
[UPDATE] Use latest version for actions in workflow-templates #2460

Merged
merged 2 commits into from
Jul 4, 2024

Conversation

shubham-stepsecurity
Member

@varunsh-coder please review the changes!

step-security-bot

This comment was marked as resolved.

Collaborator

@step-security-bot step-security-bot left a comment


Feedback

We appreciate your feedback in helping us improve the service! To provide feedback, please use emojis on this comment. If you find the comments helpful, give them a 👍. If they aren't useful, kindly express that with a 👎. If you have questions or detailed feedback, please create a GitHub issue in StepSecurity/AI-CodeWise.

@shubham-stepsecurity
Member Author

@varunsh-coder I have bumped codeql version as well!

Collaborator

@step-security-bot step-security-bot left a comment


Please find StepSecurity AI-CodeWise code comments below.

Code Comments

testfiles/addworkflow/expected-codeql.yml

  • [High] Upgrade CodeQL Action to the latest version
    The version of CodeQL action being used is outdated. Update the CodeQL action in your workflow from v2 to v3.
  • [High] Ensure the use of CodeQL action versions are explicitly defined
    The version of CodeQL action being used should be explicitly defined to ensure consistency and to avoid unintended changes when new versions get released. Explicitly define the CodeQL action version used in your workflow.
  • [Low] Ensure the use of the latest version of actions/checkout
    Use the latest version of actions/checkout to ensure access to the latest features. Update the actions/checkout to the latest version.

testfiles/addworkflow/expected-dependency-review.yml

  • [High] Use specific version of dependencies
    The dependency-review action is being used without specifying a specific version number. This may lead to unexpected changes or security vulnerabilities introduced by newer versions that might not be compatible with the code. Specify the specific version of the dependency, for example: uses: actions/dependency-review-action@v2.3.1
  • [High] Avoid using latest version of dependencies explicitly
    The 'latest' tag is used to refer to the most recent version of the dependencies. This may lead to unexpected changes or security vulnerabilities introduced by newer versions that might not be compatible with the code. Specify the specific version of the dependency, for example: uses: actions/checkout@v4.0.1
  • [Medium] Limit Checkout to a specific branch
    The checkout action is being used without specifying a specific branch. This may lead to unexpected results if the action is triggered for a branch other than the intended one. Add 'with: ref: <branch_name>' to the checkout step to limit the checkout to a specific branch.
  • [Low] Verify the origin of any dependency
    The 'actions' namespace is being used for dependencies, and it's being assumed that the dependencies found there are safe. It's important to validate that the origin of the dependency is correct. Go to GitHub Marketplace and search for the dependency by its name and read its reviews and see the source code before installing it.

testfiles/addworkflow/expected-scorecards.yml

  • [High] Update actions/checkout from v3 to v4
    The action uses an older version that may have security vulnerabilities. Replace 'actions/checkout@v3' with 'actions/checkout@v4' in line 4 of the code patch.
  • [High] Update ossf/scorecard-action from v2.0.6 to v2.3.3
    The action uses an older version that may have security vulnerabilities. Replace 'ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d' with 'ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534' in line 8 of the code patch.
  • [Medium] Add input check to the results_format parameter to prevent arbitrary shell commands injection
    The results_format parameter is passed to an action without proper input check, which could lead to arbitrary shell commands injection. Replace line 16 of the code patch with 'results_format: sarif
    working-directory: ${{github.workspace}}' to use proper parameter input handling.
  • [Medium] Add input check to the persistence-credentials parameter to prevent unauthorized access
    The persist-credentials parameter is set to false without proper input check, which may represent a security risk. Replace line 7 of the code patch with 'persist-credentials: ${{ github.token != '' }}' to use proper parameter input handling.

workflow-templates/codeql.yml

  • [High] Upgrade the GitHub actions and tools to the latest version
    The version of the GitHub actions being used might have security vulnerabilities or other critical bugs that could be fixed in the latest versions. Update actions/checkout, codeql-action/init, codeql-action/autobuild, and codeql-action/analyze to their latest versions. The latest version of actions/checkout is v3.1.2, the latest version of codeql-action/init is v4, the latest version of codeql-action/autobuild is v3, and the latest version of codeql-action/analyze is v4.
  • [Medium] Use uses with full owner/repo@version references
    Always use the full owner/repo@version format to specify the GitHub action being used. This protects the code from attacks that could occur due to version changes or deprecated APIs. Update the uses field in all the actions, e.g., change actions/checkout@v3 to actions/checkout@v3.1.2.
  • [Low] Use double quotes with GitHub action input variables
    GitHub action input variables should always be quoted in double quotes for consistency and to avoid bugs caused by variable interpolation. Replace the single quotes with double quotes for all the input strings in the with field of the codeql-action/init and codeql-action/analyze. For example, uses: github/codeql-action/init@v3 should be updated to uses: github/codeql-action/init@v3.

workflow-templates/dependency-review.yml

  • [High] Use specific version instead of range for checkout dependency
    Using a range of versions for the checkout dependency can lead to a potential security vulnerability. If the dependency is updated and a new version has a security issue, it could be included in the range and cause issues. Replace 'v3' with a specific version number for checkout in the 'uses' field. For example, 'v3.3.2'
  • [High] Use specific version instead of range for dependency review action
    Using a range of versions for the dependency review action can lead to a potential security vulnerability. If the dependency review action is updated and a new version has a security issue, it could be included in the range and cause issues. Replace 'v2' with a specific version number for the dependency review action in the 'uses' field. For example, 'v2.1.0'
  • [Medium] Limit permissions on checkout action
    The checkout action has access to the entire repository. Limiting permissions can reduce the impact of a potential security vulnerability in the action. Add the 'repository_contents' scope to the 'with' field of the checkout action. For example, 'with: {repository_contents: read}'
  • [Medium] Limit permissions on dependency review action
    The dependency review action has access to all dependencies. Limiting permissions can reduce the impact of a potential security vulnerability in the action. Add the 'repo' and 'security_events' scopes to the 'with' field of the dependency review action. For example, 'with: {repo: read, security_events: write}'
  • [Low] Set specific operating system for runs-on field
    Using the generic 'ubuntu-latest' can lead to potential compatibility issues with the actions being used. Setting the operating system to a specific version can help avoid these issues. Specify the version of Ubuntu to be used in the 'runs-on' field. For example, 'runs-on: ubuntu-20.04'

workflow-templates/scorecards.yml

  • [High] Use Action's latest stable version
    The action used to checkout the code and to upload artifact should be updated to latest stable version. Replace actions/checkout@v3 with actions/checkout@v4 and replace actions/upload-artifact@v3 with actions/upload-artifact@v4
  • [High] Use ossf/scorecard-action's latest version
    The action used to run analysis should be updated to latest version. Replace ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 with ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
  • [Medium] Explicitly set persist-credentials to false
    The 'persist-credentials' input is not set correctly which exposes the repository secrets. Set persist-credentials to false
  • [Low] Set a value for retention-days
    The upload-artifact action should have defined a number of days to retain artifacts. Set a value for retention-days input. For example, retention-days: 7 to retain the artifacts for 7 days.

Feedback

We appreciate your feedback in helping us improve the service! To provide feedback, please use emojis on this comment. If you find the comments helpful, give them a 👍. If they aren't useful, kindly express that with a 👎. If you have questions or detailed feedback, please create a GitHub issue in StepSecurity/AI-CodeWise.

@ashishkurmi ashishkurmi merged commit 735c02a into int Jul 4, 2024
1 check failed
@ashishkurmi ashishkurmi deleted the issue2120 branch July 4, 2024 20:45