diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index 2315798..4ab137d 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -11,7 +11,7 @@ jobs: pull-requests: read steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: disable-sudo: true egress-policy: block
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 82a059c..e39b798 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -37,15 +37,15 @@ jobs: # Learn more about CodeQL language support at https://git.io/codeql-language-support steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: egress-policy: audit - name: Checkout repository - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5 + uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5 + uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5 + uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index d1813ba..f7f3fbe 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: egress-policy: audit
diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml
index 3a05f81..b886fd9 100644
--- a/.github/workflows/int.yml
+++ b/.github/workflows/int.yml
@@ -11,27 +11,30 @@ env: GOPRIVATE: github.com/step-security jobs: integration-test: + if: github.event.repository.fork == false permissions: contents: read runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@v2 + - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: egress-policy: audit - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version: 1.24.1 - name: Configure .netrc + env: + PAT: ${{ secrets.PAT }} run: | if [[ ! -e "~/.netrc" ]]; then touch ~/.netrc fi - printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc - + printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc + - name: Create go vendor dir run: | go mod vendor
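Review bot: In the new `Configure .netrc` step the token is expanded by the shell inside the double-quoted printf format, so a `%` or a backslash sequence in `$PAT` is interpreted as a format directive instead of being written literally; pass it as an argument, `printf 'machine github.com login stepsecurity-infra-bot password %s\n' "$PAT" >>~/.netrc`, which also terminates the entry with a newline. Moving the secret out of `${{ }}` into `env:` is the right change and is not the concern here. The guard above it, `[[ ! -e "~/.netrc" ]]`, never expands the quoted tilde, so it tests a literal relative path and effectively always runs `touch`; since `>>` creates the file anyway the `if` can go, and a `chmod 600 ~/.netrc` after the write keeps the token readable only by the runner user. The same step has the same shape in the release.yml `@@ -25,18 +26,20 @@` and test.yml `@@ -12,23 +12,26 @@` hunks below.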
@@ -39,7 +42,7 @@ jobs: - run: sudo go test -v - run: go build -ldflags="-s -w" -o ./agent - name: Configure aws credentials - uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fec7a51..9b1d275 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,11 +10,12 @@ env: GOPRIVATE: github.com/step-security jobs: release: + if: github.event.repository.fork == false permissions: contents: write runs-on: ubuntu-22.04 steps: - - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 + - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1 with: allowed-endpoints: api.github.com:443
@@ -25,18 +26,20 @@ jobs: storage.googleapis.com:443 uploads.github.com:443 - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version: 1.24.1 - name: Configure .netrc + env: + PAT: ${{ secrets.PAT }} run: | if [[ ! -e "~/.netrc" ]]; then touch ~/.netrc fi - printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc + printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc - name: Create go vendor dir
@@ -44,7 +47,7 @@ jobs: go mod vendor - - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2 + - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0 with: distribution: goreleaser version: latest
diff --git a/.github/workflows/scorecard-analysis.yml b/.github/workflows/scorecard-analysis.yml
index 4bcb2ce..1feb570 100644
--- a/.github/workflows/scorecard-analysis.yml
+++ b/.github/workflows/scorecard-analysis.yml
@@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26 + uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15 with: sarif_file: results.sarif
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 542388e..2b24528 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,23 +12,26 @@ env: jobs: test: + if: github.event.repository.fork == false permissions: contents: read runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go - uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4 + uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 with: go-version: 1.24.1 - name: Configure .netrc + env: + PAT: ${{ secrets.PAT }} run: | if [[ ! -e "~/.netrc" ]]; then touch ~/.netrc fi - printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc + printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc - name: Create go vendor dir run: |
@@ -36,4 +39,4 @@ jobs: - name: Run coverage run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic - - uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865 + - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
diff --git a/config.go b/config.go
index d63f1b3..f451ec2 100644
--- a/config.go
+++ b/config.go
@@ -2,7 +2,7 @@ package main
 import (
 "encoding/json"
- "io/ioutil"
+ "os"
 "strconv"
 "strings"
@@ -50,7 +50,7 @@ type configFile struct {
 // init reads the config file for the agent and initializes config settings
 func (c *config) init(configFilePath string) error {
 var configFile configFile
- data, err := ioutil.ReadFile(configFilePath)
+ data, err := os.ReadFile(configFilePath)
 if err != nil {
 return errors.Wrap(err, "failed to read config file")
 }
diff --git a/dnsconfig.go b/dnsconfig.go
index 1c48c74..0de47aa 100644
--- a/dnsconfig.go
+++ b/dnsconfig.go
@@ -4,7 +4,6 @@ import (
 "encoding/json"
 "fmt"
 "io"
- "io/ioutil"
 "os"
 "os/exec"
 "path"
@@ -30,7 +29,7 @@ const (
 func updateDockerConfig(configPath string) error {
- data, err := ioutil.ReadFile(configPath)
+ data, err := os.ReadFile(configPath)
 if err != nil && !errors.Is(err, os.ErrNotExist) {
 return errors.Wrap(err, "failed to read config file")
 }
diff --git a/dnsconfig_test.go b/dnsconfig_test.go
index fa134db..929cbbc 100644
--- a/dnsconfig_test.go
+++ b/dnsconfig_test.go
@@ -1,7 +1,6 @@
 package main
 import (
- "io/ioutil"
 "log"
 "os"
 "path"
@@ -10,7 +9,7 @@ import (
 )
 func createTempFileWithContents(content string) string {
- file, err := ioutil.TempFile("", "*.json")
+ file, err := os.CreateTemp("", "*.json")
 if err != nil {
 log.Fatal(err)
 }
@@ -28,7 +27,7 @@ func Test_updateDockerConfig(t *testing.T) {
 configPath string
 }
 tmpFileName := createTempFileWithContents("{ \"cgroup-parent\": \"/actions_job\"}")
- mockDockerConfigPath, err := ioutil.TempDir("", "")
+ mockDockerConfigPath, err := os.MkdirTemp("", "")
 if err != nil {
 log.Fatal(err)
 }
@@ -54,7 +53,7 @@ func Test_updateDockerConfig(t *testing.T) {
 if err := updateDockerConfig(tt.args.configPath); (err != nil) != tt.wantErr {
 t.Errorf("updateDockerConfig() error = %v, wantErr %v", err, tt.wantErr)
 }
- content, err := ioutil.ReadFile(tt.args.configPath)
+ content, err := os.ReadFile(tt.args.configPath)
 if err != nil {
 log.Fatal(err)
 }
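Review bot: `mockDockerConfigPath, err := os.MkdirTemp("", "")` in Test_updateDockerConfig creates a directory that nothing in this hunk removes; as the test already receives `*testing.T`, `mockDockerConfigPath := t.TempDir()` gives the same kind of directory with cleanup registered automatically and drops the `err` check and the `log.Fatal` path. `log.Fatal` inside a test (here and in the `@@ -54,7 +53,7 @@` hunk) exits the whole test binary, skipping the remaining cases and their `t.Errorf` reports, whereas `t.Fatal(err)` stops only this test. `createTempFileWithContents` in the `@@ -10,7 +9,7 @@` hunk could take `t` as well so it can use `t.TempDir()` and `t.Fatal` in place of `os.CreateTemp("", ...)` and `log.Fatal`. Test_updateDockerConfig starts and ends outside the hunk.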
@@ -87,7 +86,7 @@ func Test_writeResolveConfig(t *testing.T) {
 if err := writeResolveConfig(tt.args.configPath); (err != nil) != tt.wantErr {
 t.Errorf("writeResolveConfig() error = %v, wantErr %v", err, tt.wantErr)
 }
- content, err := ioutil.ReadFile(tt.args.configPath)
+ content, err := os.ReadFile(tt.args.configPath)
 if err != nil {
 log.Fatal(err)
 }
diff --git a/dnsproxy.go b/dnsproxy.go
index 87d5a38..4e38057 100644
--- a/dnsproxy.go
+++ b/dnsproxy.go
@@ -3,7 +3,7 @@ package main
 import (
 "encoding/json"
 "fmt"
- "io/ioutil"
+ "io"
 "math"
 "net/http"
 "strings"
@@ -141,7 +141,7 @@ func (proxy *DNSProxy) ResolveDomain(domain string) (*Answer, error) {
 defer resp.Body.Close()
- body, err := ioutil.ReadAll(resp.Body)
+ body, err := io.ReadAll(resp.Body)
 if err != nil {
 return nil, fmt.Errorf("error in response from dns.google %v", err)
diff --git a/eventhandler.go b/eventhandler.go
index 85bb864..8ab4aaf 100644
--- a/eventhandler.go
+++ b/eventhandler.go
@@ -5,7 +5,6 @@ import (
 "crypto/sha256"
 "fmt"
 "io"
- "io/ioutil"
 "net"
 "os"
 "path"
@@ -153,7 +152,7 @@ func printContainerInfo(pid, ppid string) {
 }
 cgroupPath := fmt.Sprintf("/proc/%s/cgroup", pid)
- content, err := ioutil.ReadFile(cgroupPath)
+ content, err := os.ReadFile(cgroupPath)
 if err != nil {
 WriteLog(fmt.Sprintf("cgroup not found %v", err))
 } else {
@@ -213,7 +212,7 @@ func (eventHandler *EventHandler) HandleEvent(event *Event) {
 }
 func GetContainerIdByPid(cgroupPath string) string {
- content, err := ioutil.ReadFile(cgroupPath)
+ content, err := os.ReadFile(cgroupPath)
 if err != nil {
 // WriteLog(fmt.Sprintf("error reading cgrouppath: %s : %v", cgroupPath, err))
 return ""
diff --git a/procmon_linux.go b/procmon_linux.go
index 297782b..41973b8 100644
--- a/procmon_linux.go
+++ b/procmon_linux.go
@@ -6,7 +6,6 @@ package main
 import (
 "fmt"
- "io/ioutil"
 "os"
 "strings"
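Review bot: `body, err := io.ReadAll(resp.Body)` in ResolveDomain reads the resolver's HTTP response into memory with no size cap, and the error string on the line below shows the body comes from a remote endpoint (dns.google). A DoH answer is small, so bounding the read, `body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))` (1 MiB is a constructed example; pick a cap sized to the largest answer the agent expects), keeps an oversized or misbehaving upstream from growing the agent's memory without limit. The `fmt.Errorf` that follows wraps with `%v` rather than `%w`, so callers cannot use `errors.Is`/`errors.As` on the underlying net error; that line is unchanged by this commit. ResolveDomain starts and ends outside the hunk.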
@@ -177,7 +176,7 @@ func (p *ProcessMonitor) receive(r *libaudit.AuditClient) error {
 func getParentProcessId(pid string) (int, error) {
 statPath := fmt.Sprintf("/proc/%s/stat", pid)
- dataBytes, err := ioutil.ReadFile(statPath)
+ dataBytes, err := os.ReadFile(statPath)
 if err != nil {
 return -1, err
 }