GitHub/Repository Security/GitHub Workflows & Actions: Difference between revisions

Jump to navigation Jump to search

GitHub/Repository Security/GitHub Workflows & Actions (view source)

Revision as of 09:21, 19 May 2025

38 bytes added ,  19 May
m
reordering the headers and sections in the page
m (add instructions to review all code run as part of the workflow)
m (reordering the headers and sections in the page)
Line 74: Line 74:
** Consider permitting only a specific revision (instead of relying on a version tag)
** Consider permitting only a specific revision (instead of relying on a version tag)


== Docker Security Best Practices ==
== Recommendations ==
To enhance the security and efficiency of your Docker workflows, consider implementing the following best practices:
 
=== Utilize a <code>.dockerignore</code> File ===
A well-configured <code>.dockerignore</code> file is essential for optimizing your Docker build process. It functions similarly to a <code>.gitignore</code> file by specifying which files and directories should be excluded from the build context. This practice reduces the build size, leading to faster builds, and prevents sensitive or unnecessary files from being included in your Docker images.
 
==== Recommendations ====
* '''Exclude Version Control Directories''': Add <code>.git/</code> to your <code>.dockerignore</code> file to prevent the inclusion of Git configuration which could include the authentication token, history and metadata in your Docker image, thereby reducing image size and avoiding potential exposure of sensitive information.
<syntaxhighlight lang="bash">
.git/
</syntaxhighlight>
 
* '''Exclude Node Modules''': For Node.js projects, exclude the <code>node_modules/</code> directory to prevent unnecessary files from being added to the Docker image.
<syntaxhighlight lang="bash">
node_modules/
</syntaxhighlight>
 
* '''Exclude Temporary and Log Files''': Prevent temporary files and logs from being included in the image by adding patterns like:
<syntaxhighlight lang="bash">
*.log
*.tmp
</syntaxhighlight>
 
* '''Exclude GitHub Actions Credential Files''': Exclude credential JSON files (<code>gha-creds-*.json</code>) used in GitHub Actions workflows to avoid inadvertently including authentication data in Docker images. Alternatively, build Docker images before running the <code>google-github-actions/auth@v2</code> step in your GitHub workflow, ensuring these credentials aren't present in your build context.
<syntaxhighlight lang="bash">
gha-creds-*.json
</syntaxhighlight>
 
===== Sample <code>.dockerignore</code> file =====
<syntaxhighlight lang="bash">
.git/
 
node_modules/
*.log
*.tmp
 
gha-creds-*.json
</syntaxhighlight>


=== Manage Sensitive Data Securely ===
=== Manage Sensitive Data Securely ===
Line 143: Line 106:
If some permissions are required, set them to the minimum necessary.
If some permissions are required, set them to the minimum necessary.


=== Implement secure configuration ===
* When configuring workflows for automated merging or handling Dependabot pull requests, always validate the user initiating the request instead of the actor. For example, use:
* When configuring workflows for automated merging or handling Dependabot pull requests, always validate the user initiating the request instead of the actor. For example, use:
<syntaxhighlight lang="yaml">
<syntaxhighlight lang="yaml">
Line 156: Line 120:


* '''Avoid Storing Tokens in Git''': Ensure tokens are not stored in your Git repository by adding relevant patterns to your <code>.gitignore</code> file and using GitHub Actions secrets to securely manage sensitive information.
* '''Avoid Storing Tokens in Git''': Ensure tokens are not stored in your Git repository by adding relevant patterns to your <code>.gitignore</code> file and using GitHub Actions secrets to securely manage sensitive information.
=== Docker Security Best Practices ===
To enhance the security and efficiency of your Docker workflows, consider implementing the following best practices:
==== Utilize a <code>.dockerignore</code> File ====
A well-configured <code>.dockerignore</code> file is essential for optimizing your Docker build process. It functions similarly to a <code>.gitignore</code> file by specifying which files and directories should be excluded from the build context. This practice reduces the build size, leading to faster builds, and prevents sensitive or unnecessary files from being included in your Docker images.
* '''Exclude Version Control Directories''': Add <code>.git/</code> to your <code>.dockerignore</code> file to prevent the inclusion of Git configuration which could include the authentication token, history and metadata in your Docker image, thereby reducing image size and avoiding potential exposure of sensitive information.
<syntaxhighlight lang="bash">
.git/
</syntaxhighlight>
* '''Exclude Node Modules''': For Node.js projects, exclude the <code>node_modules/</code> directory to prevent unnecessary files from being added to the Docker image.
<syntaxhighlight lang="bash">
node_modules/
</syntaxhighlight>
* '''Exclude Temporary and Log Files''': Prevent temporary files and logs from being included in the image by adding patterns like:
<syntaxhighlight lang="bash">
*.log
*.tmp
</syntaxhighlight>
* '''Exclude GitHub Actions Credential Files''': Exclude credential JSON files (<code>gha-creds-*.json</code>) used in GitHub Actions workflows to avoid inadvertently including authentication data in Docker images. Alternatively, build Docker images before running the <code>google-github-actions/auth@v2</code> step in your GitHub workflow, ensuring these credentials aren't present in your build context.
<syntaxhighlight lang="bash">
gha-creds-*.json
</syntaxhighlight>
* '''Sample <code>.dockerignore</code> file''':
<syntaxhighlight lang="bash">
.git/
node_modules/
*.log
*.tmp
gha-creds-*.json
</syntaxhighlight>
Fkiriakos
Confirmed users
13

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/1254112"

Navigation menu