build: permissions monitoring

[ramirezj]

Summary by CodeRabbit

• New Features

  • Added a manual execution trigger for the Scorecard workflow.
  • Introduced a new badge for the OpenSSF Scorecard in the README, providing a quick security assessment.

• Bug Fixes

  • Updated permissions structure across workflows to ensure correct access levels and enhance security.

• Documentation

  • Enhanced README documentation with a badge linking to the OpenSSF Scorecard viewer.

[coderabbitai]

Walkthrough

The pull request introduces modifications to three GitHub Actions workflow files, enhancing security measures and updating permissions. Key changes include the addition of a workflow_dispatch trigger in .github/workflows/scorecard.yml, adjustments to permissions in the analysis job, and updates to the "Harden Runner" step. The .github/workflows/speculative-plan.yaml file sees changes to job permissions and the introduction of a new environment variable in the trivy job. Additionally, a badge for the OpenSSF Scorecard is added to the README.md file.

Changes

File Path	Change Summary
.github/workflows/scorecard.yml	- Added workflow_dispatch trigger. - Updated permissions in job analysis. - Added disable-sudo: true in "Harden Runner" step. - Changed egress-policy to block in "Harden Runner" step. - Added allowed-endpoints in "Harden Runner" step.
.github/workflows/speculative-plan.yaml	- Updated permissions from contents: read to {}. - Defined security-events: write in trivy job. - Added trivy_sarif environment variable for SARIF results output path. - Updated persist-credentials: false in validate, tflint, and terraform-cloud-speculative-run jobs.
.github/workflows/dependency-review.yml	- Added persist-credentials: false in the Checkout Repository step.
README.md	- Added OpenSSF Scorecard badge linking to the Scorecard viewer.

Possibly related PRs

• fix: repoint Trivy to use ECR mirror #273: The changes in the speculative-plan.yaml file regarding the permissions structure and the trivy job's permissions for security-events: write are related to the main PR's updates to job permissions in the scorecard.yml file, indicating a focus on security event handling in GitHub Actions workflows.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between e313762 and ae09933.

📒 Files selected for processing (4)

• .github/workflows/dependency-review.yml (1 hunks)
• .github/workflows/scorecard.yml (2 hunks)
• .github/workflows/speculative-plan.yaml (5 hunks)
• README.md (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• README.md

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/speculative-plan.yaml

🔇 Additional comments (4)

.github/workflows/dependency-review.yml (1)

26-27: Excellent security enhancement!

Setting persist-credentials: false is a good security practice that prevents the persistence of GitHub token credentials, thereby reducing the potential attack surface. This change aligns well with the principle of least privilege.

.github/workflows/scorecard.yml (3)

8-10: Excellent security improvements to workflow permissions!

The addition of workflow_dispatch provides needed flexibility, whilst the empty permissions object (permissions: {}) follows the principle of least privilege by requiring explicit permission grants. This is a robust security practice.

---

Line range hint 16-20: Well-structured minimal permissions configuration!

The explicit permission grants are properly scoped with clear documentation explaining their necessity. This follows security best practices by providing only the required access levels:

• contents: read for repository access
• security-events: write for uploading scan results
• id-token: write for publishing results and badge generation

---

26-39: Robust security hardening with comprehensive egress controls!

Excellent security improvements:

• Disabled sudo access prevents privilege escalation
• Blocking egress with explicit allowlist follows zero-trust principles
• All endpoints use secure HTTPS (port 443)

Let's verify these endpoints are sufficient for the workflow:

✅ Verification successful

The allowed endpoints list appears complete and secure

The verification shows that the workflow file only contains documentation URLs in comments, with no additional endpoints required for the actual execution. The allowed endpoints list covers all essential services needed for the Scorecard Action:

• GitHub API and web services
• Security-related APIs (deps.dev, osv.dev, scorecard.dev)
• Sigstore services for signing (fulcio, rekor, tuf-repo)
• OpenSSF services (bestpractices.dev)
• Google Storage for OSS-Fuzz logs

The hardening configuration with disabled sudo and blocked egress is properly implemented with a comprehensive allowlist.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the workflow doesn't require additional endpoints

