StepSecurity's Catalog of Fixes

Introduction

In today's fast-paced world of software development, ensuring that code is secure from vulnerabilities and potential attacks is paramount. Developers want to adhere to security best practices, but it can be time-consuming and overwhelming.  

‍

This is where StepSecurity comes in – a revolutionary platform automating security best practices from documentation, ultimately saving developers time and effort.  

StepSecurity maintains an open-source project called SecureRepo, which houses a catalog of fixes. The hosted version, available at https://app.stepsecurity.io/securerepo, allows developers to seamlessly create pull requests to apply security best practices to their public repositories without App installation or prior onboarding steps.  

To date, maintainers from over 280 repositories, including prominent organizations like Google, Microsoft, Eclipse Foundation, Ruby, and Apache, have utilized this solution to create pull requests in their public repositories.

In this blog post, we will delve into the catalog of fixes that StepSecurity has built and provide examples of pull requests for each fix type.

The StepSecurity Catalog of Fixes

StepSecurity has curated a catalog of fixes that cover a wide range of security best practices suggested by the OpenSSF Scorecard and the GitHub Actions Hardening Guide. These fixes are designed to be applied automatically, enabling developers to focus on their core tasks while ensuring their code remains secure. The catalog includes the following fixes (with an example for each of the fixes).

1. Automatically set minimum GITHUB_TOKEN permissions‍

StepSecurity generates a pull request to automatically configure the minimum required permissions for the GITHUB_TOKEN, ensuring that it has only the necessary access to perform its tasks.

Pull Request: ruby/ruby

‍2. Add Harden-Runner GitHub Action to each job‍

StepSecurity creates a pull request to add the Harden-Runner GitHub Action to each job. Harden Runner blocks egress traffic & detects code overwrite to prevent breaches.

Pull Request: GoogleCloudPlatform/functions-framework-dotnet  

‍3. Pin Actions to a full-length commit SHA‍

To prevent supply chain attacks, StepSecurity generates a pull request to pin GitHub Actions to a full-length commit SHA, ensuring that only the expected Action version is used.

Pull Request: electron/electron

‍4. Pin image tags to digests in Dockerfiles‍

StepSecurity creates a pull request to pin image tags to digests in Dockerfiles, ensuring that only the expected base image version is used during the build process.

Pull Request: fleetdm/fleet

‍5. Add or update Dependabot configuration‍

StepSecurity generates a pull request to add or update the Dependabot configuration, enabling automated dependency management and security updates for the project.

Pull Request: muir/libschema

‍6. Add CodeQL workflow (SAST)‍

StepSecurity creates a pull request to add the CodeQL workflow, providing static application security testing (SAST) to identify potential security vulnerabilities in the code.

Pull Request: rubygems/rubygems.org

‍7. Add Dependency review workflow‍

StepSecurity generates a pull request to add a Dependency review workflow, which analyzes the project's dependencies for known vulnerabilities.

Pull Request: google/jni-bind

8. Add OpenSSF Scorecard workflow‍

StepSecurity creates a pull request to add the OpenSSF Scorecard workflow, which automatically assesses the project's security posture using a set of security best practices and provides a score.

Pull Request: microsoft/CLRInstrumentationEngine

‍

Upcoming Fixes

In addition to the current catalog of fixes, StepSecurity is constantly working to enhance our offerings and further support developers in adhering to security best practices. The following fixes are in the pipeline:

1. Generate a CODEOWNERS file for the project

StepSecurity will introduce a fix to generate a CODEOWNERS file for the project automatically. This helps establish clear ownership and responsibility for different parts of the codebase, ensuring that the right team members review and approve changes.

2. Use OIDC for GitHub Actions publishing workflows

To enhance the security of publishing workflows, StepSecurity plans to add a fix that uses OpenID Connect (OIDC) for authentication and authorization in GitHub Actions, providing a more secure and standardized approach to managing access.

3. Update workflows to generate Software Bill of Materials (SBOM)

StepSecurity is working on a fix to update workflows to automatically generate a Software Bill of Materials (SBOM), which is a comprehensive record of all components and dependencies in the project.  

4. Add pre-commit hooks to catch linting issues and prevent credential leaks

StepSecurity plans to introduce a fix to add pre-commit hooks to projects, enabling developers to catch linting issues before they reach the continuous integration (CI) stage. More importantly, this fix will run a secret scanner as a pre-commit hook, helping prevent sensitive credentials from being accidentally committed to the repository.

5. Set a non-root user in Dockerfiles

To improve container security, StepSecurity is working on a fix to automatically set a non-root user in Dockerfiles, reducing the potential attack surface and mitigating the risks associated with running containers as the root user.

If you have feedback on these upcoming fixes, please comment on the issues in the secure-repo GitHub repository.  

‍

Conclusion

StepSecurity is revolutionizing the way developers implement security best practices in their code. By offering SecureRepo as an open-source project and providing a catalog of fixes, developers can save time and effort while ensuring their code remains secure. If you own public GitHub code repositories, try https://app.stepsecurity.io/securerepo to improve security via automated pull requests in seconds. If you want to try this for your private repositories, contact info@stepsecurity.io or book a demo using our website.  

‍