Merged
78 changes: 78 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,78 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
push:
branches: ["main"]
pull_request:
# The branches below must be a subset of the branches above
branches: ["main"]
schedule:
- cron: "0 0 * * 1"

permissions:
contents: read

jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

strategy:
fail-fast: false
matrix:
language: ["go"]
# CodeQL supports [ $supported-codeql-languages ]
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
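Review bot: The language-support comment under `matrix:` still carries the template's unexpanded placeholder `# CodeQL supports [ $supported-codeql-languages ]`; replace it with the actual list or delete it, since the value the generator was meant to substitute never arrived. On the harden-runner step, `egress-policy: audit` only records outbound calls; the SHA pin is good, but the step becomes a control rather than a log only once the audit output is turned into an `allowed-endpoints` list used with `egress-policy: block`.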
Comment on lines +48 to +49

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Find all workflow files
fd -e yml -e yaml . .github/workflows/

# Check codeql.yml specifically
echo "=== codeql.yml content ===" 
cat -n .github/workflows/codeql.yml | sed -n '45,55p'

Repository: wollomatic/socket-proxy

Length of output: 721


🏁 Script executed:

# Check docker-image-release.yaml for actions/checkout
echo "=== docker-image-release.yaml ===" 
cat -n .github/workflows/docker-image-release.yaml | grep -A 1 -B 1 "actions/checkout"

# Check docker-image-testing.yaml for actions/checkout
echo "=== docker-image-testing.yaml ===" 
cat -n .github/workflows/docker-image-testing.yaml | grep -A 1 -B 1 "actions/checkout"

Repository: wollomatic/socket-proxy

Length of output: 386


actions/checkout version inconsistency — align across workflows.

The CodeQL workflow pins actions/checkout to v4.3.1 (34e114876b...), whilst both docker workflows (docker-image-release.yaml and docker-image-testing.yaml) use v6.0.2 (de0fac2e45...). Both SHAs have been verified against their respective version tags. Consider aligning these to the same major version across the repository unless there is a deliberate reason to maintain separate versions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yml around lines 48 - 49, The CodeQL workflow pins
the GitHub Action "uses:
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5" (v4.3.1) while the
docker workflows use "actions/checkout" at v6.0.2; update the CodeQL workflow's
checkout invocation to the same major/minor version used by the docker workflows
(or vice‑versa if you intend to standardize on v4), replacing the SHA with the
corresponding verified tag/SHA to align versions across workflows and ensure
consistency.


# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3.32.4
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3.32.4

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@45580472a5bb82c4681c4ac726cfdb60060c2ee1 # v3.32.4
with:
category: "/language:${{matrix.language}}"
27 changes: 27 additions & 0 deletions .github/workflows/dependency-review.yml
@@ -0,0 +1,27 @@
# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request,
# surfacing known-vulnerable versions of the packages declared or updated in the PR.
# Once installed, if the workflow run is marked as required,
# PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit

- name: 'Checkout Repository'
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: 'Dependency Review'
uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3
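Review bot: The `Checkout Repository` step pins actions/checkout to the same v4.3.1 SHA as codeql.yml, so the checkout version inconsistency raised on codeql.yml applies to this file as well; align both when that is resolved. The dependency-review step runs with no `with:` block, so the severity threshold and license policy fall back to the action's defaults; stating the intended `fail-on-severity` explicitly makes the merge gate's behaviour reviewable rather than implicit.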
18 changes: 9 additions & 9 deletions .github/workflows/docker-image-release.yaml
@@ -17,15 +17,15 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Run Gosec Security Scanner
uses: securego/gosec@master
uses: securego/gosec@f3e2fac4d58b7eca54307cd40ce2a836a12e4d95 # master
with:
args: ./...

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: '1.25'
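Review bot: `securego/gosec@f3e2fac4d58b7eca54307cd40ce2a836a12e4d95 # master` pins a commit that is not a release: the trailing comment names a branch, so update tooling that keys off the comment has no version to track, and a reader cannot tell which gosec behaviour is in effect. Pin to a tagged release SHA with the tag in the comment (`# vX.Y.Z`, version to be chosen), as the other steps in this hunk do.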
Comment on lines +28 to 30

⚠️ Potential issue | 🟠 Major

Go toolchain version mismatch: go-version: '1.25' vs Dockerfile golang:1.26.0.

Same issue as in docker-image-testing.yaml. This is the release workflow — any behavioural difference between the test environment (Go 1.25) and the published artefact (Go 1.26) will not be caught before shipping.

🔧 Proposed fix
-          go-version: '1.25'
+          go-version: '1.26'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-image-release.yaml around lines 28 - 30, The
workflow uses actions/setup-go with go-version: '1.25' which mismatches the
Dockerfile base image golang:1.26.0; update the actions/setup-go step (the uses:
actions/setup-go block and its go-version field) in the release workflow to
match the Dockerfile (e.g., set go-version: '1.26' or '1.26.0') so the
build/test environment matches the published artifact.


@@ -37,28 +37,28 @@ jobs:
run: echo "VERSION=${GITHUB_REF#refs/tags/}" >> "$GITHUB_OUTPUT"

- name: Install Cosign
uses: sigstore/cosign-installer@v4.0.0
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
with:
cosign-release: 'v2.6.1'

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push Docker Hub image
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
id: push-dockerhub
with:
context: .
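Review bot: `cosign-release: 'v2.6.1'` is a tag the installer resolves at run time rather than a digest, so it is the one fetched component in this hunk that the new SHA pins do not cover; the pin on sigstore/cosign-installer fixes the installer, not the cosign binary it downloads. docker-image-testing.yaml also carries a commented-out `cosign-release: 'v2.6.0'`, so the two files already disagree on the cosign version; keep them in step when bumping.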
@@ -76,7 +76,7 @@ jobs:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

- name: Build and push GHCR image
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
id: push-ghcr
with:
context: .
18 changes: 9 additions & 9 deletions .github/workflows/docker-image-testing.yaml
@@ -19,15 +19,15 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v6
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Run Gosec Security Scanner
uses: securego/gosec@master
uses: securego/gosec@f3e2fac4d58b7eca54307cd40ce2a836a12e4d95 # master
with:
args: ./...

- name: Set up Go
uses: actions/setup-go@v6
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: '1.25'
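Review bot: Same `securego/gosec@… # master` concern as in docker-image-release.yaml: this pins a commit on a moving branch rather than a release, so the comment carries no version for reviewers or update tooling. Pin both workflows to the same tagged release SHA.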
Comment on lines +30 to 32

⚠️ Potential issue | 🟠 Major

Go toolchain version mismatch: workflows test with 1.25, Dockerfile builds with 1.26.0.

Both docker workflows set go-version: '1.25', but the Dockerfile build stage uses golang:1.26.0-alpine3.23. This means CI tests run under a different compiler version than what is used in the actual production Docker build. Any 1.26-specific language behaviour, standard library change, or compile-time difference will not be caught by the test run.

Both should reference the same Go version.

🔧 Proposed fix — align the workflow Go version with the Dockerfile
-        go-version: '1.25'
+        go-version: '1.26'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: '1.25'
uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
with:
go-version: '1.26'
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/docker-image-testing.yaml around lines 30 - 32, The
workflow currently sets actions/setup-go with go-version '1.25' which mismatches
the Dockerfile's golang:1.26.0-alpine3.23; update the workflow's
actions/setup-go go-version to '1.26.0' (or '1.26') so CI uses the same Go
toolchain as the Dockerfile build, and apply the same change to any other
workflows that also use actions/setup-go to keep all CI steps aligned with the
Dockerfile.


@@ -40,23 +40,23 @@ jobs:
# cosign-release: 'v2.6.0'

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}

- name: Login to GitHub Container Registry
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and push image to Docker Hub and GHCR
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
id: push-all
with:
context: .
@@ -70,7 +70,7 @@ jobs:
ghcr.io/wollomatic/socket-proxy:testing-${{ github.sha }}

# - name: Build and push Docker Hub image
# uses: docker/build-push-action@v6
# uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
# id: push-dockerhub
# with:
# context: .
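Review bot: The `# uses: docker/build-push-action@…` lines in the commented-out steps here and in the following hunk were bumped along with the live ones, which means pin-update tooling will keep churning dead configuration. Either delete the commented-out Docker Hub and GHCR steps (the live `push-all` step above already pushes to both registries) or exclude them from future pin updates.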
@@ -88,7 +88,7 @@ jobs:
# COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
#
# - name: Build and push GHCR image
# uses: docker/build-push-action@v6
# uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
# id: push-ghcr
# with:
# context: .
14 changes: 14 additions & 0 deletions .pre-commit-config.yaml
@@ -0,0 +1,14 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.3
hooks:
- id: gitleaks
- repo: https://github.com/golangci/golangci-lint
rev: v1.52.2
hooks:
- id: golangci-lint
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
- id: trailing-whitespace
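Review bot: The three `rev:` values are tags (`v8.16.3`, `v1.52.2`, `v4.4.0`) while the rest of this PR moves GitHub Actions to commit-SHA pins, so the hooks are the one remaining dependency set that a retargeted tag could change. `pre-commit autoupdate --freeze` rewrites each `rev` to a commit SHA with the tag kept as a comment, giving the hooks the same immutability as the workflows; run it once when the versions are bumped.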
Comment on lines +2 to +14

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

pre-commit framework immutable references SHA vs version tags best practices

💡 Result:

What pre-commit expects in rev

rev is the git revision or tag to clone. pre-commit is designed for repeatable runs and effectively assumes rev is an immutable ref (a release tag or a commit SHA), not a moving branch name. [1][2]

Tags vs commit SHAs (immutability trade-off)

Version tags (recommended default)

  • Pros: readable (vX.Y.Z), aligns with releases, easy to review diffs in changelogs.
  • Works well with pre-commit autoupdate, which by default updates to the latest tag on the default branch. [1][3]
  • Cons: git tags are intended to be stable, but they are not cryptographically immutable—a maintainer (or attacker with access) can retarget a tag.

Commit SHAs (most “immutable”)

  • Pros: strongest practical guarantee that everyone runs exactly the same code, even if a tag is moved.
  • Cons: less readable; you’ll usually want to add a comment like # vX.Y.Z for humans.

What to avoid

  • Branch names / “stable” / “main” / HEAD as rev: this is a mutable ref and breaks the reproducibility model (and can mislead people into thinking it always tracks “latest”). This is explicitly called out as problematic by the pre-commit maintainer and in ecosystem guidance (e.g., Black’s “rev: stable” discussion). [2][4]

Best-practice recommendations

  1. Most teams: pin to release tags (rev: vX.Y.Z) and run pre-commit autoupdate periodically (often via CI or a dependency bot). [1][3]
  2. High-assurance / supply-chain sensitive environments: pin to commit SHAs and update via:
    • pre-commit autoupdate --freeze (stores “frozen” commit hashes instead of tags). [3]
  3. If you truly need unreleased changes: use pre-commit autoupdate --bleeding-edge (tracks the default branch tip by SHA), understanding you’re opting into faster change. [3]

Sources: pre-commit docs on rev and updating hooks [1][3], pre-commit maintainer guidance on immutable refs / no “unpinned latest” [2], and discussion of why mutable refs like stable are unsuitable [4].

[1] https://pre-commit.com/
[2] https://stackoverflow.com/questions/75920424/how-to-ignore-rev-in-pre-commit-config
[3] https://pre-commit.com/#pre-commit-autoupdate
[4] psf/black#420


🌐 Web query:

gitleaks latest version 2025 2026 release

💡 Result:

As of February 21, 2026, the latest upstream Gitleaks release is v8.30.0, published November 26, 2025 on the official GitHub releases page. [1]

2025 upstream releases (high level):

  • v8.24.0 (Feb 20, 2025) [2]
  • v8.24.3 (Apr 11, 2025) [2]
  • v8.25.1 (Apr 30, 2025) [2]
  • v8.26.0 (May 12, 2025) [2]
  • v8.27.2 (Jun 9, 2025) [2]
  • v8.28.0 (Jul 20, 2025) [2]
  • v8.29.1 (Nov 19, 2025) [1]
  • v8.30.0 (Nov 26, 2025, latest) [1]

2026 note: Some distributions shipped/package-updated Gitleaks 8.30.0 in 2026 (e.g., Fedora update dated Jan 4, 2026), but that’s a packaging event—not a newer upstream Gitleaks release. [3]

Sources: [1] GitHub releases (gitleaks/gitleaks), [2] mise versions timeline (aggregates GitHub release dates), [3] Fedora advisory showing 8.30.0 update date.


🌐 Web query:

golangci-lint latest version 2025 2026 release

💡 Result:

  • Latest golangci-lint (as of Feb 21, 2026): v2.10.1 — released Feb 17, 2026. [1]
  • Late-2025 releases: v2.7.2 (Dec 7, 2025) and v2.6.2 (Nov 14, 2025). [2][3]
  • Early-2026 release example (before v2.10.1): v2.9.0 (Feb 10, 2026). [4]

Sources: [1] GitHub releases (v2.10.1), [2] GitHub releases (v2.7.2), [3] GitHub releases (v2.6.2), [4] GitHub releases (v2.9.0).


🌐 Web query:

pre-commit-hooks latest version 2025 2026 release

💡 Result:

As of February 21, 2026, the latest upstream pre-commit-hooks release (the pre-commit/pre-commit-hooks repository / pre-commit-hooks PyPI package) is:

  • v6.0.0, released August 9, 2025 — and it is still the latest (no newer 2026 release is listed). [1], [2]

Sources: GitHub releases page [1] and PyPI release history [2].


🌐 Web query:

gitleaks v8.16.3 release date

💡 Result:

Gitleaks v8.16.3 was released on April 19, 2023. [1][2]


🌐 Web query:

golangci-lint v1.52.2 release date

💡 Result:

golangci-lint v1.52.2 was released on March 25, 2023. [1][2]


🌐 Web query:

pre-commit-hooks v4.4.0 release date

💡 Result:

pre-commit-hooks v4.4.0 was released on November 23, 2022. [1][2]


Update pre-commit hooks to current releases.

All three hooks are pinned to releases from 2022–2023, approximately 2–3 years behind current versions. Notably, both golangci-lint (v1.52.2 → v2.10.1) and pre-commit-hooks (v4.4.0 → v6.0.0) have received major version updates since these versions were released. Consider running pre-commit autoupdate to bring these dependencies to their latest releases.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.pre-commit-config.yaml around lines 2 - 14, The pre-commit config pins
gitleaks, golangci-lint, and pre-commit-hooks to older releases; run `pre-commit
autoupdate` (or manually update the rev fields) to bump them to current releases
so hooks `gitleaks`, `golangci-lint`, and
`end-of-file-fixer`/`trailing-whitespace` use up-to-date versions (e.g., update
`rev` for the repos referenced: gitleaks, golangci-lint, and pre-commit-hooks);
verify the updated hooks still work in CI and adjust any config changes required
by major-version upgrades.

2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,5 +1,5 @@
# syntax=docker/dockerfile:1
FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine3.23 AS build
FROM --platform=$BUILDPLATFORM golang:1.26.0-alpine3.23@sha256:d4c4845f5d60c6a974c6000ce58ae079328d03ab7f721a0734277e69905473e5 AS build
WORKDIR /application
COPY . ./
ARG TARGETOS
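Review bot: The digest on the `FROM` line is the right change, but `# syntax=docker/dockerfile:1` on the line above still pulls the BuildKit frontend by a mutable tag, so one externally fetched image in this file remains unpinned; the directive accepts the same `image@sha256:…` form. With the digest present, the `golang:1.26.0-alpine3.23` tag is documentation only (the digest governs what is pulled), so tag and digest must be bumped together or the comment-style tag will drift from the image actually built.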