: [PATCH 1/2] [StepSecurity] Apply security best practices
Signed-off-by: StepSecurity Bot
---
 .github/dependabot.yml | 498 +++++++++++++++++++
 .github/workflows/build.yml | 14 +-
 .github/workflows/build_v5_screener_imgs.yml | 14 +-
 .github/workflows/ci_build.yml | 27 +-
 .github/workflows/test.yml | 12 +-
 .pre-commit-config.yaml | 16 +
 nextjs/Dockerfile | 6 +-
 7 files changed, 569 insertions(+), 18 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..393959a4
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,498 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /express4 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /express5 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /fastify3 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /fastify4 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + 
- '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /fastify4ts + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /hapi18 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /hapi19 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /hapi20 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /hapi21 + schedule: 
+ interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /koa2 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /koa3 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /kraken + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /loopback + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + 
cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /loopback4 + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /nextjs + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: / + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /restify + schedule: + interval: daily + groups: + dev-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: development + production-dependencies: + applies-to: version-updates + patterns: + - '*' + dependency-type: production + cooldown: + default-days: 7 + semver-major-days: 30 + semver-minor-days: 14 + semver-patch-days: 5 + include: + - '*' + exclude: + - react + + - package-ecosystem: npm + directory: /sails + schedule: + interval: daily + groups: + 
dev-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: development
+ production-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: production
+ cooldown:
+ default-days: 7
+ semver-major-days: 30
+ semver-minor-days: 14
+ semver-patch-days: 5
+ include:
+ - '*'
+ exclude:
+ - react
+
+ - package-ecosystem: npm
+ directory: /test-bench-utils
+ schedule:
+ interval: daily
+ groups:
+ dev-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: development
+ production-dependencies:
+ applies-to: version-updates
+ patterns:
+ - '*'
+ dependency-type: production
+ cooldown:
+ default-days: 7
+ semver-major-days: 30
+ semver-minor-days: 14
+ semver-patch-days: 5
+ include:
+ - '*'
+ exclude:
+ - react
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d571490f..ea8acd72 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
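Review bot: The new dependabot.yml has no `package-ecosystem: docker` entry, yet the same patch pins `nextjs/Dockerfile` to an immutable `node:alpine@sha256:…` digest; with nothing configured to bump that digest it will drift from upstream node/alpine security releases indefinitely, and the `directory: /nextjs` npm entry does not cover the base image. Add `- package-ecosystem: docker`, `directory: /nextjs`, `schedule: {interval: weekly}` alongside the existing entries. The `dependency-type` groups and the `exclude: - react` cooldown under the `github-actions` entry look copy-pasted from the npm template — harmless, but as far as I know meaningless for actions, and worth dropping so the intent is clear. Separately, the `build.yml` matrix in this same patch builds an app named `koa` that has no npm entry here; if that directory still exists its manifests are unmonitored.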
@@ -14,17 +17,22 @@ jobs:
 apps: [express4,express5,fastify3,hapi18,hapi19,hapi20,koa,kraken,loopback,loopback4,restify,sails]
 version: [14, 16, 18, 20]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
 - name: Login to Amazon ECR
 id: login-ecr
- uses: aws-actions/amazon-ecr-login@v1
+ uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
 - name: Build, tag, and push image ${{ matrix.apps }} version ${{ matrix.version }} to Amazon ECR
 env:
diff --git a/.github/workflows/build_v5_screener_imgs.yml b/.github/workflows/build_v5_screener_imgs.yml
index dcd4df20..23c22a04 100644
--- a/.github/workflows/build_v5_screener_imgs.yml
+++ b/.github/workflows/build_v5_screener_imgs.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches:
 - main
+permissions:
+ contents: read
+
 jobs:
 build-and-push:
 runs-on: ubuntu-latest
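Review bot: The harden-runner step added at the top of build-and-push uses `egress-policy: audit`, which only records outbound calls and blocks nothing, while the same job holds long-lived AWS keys from secrets and a fresh ECR login; a compromised npm dependency or action in this job could still exfiltrate those. Once one audit run has produced the endpoint list, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list covering at least the ECR, STS and npm registry hosts the build actually contacts. Relatedly, `aws-actions/configure-aws-credentials` is now pinned to a SHA on the v1 line, which freezes the workflow on a major that is several releases behind; when Dependabot proposes that bump, replace the static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` with OIDC (`role-to-assume` plus `id-token: write` on the job) so no long-lived key lives in the repo secrets. The Build step's body continues outside the hunk.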
@@ -14,17 +17,22 @@ jobs:
 apps: [express4,express5,fastify3,fastify4,koa2,koa3,hapi20,hapi21]
 version: [18, 20, 22, 24]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
 - name: Login to Amazon ECR
 id: login-ecr
- uses: aws-actions/amazon-ecr-login@v1
+ uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
 - name: Build, tag, and push image ${{ matrix.apps }} version ${{ matrix.version }} to Amazon ECR
 env:
diff --git a/.github/workflows/ci_build.yml b/.github/workflows/ci_build.yml
index f4544f43..6c649563 100644
--- a/.github/workflows/ci_build.yml
+++ b/.github/workflows/ci_build.yml
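Review bot: The pin on the Checkout step resolves to `actions/checkout` v2.7.0, while the sibling workflows in this same patch are pinned to v3.6.0 (`f43a0e5f…`); the v2 line is, as far as I know, built on a Node runtime that GitHub-hosted runners have deprecated, so freezing it by SHA bakes that in rather than merely removing tag mutability. Use the same pin as build.yml, `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0`, so one Dependabot PR later moves every workflow together. As in build.yml, `egress-policy: audit` observes but does not restrict egress for a job holding AWS keys; plan the switch to `block` with `allowed-endpoints` once the audit output has been reviewed. The Build step continues outside the hunk.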
@@ -7,22 +7,30 @@ on:
 pull_request:
 types:
 - labeled
+permissions:
+ contents: read
+
 jobs:
 build-test-bench-utils:
 if: ${{ github.event.label.name == 'ci-test' }}
 runs-on: ubuntu-latest
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Clone repo
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up Node v${{ matrix.version }}
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
 - name: Build test-bench-utils
 run: |
 cd test-bench-utils
 mkdir artifacts
 npm pack
 - name: Upload artifacts
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
 with:
 name: contrast-test-bench-utils.tgz
 path: test-bench-utils/contrast-test-bench-utils-*.tgz
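Review bot: The Upload artifacts step is pinned to `actions/upload-artifact` v2.3.1; GitHub announced that v1 and v2 of the artifact actions stopped working on GitHub-hosted runners during 2024 (confirm against the current deprecation notice), so this SHA pin freezes a step that is probably already failing rather than making it safer. Move to the v4 line — `uses: actions/upload-artifact@<sha of a v4 release> # v4.x.y` — and bump `download-artifact` in the consuming job in the same change, since v4 artifacts are not readable by older download majors. With `permissions: contents: read` now set at workflow level this job needs no additional scopes for upload, so no `permissions:` override is required here.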
@@ -36,22 +44,27 @@ jobs:
 apps: [express4,express5,fastify3,fastify4,hapi18,hapi19,hapi20,koa,kraken,loopback,loopback4,restify,sails]
 version: [14, 16, 18, 20]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Download test-bench-utils
- uses: actions/download-artifact@v2
+ uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
 with:
 name: contrast-test-bench-utils.tgz
 path: ${{ matrix.apps }}/
 - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
 with:
 aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
 - name: Login to Amazon ECR
 id: login-ecr
- uses: aws-actions/amazon-ecr-login@v1
+ uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1.7.1
 - name: Build, tag, and push image ${{ matrix.apps }} version ${{ matrix.version }} to Amazon ECR
 env:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fe012f3a..2b636938 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: ["*"]
+permissions:
+ contents: read
+
 jobs:
 test:
 name: Node v${{ matrix.version }}
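Review bot: `actions/download-artifact` is pinned here to v2.1.1, the same deprecated artifact-action line as the upload step in the first job; if GitHub's removal of the v1/v2 artifact actions applies (announced for 2024 — confirm), the `Download test-bench-utils` step fails before any image is built or pushed. Bump it together with the upload step to a v4 pin, `uses: actions/download-artifact@<sha of a v4 release> # v4.x.y`, because the two majors must match for the artifact to be readable. This job also pushes to ECR from a `pull_request`-triggered workflow with static AWS keys under an audit-only egress policy; the OIDC and `egress-policy: block` remarks on build.yml apply here as well. The job header with its `if:` gate and the Build step both lie outside the hunk.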
@@ -14,10 +17,15 @@ jobs:
 matrix:
 version: [18, 20, 22, 24]
 steps:
+ - name: Harden the runner (Audit all outbound calls)
+ uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ with:
+ egress-policy: audit
+
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 - name: Set up Node v${{ matrix.version }}
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
 with:
 node-version: ${{ matrix.version }}
 - name: Install dependencies
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index ccae4ae6..f03dcef2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -7,3 +7,19 @@ repos:
 language: python
 entry: detect-secrets-hook
 args: ['--baseline', '.secrets.baseline']
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.16.3
+ hooks:
+ - id: gitleaks
+ - repo: https://github.com/jumanjihouse/pre-commit-hooks
+ rev: 3.0.0
+ hooks:
+ - id: shellcheck
+ - repo: https://github.com/pre-commit/mirrors-eslint
+ rev: v8.38.0
+ hooks:
+ - id: eslint
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v4.4.0
+ hooks:
+ - id: end-of-file-fixer
diff --git a/nextjs/Dockerfile b/nextjs/Dockerfile
index 44fc7b03..4496c848 100644
--- a/nextjs/Dockerfile
+++ b/nextjs/Dockerfile
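Review bot: This test job is the best candidate in the patch for enforcing rather than auditing egress: it holds no cloud secrets and its steps need only GitHub, the npm registry and whatever the test script fetches, so `egress-policy: audit` could become `egress-policy: block` with an `allowed-endpoints:` list (`github.com:443`, `api.github.com:443`, `registry.npmjs.org:443` at minimum, confirmed from one audit run). Starting enforcement on the secret-free workflow gives a low-risk place to validate the allow-list before applying it to the ECR-publishing jobs. The Install dependencies step continues outside the hunk.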
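Review bot: The four hooks added here are client-side only: nothing in the workflows touched by this patch runs `pre-commit run --all-files`, so a contributor who skips the hook (or never installs it) bypasses gitleaks entirely and the secret scan is not an enforced control. Add a CI step that runs the same config — e.g. `run: pipx run pre-commit run --all-files --show-diff-on-failure` after checkout in test.yml — or run gitleaks as its own action on every pull request. gitleaks also overlaps with the existing detect-secrets hook kept above; decide which baseline is authoritative so one tool's allow-list (`.secrets.baseline`) does not mask the other's findings.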
@@ -1,19 +1,19 @@
 # Install dependencies only when needed
-FROM node:alpine AS deps
+FROM node:alpine@sha256:bdf2cca6fe3dabd014ea60163eca3f0f7015fbd5c7ee1b0e9ccb4ced6eb02ef4 AS deps
 RUN apk add --no-cache libc6-compat
 WORKDIR /app
 COPY package.json package-lock.json ./
 RUN npm ci
 # Rebuild the source code only when needed
-FROM node:alpine AS builder
+FROM node:alpine@sha256:bdf2cca6fe3dabd014ea60163eca3f0f7015fbd5c7ee1b0e9ccb4ced6eb02ef4 AS builder
 WORKDIR /app
 COPY . .
 COPY --from=deps /app/node_modules ./node_modules
 RUN npm run build && npm install --production --ignore-scripts
 # Production image, copy all the files and run next
-FROM node:alpine AS runner
+FROM node:alpine@sha256:bdf2cca6fe3dabd014ea60163eca3f0f7015fbd5c7ee1b0e9ccb4ced6eb02ef4 AS runner
 WORKDIR /app
 ENV NODE_ENV production
From 4b4468117fd9a6ce306a8ee9283b4ad2584f7580 Mon Sep 17 00:00:00 2001
From: Naomi not Niomi
Date: Wed, 13 May 2026 13:06:40 -0400
Subject: [PATCH 2/2] Update .pre-commit-config.yaml
---
 .pre-commit-config.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f03dcef2..c604b774 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -8,18 +8,14 @@ repos:
 entry: detect-secrets-hook
 args: ['--baseline', '.secrets.baseline']
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.16.3
+ rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e # v8.30.1
 hooks:
 - id: gitleaks
- - repo: https://github.com/jumanjihouse/pre-commit-hooks
- rev: 3.0.0
- hooks:
- - id: shellcheck
 - repo: https://github.com/pre-commit/mirrors-eslint
- rev: v8.38.0
+ rev: 9158d5162f915488785c296b5d08d6d18be10d32 # v10.3.0
 hooks:
 - id: eslint
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v4.4.0
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
 hooks:
 - id: end-of-file-fixer
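Review bot: All three `FROM` lines pin the digest but keep the floating `node:alpine` tag, so the pin is opaque — nothing in the file says which Node major or Alpine release the digest resolves to, unlike the `# vX.Y.Z` comments the same patch adds to the workflow pins, and no `docker` Dependabot entry exists to move it. Pin a versioned tag matching the Node major the app is built for and resolve the digest for that tag, e.g. `FROM node:22-alpine@sha256:<digest for that tag> AS deps  # node 22.x / alpine 3.x`, and repeat for the builder and runner stages (a single `ARG BASE_IMAGE=...` consumed by all three `FROM`s keeps them in lockstep). Whether the runner stage drops root with `USER` is outside the hunk.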
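Review bot: The bare SHAs in `rev:` will be rewritten back to mutable tags the next time anyone runs `pre-commit autoupdate` unless the pins follow pre-commit's frozen convention; write them as `rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e  # frozen: v8.30.1` (and likewise for the eslint and pre-commit-hooks entries) so `autoupdate --freeze` maintains them and reviewers can see which tag each SHA claims to be. The shellcheck hook is removed with no replacement; if the repository has any shell scripts (the workflow `run:` steps are inline, so this may be moot) that lint coverage is lost silently and deserves a line in the commit message. None of the three SHAs can be verified from this page; check that each resolves to the tag named in its comment in the upstream repository before merging.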