fix: address OpenSSF Scorecard code-scanning alerts

motxx · claude · motxx · commit 84034db815e8 · 2026-04-06T10:35:34.000+09:00
- Pin Docker base images to sha256 digests (Pinned-Dependencies)
- Pin codeql-action/upload-sarif to commit hash (Pinned-Dependencies)
- Add harden-runner to all deploy.yml jobs
- Add .github/dependabot.yml (Dependency-Update-Tool)
- Add .github/workflows/codeql.yml for SAST analysis
- Add SECURITY.md with vulnerability reporting policy

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,54 @@
+version: 2
+updates:
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "ci"
+
+  # npm (deno.lock / package.json)
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
+
+  # Docker
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "docker"
+
+  - package-ecosystem: "docker"
+    directory: "/crates/tlsn-server"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "docker"
+
+  # Cargo (Rust crates)
+  - package-ecosystem: "cargo"
+    directory: "/crates/tlsn-server"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "cargo"
+    directory: "/crates/tlsn-verifier"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
+
+  - package-ecosystem: "cargo"
+    directory: "/crates/tlsn-prover"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,45 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: "15 4 * * 1" # Weekly Monday 04:15 UTC
+
+permissions: {}
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript-typescript]
+
+    steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -46,6 +46,11 @@ jobs:
             token_secret: FLY_API_TOKEN_VERIFIER
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
@@ -72,6 +77,11 @@ jobs:
       name: production
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
@@ -97,6 +107,11 @@ jobs:
       name: production
 
     steps:
+      - name: Harden runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
@@ -91,6 +91,6 @@ jobs:
           publish_results: true
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@5c8a8a642e79153f5d047b10ec1cba1d1cc65699 # v3
         with:
           sarif_file: results.sarif
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Build tlsn-verifier binary
-FROM rust:1-bookworm AS rust-builder
+FROM rust:1-bookworm@sha256:fdb91abf3cb33f1ebc84a76461d2472fd8cf606df69c181050fa7474bade2895 AS rust-builder
 RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 WORKDIR /build
 COPY crates/tlsn-verifier/Cargo.toml ./crates/tlsn-verifier/
diff --git a/Dockerfile.blossom b/Dockerfile.blossom
@@ -1,4 +1,4 @@
-FROM ghcr.io/hzrd149/blossom-server:master
+FROM ghcr.io/hzrd149/blossom-server:master@sha256:fd4204d964e63fef17eba36aaa0c772e0c1d07026d5589c30f8c1593cb642af0
 
 COPY blossom-config.yml /app/config.yml
 
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| main    | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in Anchr, please report it
+responsibly:
+
+1. **Do NOT open a public GitHub issue.**
+2. Email **security@anchr.dev** with a description of the vulnerability,
+   steps to reproduce, and any relevant logs or screenshots.
+3. You will receive an acknowledgement within 48 hours.
+4. We will work with you to understand and resolve the issue before any
+   public disclosure.
+
+Thank you for helping keep Anchr and its users safe.
diff --git a/crates/tlsn-server/Dockerfile b/crates/tlsn-server/Dockerfile
@@ -1,11 +1,11 @@
-FROM rust:1-bookworm AS builder
+FROM rust:1-bookworm@sha256:fdb91abf3cb33f1ebc84a76461d2472fd8cf606df69c181050fa7474bade2895 AS builder
 RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*
 WORKDIR /build
 COPY Cargo.toml ./
 COPY src/ src/
 RUN cargo build --release --bin tlsn-server
 
-FROM debian:bookworm-slim
+FROM debian:bookworm-slim@sha256:f06537653ac770703bc45b4b113475bd402f451e85223f0f2837acbf89ab020a
 RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates tor && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /build/target/release/tlsn-server /usr/local/bin/
 COPY docker-entrypoint.sh /usr/local/bin/

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM ghcr.io/hzrd149/blossom-server:master`
	`1`	`+FROM ghcr.io/hzrd149/blossom-server:master@sha256:fd4204d964e63fef17eba36aaa0c772e0c1d07026d5589c30f8c1593cb642af0`
`2`	`2`
`3`	`3`	`COPY blossom-config.yml /app/config.yml`
`4`	`4`