[StepSecurity] Apply security best practices

[step-security-bot]

Summary

This pull request is created by StepSecurity at the request of @varunsh-coder. Please merge the Pull Request to incorporate the requested changes. Please tag @varunsh-coder on your message if you have any questions related to the PR.

Security Fixes

Pinned Dependencies

GitHub Action tags and Docker tags are mutatble. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

Maintain Code Quality with Pre-Commit

Pre-commit is a framework for managing and maintaining multi-language pre-commit hooks. Hooks can be any scripts, code, or binaries that run at any stage of the git workflow. Pre-commit hooks are useful for enforcing code quality, code formatting, and detecting security vulnerabilities.

• Official Pre-commit documentation
• Getting Started guide

Support for custom workflows

Add custom workflows present inside user's workflow template folder

Feedback

For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

[step-security-bot]

Please find StepSecurity AI-CodeWise code comments inline or below.

.github/workflows/canary.yml

Please refer to 1 inline comments.

.github/workflows/codeql-analysis.yml

Please refer to 3 inline comments.

Feedback

We appreciate your feedback in helping us improve the service! To provide feedback, please use emojis on this comment. If you find a comment helpful, give it a 👍. If they aren't useful, kindly express that with a 👎. If you have questions or detailed feedback, please create n GitHub issue in StepSecurity/AI-CodeWise.

[step-security-bot]

[Medium]Use approved base images in containers

The base image for the canary test container is not specified and may not be approved. Always specify a base image that is approved.

[step-security-bot]

[Medium]Avoid exposing unnecessary permissions in actions

The workflow specifies permissions for contents, actions and security-events, which might be more permissive than necessary. It's recommended to only include the necessary permissions. Only list the necessary permissions in the workflow file. For example, if the workflow file doesn't need to push to the repository, remove the contents permission.

[step-security-bot]

[Low]Remove commented-out code

The workflow file contains commented-out code in the Autobuild step. This can be confusing and should be removed. Remove the commented-out lines.

[step-security-bot]

[Low]Add comments to explain what the workflow does

The workflow file is missing comments explaining what it does. This will help others understand the purpose of the file and the steps in it. Add comments above each step to explain what it does and why it's necessary. Add a comment at the top of the file that explains the purpose of the workflow.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.