[StepSecurity] Apply security best practices #1010
step-security-bot wants to merge 1 commit into nodejs:main from
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Codecov Report: All modified lines are covered by tests ✅ (full report available in Codecov by Sentry.)
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 |
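Review bot: the trailing `# v4.1.0` comment on the pinned `uses:` line must stay in sync with the SHA on every future bump; Dependabot reads that comment to work out which release the SHA corresponds to and rewrites both together, so a missing or stale comment is what makes SHA pinning the noisy, hand-maintained chore the thread worries about. Before merging, confirm that `8ade135a41bc03ea155e62e844d188df1ea18608` is the commit the `v4.1.0` tag resolves to, e.g. with `git ls-remote --tags https://github.com/actions/checkout v4.1.0` (for an annotated tag the peeled `^{}` entry is the commit SHA).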
This imo is like pinning deps in package.json; not worth the trouble. We won’t get bugfixes and whatnot automatically by doing this.
Unless this bot also sends PRs (or some other bot does). Seems very noisy, tho...
dependabot works with pinned actions too. We're extensively using it already on nodejs/core. See: nodejs/security-wg#1126
It does indeed, but that makes it very noisy. I don’t think it’s worth it, especially for official GitHub actions.
Summary
This pull request is created by Secure Repo at the request of @RafaelGSS. Please merge the Pull Request to incorporate the requested changes. Please tag @RafaelGSS on your message if you have any questions related to the PR. You can also engage with the StepSecurity team by tagging @step-security-bot.
Refs: nodejs/security-wg#859
Security Fixes
Least Privileged GitHub Actions Token Permissions
The GITHUB_TOKEN is an automatically generated secret that workflows use to make authenticated calls to the GitHub API. GitHub recommends setting the minimum token permissions the workflow needs for the GITHUB_TOKEN.
Pinned Dependencies
GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.
Add OpenSSF Scorecard Workflow
OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.
Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.
Feedback
For bug reports, feature requests, and general feedback, please create an issue in step-security/secure-repo. To create such PRs, please visit https://app.stepsecurity.io/securerepo.
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
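The two checks the PR description asks for (SHA-pinned actions and a least-privilege GITHUB_TOKEN) are easy to verify mechanically before a workflow is merged. The script below is an added example written for this page; it is not StepSecurity's Secure Repo tooling nor anything from the nodejs repository. It scans a workflow file line by line (no PyYAML dependency, which is enough for the conventional layout of workflow files), flags any remote `uses:` reference that is not a 40-hex-character commit SHA, flags SHA pins that lack the `# vX.Y.Z` comment Dependabot relies on, and reports whether the top-level `permissions:` policy is read-only. The two workflow texts at the bottom are constructed for the example: the "hardened" one reuses the actions/checkout pin from this PR's diff and adds a hypothetical `example-org/lint-action` with a placeholder all-zero SHA.

```python
"""Audit GitHub Actions workflows for unpinned actions and a missing or
overly broad top-level `permissions:` setting for GITHUB_TOKEN.

Added example, not StepSecurity's or nodejs's code. The workflow texts at
the bottom are constructed for this example.
"""
import re

# `- uses: owner/repo@ref  # optional comment`; the capture stops at whitespace or '#'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length commit SHA is exactly 40 hex characters. Tags, branches and
# abbreviated SHAs are all mutable references and count as unpinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Top-level `permissions:` sits at column 0. An empty value means a block follows.
TOP_PERMISSIONS_RE = re.compile(r"^permissions:\s*(.*)$")
# One scope line inside a permissions block, e.g. `  contents: read`.
SCOPE_RE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*(?:#.*)?$")


def audit_workflow(text: str) -> dict:
    """Scan one workflow file and report pinning and permission findings."""
    unpinned = []            # (line number, reference) for mutable refs
    missing_comment = []     # SHA-pinned but no `# vX.Y.Z` hint for Dependabot
    top_permissions = None   # None = absent, str = inline value, dict = block
    in_block = False

    for n, line in enumerate(text.splitlines(), 1):
        if in_block:
            m = SCOPE_RE.match(line)
            if m:
                top_permissions[m.group(1)] = m.group(2)
                continue
            in_block = False  # first non-scope line ends the block

        m = TOP_PERMISSIONS_RE.match(line)
        if m:
            value = m.group(1).split("#", 1)[0].strip()
            if value:
                top_permissions = value  # e.g. read-all, write-all, {}
            else:
                top_permissions = {}
                in_block = True
            continue

        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local or container actions are out of scope here
        _, at, version = ref.rpartition("@")
        if not at or not SHA_RE.match(version):
            unpinned.append((n, ref))
        elif "#" not in line:
            missing_comment.append((n, ref))

    return {
        "unpinned": unpinned,
        "missing_version_comment": missing_comment,
        "top_permissions": top_permissions,
    }


def top_level_is_read_only(perms) -> bool:
    """True when a top-level permissions policy exists and grants no write
    access. Individual jobs that need more can elevate on their own."""
    if perms is None:
        return False
    if isinstance(perms, str):
        return perms in ("read-all", "{}")
    return all(level in ("read", "none") for level in perms.values())


def is_hardened(text: str) -> bool:
    """Both checks pass: every remote action is SHA-pinned and the token is
    read-only by default."""
    report = audit_workflow(text)
    return not report["unpinned"] and top_level_is_read_only(report["top_permissions"])


# Constructed "before" workflow: tag/branch references, no permissions policy.
WEAK_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - run: npm test
"""

# Constructed "after" workflow: read-only token, SHA pins with version comments.
# The lint-action name and all-zero SHA are placeholders, not a real action.
HARDENED_WORKFLOW = """\
name: CI
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - uses: example-org/lint-action@0000000000000000000000000000000000000000 # v1.2.3 (placeholder)
      - run: npm test
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, audit_workflow(wf), "hardened:", is_hardened(wf))
```

Running it against a real `.github/workflows/*.yml` tree is a matter of reading each file and calling `audit_workflow`; a non-empty `unpinned` list or a `write-all` top-level policy is what the Secure Repo PR above is fixing. The `missing_version_comment` list is worth gating on too: without that comment Dependabot cannot tell which release a SHA pin represents, which is the part of pinned-action maintenance the review thread objects to.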