Configure AppSec in CI

.github/dependabot.yaml

@@ -0,0 +1,44 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    github-actions:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"
+- package-ecosystem: docker
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    docker:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"
+- package-ecosystem: gomod
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    gomod:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"

.github/dependency-review-config.yaml

@@ -0,0 +1,29 @@
+# https://github.com/cncf/foundation/blob/main/policies-guidance/allowed-third-party-license-policy.md
+allow-licenses:
+# default allowed
+- 'Apache-2.0'
+# explicit CNCF allowlist
+- '0BSD'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'MIT-0'
+- 'OpenSSL'
+- 'OpenSSL-standalone'
+- 'PSF-2.0'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'Python-2.0.1'
+- 'SSLeay-standalone'
+- 'UPL-1.0'
+- 'X11'
+- 'Zlib'
+# Google's patent licence for Go
+- 'LicenseRef-scancode-google-patent-license-golang'
+
+allow-dependencies-licenses:
+# this package is MPL-2.0 and has a CNCF exception
+# https://github.com/cncf/foundation/blob/9b8c9173c2101c1b4aedad3caf2c0128715133f6/license-exceptions/cncf-exceptions-2022-04-12.json#L43C17-L43C47
+- pkg:golang/github.com/go-sql-driver/mysql

.github/workflows/build_and_publish.yml

@@ -13,6 +13,14 @@ on:
 jobs:
   docker:
     runs-on: ubuntu-latest
+    permissions:
+      # checkout
+      contents: read
+      # image push
+      packages: write
+      # actions/attest
+      id-token: write
+      attestations: write
     steps:
       -
         name: Checkout
@@ -49,6 +57,7 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build and push
+        id: build-and-push
         if: github.event_name != 'pull_request'
         uses: docker/build-push-action@v6
         with:
@@ -57,3 +66,12 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          sbom: true
+      -
+        name: Attest ghcr image
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        if: github.event_name != 'pull_request'
+        with:
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          subject-name: ghcr.io/${{ github.repository }}
+          push-to-registry: true

.github/workflows/dependency-review.yaml

@@ -0,0 +1,19 @@
+name: dependency review
+on:
+  pull_request:
+    branches:
+    - main
+  merge_group:
+    types:
+    - checks_requested
+permissions: {}
+jobs:
+  dependency-review:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0
+      with:
+        config-file: .github/dependency-review-config.yaml

.github/workflows/lint.yaml

@@ -0,0 +1,29 @@
+name: lint
+on:
+  pull_request:
+    branches:
+    - main
+  merge_group:
+    types:
+    - checks_requested
+permissions: {}
+jobs:
+  lint-go:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      with:
+        go-version: stable
+    - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+  lint-actions:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
+      with:
+        args: -color

.github/workflows/ossf-analysis.yaml

@@ -0,0 +1,31 @@
+name: OSSF scorecard
+on:
+  push:
+    branches:
+    - main
+permissions: {}
+jobs:
+  ossf-scorecard-analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      # Needed if using Code scanning alerts
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - name: Run analysis
+      uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        # Publish the results for public repositories to enable scorecard badges. For more details, see
+        # https://github.com/ossf/scorecard-action#publishing-results.
+        # For private repositories, `publish_results` will automatically be set to `false`, regardless
+        # of the value entered here.
+        publish_results: true
+    - name: Upload SARIF results to code scanning
+      uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v3.29.5
+      with:
+        sarif_file: results.sarif

.golangci.yaml

@@ -0,0 +1,9 @@
+version: "2"
+run:
+  timeout: 180s
+linters:
+  enable:
+  - gocritic
+  exclusions:
+    presets:
+    - std-error-handling

README.md

@@ -1,5 +1,8 @@
 # DBaaS Operator
 
+[![OpenSSF Baseline](https://www.bestpractices.dev/projects/12250/baseline)](https://www.bestpractices.dev/projects/12250)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/amazeeio/dbaas-operator/badge)](https://securityscorecards.dev/viewer/?uri=github.com/amazeeio/dbaas-operator)
+
 This set of controllers is meant to be used as a replacement for the ansible service broker and https://github.com/amazeeio/dbaas-mariadb-apb to run in Kubernetes.
 
 It allows for provisiong and deprovisioning of shared MySQL/MariaDB, PostgreSQL, and MongoDB databases.
@@ -67,4 +70,4 @@ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/v2.0.0-b
 kubectl apply -f test-resources/dashboard-rbac.yaml
 kubectl -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}')
 kubectl proxy
-```
+```