# Test: Search for any URLs or domains in the scorecard-action repository
# that might need to be added to allowed-endpoints
gh api repos/ossf/scorecard-action/contents/action.yml --raw | grep -E "https?://[^[:space:]/]+" || true

Length of output: 1469

---

Script:

#!/bin/bash
# Let's try a different approach to verify the endpoints
# 1. Check the workflow file itself for any URLs
rg -i "https?://[^\s/]+" .github/workflows/scorecard.yml

# 2. Check if there are any other workflow files that might give us insights
fd "\.ya?ml$" .github/workflows/ --exec cat {} \; | rg -i "https?://[^\s/]+"

# 3. Look for any configuration files that might contain URLs
fd "config|\.ya?ml$" . --exclude .github/workflows | rg -i "https?://[^\s/]+"

Length of output: 771

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (3)

.github/workflows/dependency-review.yml (1)

19-19: Document the purpose of the permissions monitoring step.

Consider adding a comment above this step to explain its purpose and benefits, maintaining consistency with the well-documented nature of this workflow file.

Add documentation like this:

+      # Monitor GitHub Actions permissions to enhance security
       - uses: GitHubSecurityLab/actions-permissions/monitor@v1

.github/workflows/scorecard.yml (1)

21-21: Consider pinning to a specific commit SHA

For enhanced security and reproducibility, consider pinning the action to a full commit SHA instead of using the version tag @v1. This aligns with the practice used for other actions in this workflow.

Example:

-      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      - uses: GitHubSecurityLab/actions-permissions/monitor@<full-commit-sha>

.github/workflows/speculative-plan.yaml (1)

Line range hint 117-121: Consider reducing permissions scope.

The issues:write permission appears unnecessary as creating PR comments only requires pull-requests:write. Consider removing it to align with the principle of least privilege.

Apply this change:

    permissions:
      contents: read
      pull-requests: write
-     issues: write

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between 67b6544 and c31b38e.

📒 Files selected for processing (3)

• .github/workflows/dependency-review.yml (1 hunks)
• .github/workflows/scorecard.yml (1 hunks)
• .github/workflows/speculative-plan.yaml (4 hunks)

🔇 Additional comments (6)

.github/workflows/scorecard.yml (2)

21-22: Excellent addition of permissions monitoring!

This step enhances security by monitoring permissions throughout the workflow execution, complementing the existing security measures like runner hardening and least-privilege permissions model.

---

21-22: Verify consistent implementation across workflows

Let's ensure the permissions monitoring step is consistently implemented across all mentioned workflows.

✅ Verification successful

Permissions monitoring is consistently implemented

The GitHubSecurityLab permissions monitoring action is consistently implemented across all workflows:

• All instances use the same version @v1
• Found in all three workflows: dependency-review.yml, scorecard.yml, and speculative-plan.yaml
• Properly positioned before the Harden Runner step in each workflow

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for consistent implementation of permissions monitoring across workflows

echo "Checking for permissions monitoring implementation in workflows..."
rg -l "GitHubSecurityLab/actions-permissions/monitor" .github/workflows/

Length of output: 327

---

Script:

#!/bin/bash
# Check the specific version and implementation details of the permissions monitoring step
echo "Checking implementation details across workflows..."
rg -A 2 "GitHubSecurityLab/actions-permissions/monitor" .github/workflows/

Length of output: 1542

.github/workflows/speculative-plan.yaml (4)

47-48: Same version pinning issue as above.

The monitoring action needs to be pinned to a specific SHA.

---

Line range hint 76-78: Appropriate permission scope for SARIF uploads.

The security-events: write permission is correctly scoped for uploading Trivy results to the code-scanning dashboard.

---

89-90: Same version pinning issue as above.

The monitoring action needs to be pinned to a specific SHA.

---

133-134: Same version pinning issue as above.

The monitoring action needs to be pinned to a specific SHA.

[github-actions]

Terraform Cloud Plan Output

Plan: 0 to add, 0 to change, 0 to destroy.
Terraform Cloud Plan

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud