From a038b7b01645b7f9f83eb88cd1b12a0748234893 Mon Sep 17 00:00:00 2001
From: vasu1124
Date: Thu, 14 Mar 2024 18:39:54 +0100
Subject: [PATCH] apply security best practices
---
 .github/dependabot.yml | 16 +++++++
 .github/workflows/build.yml | 6 ++-
 .github/workflows/codeql.yml | 8 ++++
 .github/workflows/reuse.yml | 8 ++++
 .github/workflows/scorecard.yml | 75 ++++++++++++++++++---------------
 Dockerfile | 2 +-
 pkg/operator/useless/Dockerfile | 2 +-
 7 files changed, 79 insertions(+), 38 deletions(-)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..109ccb36
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: monthly
+
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: monthly
+
+ - package-ecosystem: gomod
+ directory: /
+ schedule:
+ interval: monthly
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9d6e68c6..11515e25 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -37,9 +37,13 @@ jobs:
 # DOCKER_TARGET_PLATFORM: linux/amd64,linux/arm/v7
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
 - name: Check out cache
- uses: actions/cache@v3
+ uses: actions/cache@v4
 with:
 path: |
 ~/go/pkg/mod
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a75c0531..45cfc26b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -20,6 +20,9 @@ on:
 branches: [ "main" ]
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
@@ -48,6 +51,11 @@ jobs:
 # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@v4
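Review bot: The `docker` entry only watches `directory: /`, so the second Dockerfile this same patch touches, `pkg/operator/useless/Dockerfile`, will never get base-image update PRs from Dependabot. Add a second docker entry: `- package-ecosystem: docker` / `directory: /pkg/operator/useless` / `schedule: { interval: monthly }`. If that directory also carries its own go.mod (not visible here), the `gomod` entry has the same gap. Note that these schedules drive version updates only; Dependabot security updates are enabled per repository in the security settings, not in this file.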
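Review bot: `step-security/harden-runner@v2` and `actions/cache@v4` are referenced by mutable major-version tags, so a force-moved or compromised tag would execute unreviewed code with this job's token; the Scorecard workflow this patch also configures will score this against the repository under Pinned-Dependencies. Pin each action to its full commit SHA with the version as a trailing comment, `uses: step-security/harden-runner@<full-sha> # v2.x.y`, and let the new `github-actions` Dependabot entry keep SHA and comment in sync. `egress-policy: audit` only records outbound connections; once a baseline run lists the endpoints, switch to `egress-policy: block` with an `allowed-endpoints` list so the runner actually enforces something. The `steps:` list of this job continues past the end of the hunk.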
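Review bot: The workflow-level `permissions: contents: read` is a good default, but the `analyze` job's own permissions block sits outside this hunk and the `upload-sarif` step needs `security-events: write` (and `actions: read` on private repositories) at job level; confirm that block is still present or the upload will fail with a 403. In the second hunk Harden Runner is again `@v2` in `audit` mode, which logs but does not block; CodeQL's query-pack downloads are among the outbound calls that will need allow-listing once `egress-policy: block` is enabled. The surrounding `analyze` job starts above and continues below the hunk.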
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index 4e39574e..49d58b0e 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -8,6 +8,9 @@ on:
 branches: [ "main" ]
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 reuse:
 name: reuse
@@ -18,6 +21,11 @@ jobs:
 security-events: write
 steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 93e13605..7f9d8075 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
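Review bot: The job-level `security-events: write` visible as context at the top of the second hunk now sits under a workflow-level `contents: read`, which is the intended narrowing, but the job's permissions block begins above the hunk; check that nothing else the reuse step relied on (e.g. `pull-requests: write` for commenting) was dropped. Placing Harden Runner as the very first step is correct, since it has to start before checkout to observe all egress, but in `audit` mode it enforces nothing; after the first run, convert its report into `egress-policy: block` plus an `allowed-endpoints:` block listing only the hosts the REUSE step actually contacts. The `@v2` tag reference should also become a commit SHA for the same reason as in the other workflows.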
@@ -32,42 +32,47 @@ jobs:
 # actions: read
 steps:
- - name: "Checkout code"
- uses: actions/checkout@v4
- with:
- persist-credentials: false
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
- - name: "Run analysis"
- uses: ossf/scorecard-action@v2.3.1
- with:
- results_file: results.sarif
- results_format: sarif
- # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
- # - you want to enable the Branch-Protection check on a *public* repository, or
- # - you are installing Scorecard on a *private* repository
- # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
- # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+ - name: "Checkout code"
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- # Public repositories:
- # - Publish results to OpenSSF REST API for easy access by consumers
- # - Allows the repository to include the Scorecard badge.
- # - See https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories:
- # - `publish_results` will always be set to `false`, regardless
- # of the value entered here.
- publish_results: true
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
- # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
- # format to the repository Actions tab.
- - name: "Upload artifact"
- uses: actions/upload-artifact@v4.3.1
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
- # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v3.24.7
- with:
- sarif_file: results.sarif
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@v4.3.1
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@v3.24.7
+ with:
+ sarif_file: results.sarif
diff --git a/Dockerfile b/Dockerfile
index f0cd72ad..317d8ae6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
-FROM golang:1.21-alpine as builder
+FROM golang:1.22-alpine as builder
 ARG gitVersion=0.0.0-dev
 ARG gitCommit=0000000000000000000000000000000000000000
 ARG gitTreeState="dirty"
diff --git a/pkg/operator/useless/Dockerfile b/pkg/operator/useless/Dockerfile
index 7ba3c597..a9c51f0d 100644
--- a/pkg/operator/useless/Dockerfile
+++ b/pkg/operator/useless/Dockerfile
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Build the manager binary
-FROM golang:1.21 as builder
+FROM golang:1.22 as builder
 ARG TARGETOS
 ARG TARGETARCH
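Review bot: Apart from the five new Harden Runner lines, this hunk is a re-indentation of every existing step, so the diff shows 42 removed and 47 added lines for what is functionally a one-step addition; a whitespace-only commit followed by the functional one would have been far easier to review and bisect. `ossf/scorecard-action@v2.3.1`, `actions/upload-artifact@v4.3.1` and `github/codeql-action/upload-sarif@v3.24.7` stay tag-pinned, and Scorecard's Pinned-Dependencies check counts only full-SHA references as pinned, so this workflow will report the finding against itself until each becomes `uses: owner/action@<full-sha> # vX.Y.Z`. `persist-credentials: false` on the checkout step is correctly preserved, as scorecard-action's documentation requires. With `publish_results: true` the run contacts the OpenSSF REST API described in the retained comments in addition to the GitHub API, so those hosts must be allow-listed before `egress-policy: audit` is tightened to `block`.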