Skip to content
This repository was archived by the owner on Feb 1, 2025. It is now read-only.

security: analyze dependencies for malicious behavior#546

Open
varunsh-coder wants to merge 3 commits intofacebook:mainfrom
varunsh-coder:varunsh-coder-patch-1
Open

security: analyze dependencies for malicious behavior#546
varunsh-coder wants to merge 3 commits intofacebook:mainfrom
varunsh-coder:varunsh-coder-patch-1

Conversation

@varunsh-coder
Copy link
Contributor

@varunsh-coder varunsh-coder commented Mar 3, 2022

This PR

  1. Adds harden-runner GitHub Action to the workflow.
  2. Sets the token permission for the workflow to contents: read. This is a security best practice and gets you are higher Scorecard score. Your package currently has score of 5.7 out of 10
  3. Updates the branch in the workflow to main. It was set to master earlier, so the workflow was not running.

harden-runner GitHub Action detects hijacked dependencies and compromised build tools. It correlates outbound traffic with each step of the workflow so you can see what processes are calling what endpoints. This is the analysis when run on a fork: https://app.stepsecurity.io/github/varunsh-coder/regenerator/actions/runs/1928466475

You can restrict traffic to the allowed endpoints for future runs which will block calls that compromised dependencies typically make, and an annotation will be shown in such cases. You do not need to grant any permission or install any App to use this, and the action (and agent the action uses) are open source.

Information on how harden-runner could have detected past package hijacks can be found here: https://github.com/step-security/supply-chain-goat. Do share feedback to improve the harden-runner GitHub Action developer experience. Thanks!

@facebook-github-bot
Copy link

facebook-github-bot commented Mar 3, 2022

Hi @varunsh-coder!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@fb.com. Thanks!

@facebook-github-bot
Copy link

facebook-github-bot commented Mar 3, 2022

Thank you for signing our Contributor License Agreement. We can now accept your code for this (and any) Meta Open Source project. Thanks!

benjamn pushed a commit that referenced this pull request Oct 13, 2022
@varunsh-coder @benjamn
Update GitHub Actions branch to main.
d9c7095 
Cherry-picked from #546.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

CLA Signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@varunsh-coder @facebook-github-bot