From 39eedd5d49658cbae46a2102ff41420d7d66da04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Victor=20Botelho=20Gon=C3=A7alves?= Date: Tue, 7 Jul 2026 10:36:35 +0100 Subject: [PATCH 1/2] ci: pin action dependencies and update project roadmap (#62) - Pin all GitHub Action versions to exact commit SHAs across build, release, and scorecard workflows to comply with OpenSSF Scorecard 'Pinned-Dependencies'. - Mark Community baseline (Governance, Code of Conduct) and OSSF Best Practices self-certification as complete in README.md and ROADMAP.md. --- .github/workflows/build.yml | 48 +++++++++++++++++---------------- .github/workflows/lint.yml | 2 +- .github/workflows/release.yml | 14 +++++----- .github/workflows/scorecard.yml | 8 +++--- README.md | 6 ++--- docs/ROADMAP.md | 6 ++--- 6 files changed, 44 insertions(+), 40 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7032e95..69d5abe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,6 +17,8 @@ env: BUILD_CONFIG_REL: 'Release' BUILD_CONFIG_DBG: 'Debug' +permissions: read-all + jobs: build-and-test: name: Build & Test (${{ matrix.os }}) @@ -34,15 +36,15 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: submodules: recursive - - name: Setup .NET 10 (Preview) - uses: actions/setup-dotnet@v5 + - name: Setup .NET 10 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: dotnet-version: ${{ env.DOTNET_VERSION }} - dotnet-quality: 'preview' + dotnet-quality: 'ga' cache: true cache-dependency-path: | **/*.csproj @@ -74,14 +76,14 @@ jobs: run: dotnet test ${{ env.SOLUTION_NAME }} --configuration ${{ env.BUILD_CONFIG_REL }} --no-build --verbosity normal --logger "trx;LogFileName=test-results-${{ matrix.os }}.trx" --blame-hang-timeout 5m --collect:"XPlat Code Coverage" --results-directory ./coverage/${{ matrix.os }} - name: Upload Test Results - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: always() with: name: test-results-${{ matrix.os }} path: '**/test-results-*.trx' - name: Upload coverage to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage/${{ matrix.os }}/**/coverage.cobertura.xml @@ -93,15 +95,15 @@ jobs: needs: build-and-test steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: submodules: recursive - - name: Setup .NET 10 (Preview) - uses: actions/setup-dotnet@v5 + - name: Setup .NET 10 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: dotnet-version: ${{ env.DOTNET_VERSION }} - dotnet-quality: 'preview' + dotnet-quality: 'ga' cache: true cache-dependency-path: | **/*.csproj @@ -122,7 +124,7 @@ jobs: run: dotnet pack ${{ env.SOLUTION_NAME }} --configuration ${{ env.BUILD_CONFIG_REL }} --no-build --output ./artifacts/packages - name: Upload packages - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: nuget-packages path: | @@ -140,15 +142,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: submodules: recursive - name: Setup .NET 10 - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: dotnet-version: ${{ env.DOTNET_VERSION }} - dotnet-quality: 'preview' + dotnet-quality: 'ga' cache: true cache-dependency-path: | **/*.csproj @@ -187,7 +189,7 @@ jobs: run: dotnet format ${{ env.SOLUTION_NAME }} --verify-no-changes --verbosity diagnostic --exclude ./modules --no-restore - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4 with: languages: csharp @@ -195,7 +197,7 @@ jobs: run: dotnet build ${{ env.SOLUTION_NAME }} --configuration ${{ env.BUILD_CONFIG_REL }} --no-restore /p:UseSharedCompilation=false - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4 native-profiler-build: name: Native Profiler Build (MSVC) @@ -208,19 +210,19 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: submodules: recursive - name: Setup MSVC Developer Command Prompt - uses: ilammy/msvc-dev-cmd@v1 + uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1 # CodeQL for the native profiler: this repo's only SAST-covered C++, since # LoadLibraryW-driven chaining, IL rewriting, and raw metadata parsing live here. # build-mode: manual because the actual build happens via the CMake steps below, not an # autodetected build system. - name: Initialize CodeQL (cpp) - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4 with: languages: cpp build-mode: manual @@ -232,12 +234,12 @@ jobs: run: cmake --build src/Rasp.Native.Profiler/build - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@fb84f6228fd846d3c392887f22b18ce2d9139495 # v4 with: category: "/language:cpp" - name: Upload built DLL - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: Rasp.Native.Profiler-dll path: src/Rasp.Native.Profiler/build/*.dll @@ -258,10 +260,10 @@ jobs: cmake --build src/Rasp.Native.Profiler/build-release - name: Setup .NET 10 (for live-attach smoke test) - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: dotnet-version: ${{ env.DOTNET_VERSION }} - dotnet-quality: 'preview' + dotnet-quality: 'ga' - name: Build live-attach smoke test fixture # -p:Platform=AnyCPU overrides the `Platform=x64` environment variable left behind by diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index b8555a4..81ea84e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -15,7 +15,7 @@ jobs: name: Validate PR title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5.4.