
feat(gha): Update and pin "peter-evans/create-pull-request" #11674

Open · wants to merge 1 commit into base: dev
Conversation

kiblik (Contributor)

@kiblik kiblik commented Jan 27, 2025

A step forward from what #11672 already offers.


DryRun Security Summary

The GitHub Actions workflow automatically updates sample data using a scheduled or manual trigger, but raises security concerns due to hardcoded credentials, reliance on an external binary, and potential vulnerabilities in the regular update process.


Summary:

The provided GitHub Actions workflow is responsible for regularly updating the sample data file dojo/fixtures/defect_dojo_sample_data.json. This workflow runs on a schedule (the first day of January, April, July, and October at midnight UTC) or can be manually triggered. While the workflow serves a routine maintenance purpose, there are a few security considerations that should be addressed.

Firstly, the workflow uses hardcoded values for the GIT_USERNAME and GIT_EMAIL environment variables, which is generally not considered a best practice for storing sensitive information. It would be more secure to store these credentials as GitHub Secrets. Secondly, the workflow relies on an external binary called fixture-updater to update the sample data file. It's essential to ensure that this binary is trusted and does not introduce any security vulnerabilities or malicious code. Finally, the scheduled execution of the workflow means that the sample data will be updated regularly, which could potentially lead to issues if the fixture-updater binary or the update process itself introduces any security vulnerabilities.

Files Changed:

  • .github/workflows/update-sample-data.yml: This file contains the GitHub Actions workflow responsible for updating the dojo/fixtures/defect_dojo_sample_data.json file. The workflow checks out the code, runs the fixture-updater binary to update the sample data file, commits the changes to a new branch, and creates a pull request. The key security considerations are the use of hardcoded credentials, the dependency on an external binary, and the scheduled execution of the workflow.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

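The point of this PR is to pin a third-party action to an immutable commit SHA instead of a mutable tag, which is the main supply-chain mitigation for the "dependency on an external component" concern raised above. As an added example (not code from this PR or from the DefectDojo project), the script below scans a workflow file for `uses:` references and reports any third-party or first-party action that is still pinned to a tag or branch, any `docker://` image referenced by tag rather than digest, and any SHA-pinned action that lacks the usual trailing version comment. The sample workflow, its step list and the 40-hex SHA in it are constructed placeholders, not the repository's real `.github/workflows/update-sample-data.yml` or the commit this PR pins to.

```python
import re

# Constructed sample workflow for this example; it is NOT the repository's
# update-sample-data.yml, and the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: update-sample-data
on:
  schedule:
    - cron: "0 0 1 1,4,7,10 *"
  workflow_dispatch:
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - uses: peter-evans/create-pull-request@v7
      - uses: peter-evans/create-pull-request@0123456789abcdef0123456789abcdef01234567  # v7.0.5 (placeholder SHA)
      - uses: docker://alpine:3.19
"""

# One `uses:` step per line; the optional trailing comment is where the
# human-readable version that the SHA corresponds to is normally recorded.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FIRST_PARTY_PREFIXES = ("actions/", "github/")   # GitHub-maintained namespaces


def classify_uses(ref):
    """Classify a `uses:` reference as 'local', 'pinned' or 'unpinned'."""
    if ref.startswith("./"):
        return "local"                       # lives in this repo, reviewed with the PR
    if ref.startswith("docker://"):
        # An image digest is immutable; a tag such as :3.19 can be re-pushed.
        return "pinned" if "@sha256:" in ref else "unpinned"
    _, _, version = ref.rpartition("@")      # no '@' at all -> version == ref -> unpinned
    return "pinned" if SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text):
    """Return a list of findings, one per `uses:` line that is not SHA/digest pinned
    or that is pinned but has no version comment explaining which release the SHA is."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        kind = classify_uses(ref)
        if kind == "local":
            continue
        first_party = ref.startswith(FIRST_PARTY_PREFIXES)
        if kind == "unpinned":
            findings.append({"line": lineno, "ref": ref, "issue": "unpinned",
                             "first_party": first_party})
        elif not comment:
            findings.append({"line": lineno, "ref": ref, "issue": "no-version-comment",
                             "first_party": first_party})
    return findings


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        origin = "first-party" if f["first_party"] else "third-party"
        print(f"line {f['line']}: {f['issue']} ({origin}) {f['ref']}")
```

Third-party findings are the ones to act on first, since a moved tag on someone else's repository silently changes what runs with the workflow's token; first-party references are reported too so the policy is applied uniformly. Run it over a real workflow with `find_unpinned(open(path).read())`.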

@mtesauro mtesauro (Contributor) left a comment

Approved

@kiblik kiblik requested a review from Maffooch January 28, 2025 15:38

4 participants