Add security improvements (#181)

* Add OSSF Scorecard (#179)

* Create scorecard.yml

* Add badge

* disable publishing

* [StepSecurity] Apply security best practices (#180)

* [StepSecurity] Apply security best practices

Signed-off-by: StepSecurity Bot <[email protected]>

* Update .pre-commit-config.yaml

* Update dependabot.yml

* Delete .github/workflows/dependency-review.yml

---------

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: Matthias Mair <[email protected]>

---------

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: StepSecurity Bot <[email protected]>

.github/dependabot.yml

@@ -0,0 +1,36 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /docker
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /docs
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: npm
+    directory: /src/frontend
+    schedule:
+      interval: daily

.github/workflows/docker.yaml

@@ -24,8 +24,14 @@ on:
     branches:
       - 'master'
 
+permissions:
+  contents: read
+
 jobs:
   paths-filter:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     name: Filter
     runs-on: ubuntu-latest
 

.github/workflows/qc_checks.yaml

@@ -112,7 +112,7 @@ jobs:
           pip install -r docs/requirements.txt
           python docs/ci/check_mkdocs_config.py
       - name: Check Links
-        uses: gaurav-nelson/github-action-markdown-link-check@v1
+        uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
         with:
           folder-path: docs
           config-file: docs/mlc_config.json
@@ -187,20 +187,20 @@ jobs:
               version: ${{ needs.schema.outputs.version }}
 
             steps:
-              - uses: actions/checkout@v4
+              - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
                 with:
                     repository: inventree/schema
                     token: ${{ secrets.SCHEMA_PAT }}
               - name: Download schema artifact
-                uses: actions/download-artifact@v3
+                uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
                 with:
                   name: schema.yml
               - name: Move schema to correct location
                 run: |
                   echo "Version: $version"
                   mkdir export/${version}
                   mv schema.yml export/${version}/api.yaml
-              - uses: stefanzweifel/git-auto-commit-action@v5
+              - uses: stefanzweifel/git-auto-commit-action@8756aa072ef5b4a080af5dc8fef36c5d586e521d # v5.0.0
                 with:
                   commit_message: "Update API schema for ${version}"
 

.github/workflows/stale.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: '24 11 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
 

.pre-commit-config.yaml

@@ -71,3 +71,11 @@ repos:
       - "@typescript-eslint/eslint-plugin@latest"
       - "@typescript-eslint/parser"
     files: ^src/frontend/.*\.(js|jsx|ts|tsx)$
+-   repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.3
+    hooks:
+    -   id: gitleaks
+-   repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 3.0.0
+    hooks:
+    -   id: shellcheck