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e367fbd..51808f8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,8 @@ on: release: types: [published] +permissions: read-all + jobs: publish: name: Build, Pack & Publish @@ -19,7 +21,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: submodules: recursive fetch-depth: 0 @@ -32,10 +34,10 @@ jobs: fi - name: Setup .NET - uses: actions/setup-dotnet@v5 + uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5 with: dotnet-version: ${{ env.DOTNET_VERSION }} - dotnet-quality: 'preview' + dotnet-quality: 'ga' - name: Restore dependencies run: dotnet restore ${{ env.SOLUTION_NAME }} --locked-mode @@ -62,7 +64,7 @@ jobs: - name: Generate Changelog id: git-cliff - uses: orhun/git-cliff-action@v4 + uses: orhun/git-cliff-action@4725066927d3534d0b138e68cb5a3d0cb2d4fdf5 # v4.1.0 with: config: cliff.toml args: -vv --latest --strip header @@ -74,7 +76,7 @@ jobs: # Requests a short-lived (1h) API key from nuget.org via GitHub OIDC, per the # Trusted Publishing policy configured on nuget.org for this repo/workflow/environment. # Requested right before the push below since the temp key expires in 1h. - uses: NuGet/login@v1 + uses: NuGet/login@e41a967c3b9b46ec6fb59f232c94c921312384a6 # v1.0.1 id: nuget-login with: user: ${{ secrets.NUGET_USER }} @@ -83,7 +85,7 @@ jobs: run: dotnet nuget push "artifacts/packages/*.nupkg" --api-key "${{ steps.nuget-login.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate - name: Update GitHub Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4 with: body: ${{ steps.git-cliff.outputs.content }} files: artifacts/packages/* diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 006d534..941a7a3 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -27,12 +27,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@v2.4.0 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif @@ -45,7 +45,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: SARIF file path: results.sarif @@ -53,6 +53,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@e8e8e51caba890f74f97e228d00b0b81b666ee4c # v3 with: sarif_file: results.sarif diff --git a/README.md b/README.md index f119782..86ea306 100644 --- a/README.md +++ b/README.md @@ -292,7 +292,7 @@ features (Stage 3): a security product nobody can `dotnet add package` is a repo Before submitting: -- [ ] Community baseline: `CODE_OF_CONDUCT.md`, issue templates, `GOVERNANCE.md` still open. +- [x] Community baseline: `CODE_OF_CONDUCT.md`, issue templates, and `GOVERNANCE.md` are complete. [x] `good-first-issue` backlog seeded — [docs/good-first-issues.md](docs/good-first-issues.md) (native profiler taint-propagation targets) and [docs/good-first-issues-dotnet.md](docs/good-first-issues-dotnet.md) (.NET-only gaps). @@ -302,8 +302,8 @@ Before submitting: (not all from the same employer), so this gates the application itself. [@EderBorella](https://github.com/EderBorella) joined as collaborator and required reviewer on the `release` environment; bus factor is now 2. -- [ ] Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification — - a Lab-promotion criterion that is cheap to begin early. +- [x] Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification — + a Lab-promotion criterion that costs little to begin early. - [ ] Draft the OWASP project-page content (`index.md`, description, roadmap) in advance — the `www-project-rasp-net` repo itself is provisioned by the OWASP Foundation under `github.com/OWASP` only **after** acceptance; having content ready means the page goes diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md index 2c22bcf..fe7ade2 100644 --- a/docs/ROADMAP.md +++ b/docs/ROADMAP.md @@ -92,8 +92,8 @@ comes before new detection features (Stage 3)** — a security product nobody ca ### Before submitting -- [ ] **Community baseline:** `CODE_OF_CONDUCT.md`, issue/PR templates, `GOVERNANCE.md`, and a - `good-first-issue` backlog. Taint-propagation targets (each additional `string` method to +- [x] **Community baseline:** `CODE_OF_CONDUCT.md`, issue/PR templates, and `GOVERNANCE.md` are complete. + A `good-first-issue` backlog is seeded. Taint-propagation targets (each additional `string` method to instrument) are ideal starter issues — small, well-scoped, with an existing pattern to copy. - [ ] **Isolate the intentionally-vulnerable demo target** (`modules/`) so its known-vulnerable packages are never mistaken for product dependencies — clear labeling, separate solution @@ -101,7 +101,7 @@ comes before new detection features (Stage 3)** — a security product nobody ca - [x] **Recruit a second project leader.** Current OWASP policy requires multiple leaders (not all from the same employer), and all leaders need admin on the repository — this gates the application itself, it is not a post-acceptance nicety. -- [ ] **Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification.** +- [x] **Start the [OSSF Best Practices](https://www.bestpractices.dev/) self-certification.** A Lab-promotion criterion that costs little to begin early — it is a questionnaire, and most of the answers (license, tests, SECURITY.md, release discipline) already exist. - [ ] **Draft the OWASP project-page content** (`index.md`, description, roadmap) in advance. From 4206ff111adfb1d3a798e323798d6be4d04e0324 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Victor=20Botelho=20Gon=C3=A7alves?= Date: Tue, 7 Jul 2026 13:01:16 +0100 Subject: [PATCH 2/2] chore: merge pull request #47 from JVBotelho/develop (#64)