Harden GitHub Actions Workflow - codeql.yml

[stepsecurity-app]

Summary

This issue is created by StepSecurity related to security issues in codeql.yml . The platform has identified 2 vulnerabilities (1 critical, 0 high, 0 medium, 1 low).

Remediation Overview

The platform can generate remediations for a few vulnerabilities. For such vulnerabilities, you can find the fixed workflow file in the Suggested Fix For Auto-Remediable Issues section. You can manually deploy these changes or create a pull request by commenting @stepsecurity-app pull-request create on this issue.

If you’d like an automated pull request with the fixed workflow file, comment:

@stepsecurity-app pull-request create

Other issues require manual investigation and changes.

Once a vulnerability has been remediated, ✅ will appear in the title. Note that it may take up to 24 hours for these issues to be updated.

Please review the individual vulnerability section below and follow the recommended resolution steps.

Security Checks Details

❌ Network and runtime security monitoring should be enabled for GitHub-hosted runners

• Severity: Low

• Description: This check passes if the step-security/harden-runner GitHub Action is used in a job that runs on a GitHub-hosted runner. Harden-Runner prevents exfiltration of code and CI/CD credentials, and detects tampering of files during build.

• Resolution: Add the step-security/harden-runner GitHub Action to the job.

• Automated Remediation Available ?: true

• References:

  • GitHub Security Guide

  • The Open Source Security Foundation (OpenSSF) Security Guide

❌ Actions should be pinned to a full-length commit SHA

• Severity: Critical

• Description: GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• Resolution: Pin Actions to a full-length commit SHA..

• Automated Remediation Available ?: true

• References:

  • GitHub Security Guide

  • The Open Source Security Foundation (OpenSSF) Security Guide

Suggested Fix For Auto-Remediable Issues

Below is the updated workflow, which fixes the following security vulnerabilities:

• Network and runtime security monitoring should be enabled for GitHub-hosted runners

• Actions should be pinned to a full-length commit SHA

  name: "CodeQL Advanced"
  on:
    push:
      branches: [ "master" ]
    pull_request:
      branches: [ "master" ]
    schedule:
      - cron: '32 2 * * 1'
  jobs:
    analyze:
      name: Analyze (${{ matrix.language }})
      runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
      permissions:
        security-events: write
        packages: read
        actions: read
        contents: read
      strategy:
        fail-fast: false
        matrix:
          language: ['python']
      steps:
      - name: 
+ Harden the runner (Audit all outbound calls)
+       uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+       with:
+         egress-policy: audit
+     - name: 
  Checkout repository
        uses: actions/checkout@
+ 08eba0b27e820071cde6df949e0beb9ba4906955 # 
  v4
+ .3.0
      - name: Setup Python
        if: matrix.language == 'python'
        uses: actions/setup-python@
+ 7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # 
  v4
+ .9.1
        with:
          python-version: '3.x'
      - name: Initialize CodeQL
        uses: github/codeql-action/init@
+ d198d2fabf39a7f36b5ce57ce70d4942944f006e # 
  v3
+ .31.0
        with:
          languages: ${{ matrix.language }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@
+ d198d2fabf39a7f36b5ce57ce70d4942944f006e # 
  v3
+ .31.0
        with:
          category: "/language:${{matrix.language}}"

Additional Information

For more information, refer to the documentation page here.
Please don't make any changes in the description as the platform makes automated updates in description. Please use the comment section below to provide input.

Automated remediation commands and options

• Create a pull request with automated security fixes

@stepsecurity-app pull-request create

• Close this issue and prevent it from being reopened

@stepsecurity-app issue close <REASON>

• Update issue description with latest security check status

@stepsecurity-app issue force-update

• View all available commands and their usage

@stepsecurity-app help

Which GitHub Actions security best practices were evaluated?

The workflow was evaluated for the following GitHub Actions security best practices:

• Network & runtime security monitoring
• Token permissions
• Third‐party GitHub Actions usage & pinning

[github-actions]

该 GitHub Issue 概述了在 codeql.yml 工作流中存在的两个安全漏洞（1 个严重漏洞和 1 个低风险漏洞），并提供了解决方案建议。主要问题是未启用 GitHub 托管运行器的网络和运行时安全监控（低风险）以及操作未固定到完整提交 SHA（严重风险）。StepSecurity 工具提供了自动修复补丁，通过添加 step-security/harden-runner 操作以及将相关操作固定到完整的提交 SHA 来解决问题。用户可以手动应用补丁，或通过评论“@stepsecurity-app pull-request create”生成自动修复的 Pull Request。详细说明了修复步骤并提供了参考链接。