As a user of coi I'd like to see that we make our best efforts to ensure the workflows are set up as safely and securely as possible. I'd like to suggest that StepSecurity and Zizmor become part of this repository.
- StepSecurity can protect from certain types of exfiltration by whitelisting hosts. The firewall is applied as the first step in a job, and will then monitor network and process activity. I installed it on a fork, and runs can be seen here. StepSecurity is not limited to firewalling network activity, as the onboarding will also (opt-in) install the OpenSSF Scorecard action. This action will go through a repository with as many permissions as it is granted, and then submit SARIF reports to the repository which show up under "Security and Quality", with action items.
- Zizmor acts as a linter for workflows to cover common mistakes related to triggers and how GitHub Actions are used. It is usually run as a required check for PRs. I yoinked and adapted a workflow from Grafana. Again, this is another thing that submits SARIF reports to the repository, with actionable items under "Security and Quality". A plain text report can be seen here.
I will gladly help submit PRs, but since they involve workflows I first wanted to present my case and see if it is in scope for an external contribution. StepSecurity is especially gnarly since an admin needs to perform the GitHub App installation.
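For readers unfamiliar with the two tools named above, here is an added example workflow (not from the coi repository, the issue author, or either project's own docs) that shows both pieces together: a build job whose first step is the StepSecurity `harden-runner` egress firewall with an explicit host allowlist, and a separate job that runs zizmor over the workflows and uploads its SARIF output to the repository's code scanning tab. The job names, the allowed hostnames, the `requirements.txt`/`pytest` build steps, and the action version tags are illustrative assumptions, not coi's actual configuration.

```yaml
# Added example, not coi's own workflow. Hostnames, job names, build commands
# and version tags are assumptions chosen for illustration.
name: hardened-ci-example

on:
  pull_request:
  push:
    branches: [main]

# Default to a read-only token; jobs widen this only where they must.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # harden-runner must be the FIRST step so that it observes every later
      # outbound connection and process in the job.
      - uses: step-security/harden-runner@v2
        with:
          # 'audit' only records traffic; 'block' drops anything not listed
          # under allowed-endpoints. Start with audit, read the run's
          # network summary, then switch to block with the hosts it showed.
          egress-policy: block
          # Assumed allowlist for a Python project: GitHub itself plus PyPI.
          # A curl to any other host (e.g. an exfiltration attempt from a
          # compromised dependency) is blocked and flagged in the run summary.
          allowed-endpoints: >
            github.com:443
            api.github.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            files.pythonhosted.org:443

      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: python -m pip install -r requirements.txt   # assumed build step
      - run: python -m pytest                              # assumed test step

  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required for upload-sarif to publish findings under
      # "Security" > "Code scanning" in the repository.
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Lint workflows with zizmor
        run: |
          python -m pip install zizmor
          # zizmor exits non-zero when it has findings; '|| true' keeps the
          # job alive long enough to upload the SARIF. Drop it (or make this
          # job a required status check) if the lint itself should gate PRs.
          zizmor --format sarif . > zizmor.sarif || true
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: zizmor.sarif
          category: zizmor
```

Two caveats worth knowing before copying this. First, zizmor's `unpinned-uses` audit will flag the `@v2`/`@v4`/`@v5` tags used here; in a real workflow each `uses:` would be pinned to a full commit SHA (omitted above rather than invented). Second, `upload-sarif` needs a write-capable token, which pull requests from forks do not get, so on fork PRs the zizmor job's own pass/fail status is what a required check can enforce, not the uploaded alerts.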