feat(security): security best practices from StepSecurity

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2026-04-11 20:28:51 +00:00 · 2026-03-27 18:23:28 +00:00
42 changed files with 126 additions and 0 deletions
--- a/.github/workflows/api-bump-version.yml
+++ b/.github/workflows/api-bump-version.yml
@@ -13,6 +13,9 @@ env:
  PROWLER_VERSION: ${{ github.event.release.tag_name }}
  BASE_BRANCH: master

+permissions:
+  contents: read
+
 jobs:
  detect-release-type:
    runs-on: ubuntu-latest
--- a/.github/workflows/api-code-quality.yml
+++ b/.github/workflows/api-code-quality.yml
@@ -17,6 +17,9 @@ concurrency:
 env:
  API_WORKING_DIR: ./api

+permissions:
+  contents: read
+
 jobs:
  api-code-quality:
    runs-on: ubuntu-latest
--- a/.github/workflows/api-codeql.yml
+++ b/.github/workflows/api-codeql.yml
@@ -24,6 +24,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  api-analyze:
    name: CodeQL Security Analysis
--- a/.github/workflows/api-container-build-push.yml
+++ b/.github/workflows/api-container-build-push.yml
@@ -33,6 +33,9 @@ env:
  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-api

+permissions:
+  contents: read
+
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/api-container-checks.yml
+++ b/.github/workflows/api-container-checks.yml
@@ -18,6 +18,9 @@ env:
  API_WORKING_DIR: ./api
  IMAGE_NAME: prowler-api

+permissions:
+  contents: read
+
 jobs:
  api-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/api-security.yml
+++ b/.github/workflows/api-security.yml
@@ -17,6 +17,9 @@ concurrency:
 env:
  API_WORKING_DIR: ./api

+permissions:
+  contents: read
+
 jobs:
  api-security-scans:
    runs-on: ubuntu-latest
--- a/.github/workflows/api-tests.yml
+++ b/.github/workflows/api-tests.yml
@@ -30,6 +30,9 @@ env:
  VALKEY_DB: 0
  API_WORKING_DIR: ./api

+permissions:
+  contents: read
+
 jobs:
  api-tests:
    runs-on: ubuntu-latest
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -17,6 +17,9 @@ env:
  BACKPORT_LABEL_PREFIX: backport-to-
  BACKPORT_LABEL_IGNORE: was-backported

+permissions:
+  contents: read
+
 jobs:
  backport:
    if: github.event.pull_request.merged == true && !(contains(github.event.pull_request.labels.*.name, 'backport')) && !(contains(github.event.pull_request.labels.*.name, 'was-backported'))
--- a/.github/workflows/ci-zizmor.yml
+++ b/.github/workflows/ci-zizmor.yml
@@ -21,6 +21,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  zizmor:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/comment-label-update.yml
+++ b/.github/workflows/comment-label-update.yml
@@ -9,6 +9,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.issue.number }}
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  update-labels:
    if: contains(github.event.issue.labels.*.name, 'status/awaiting-response')
--- a/.github/workflows/conventional-commit.yml
+++ b/.github/workflows/conventional-commit.yml
@@ -16,6 +16,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  conventional-commit-check:
    runs-on: ubuntu-latest
--- a/.github/workflows/create-backport-label.yml
+++ b/.github/workflows/create-backport-label.yml
@@ -13,6 +13,9 @@ env:
  BACKPORT_LABEL_PREFIX: backport-to-
  BACKPORT_LABEL_COLOR: B60205

+permissions:
+  contents: read
+
 jobs:
  create-label:
    runs-on: ubuntu-latest
--- a/.github/workflows/docs-bump-version.yml
+++ b/.github/workflows/docs-bump-version.yml
@@ -13,6 +13,9 @@ env:
  PROWLER_VERSION: ${{ github.event.release.tag_name }}
  BASE_BRANCH: master

+permissions:
+  contents: read
+
 jobs:
  detect-release-type:
    runs-on: ubuntu-latest
--- a/.github/workflows/find-secrets.yml
+++ b/.github/workflows/find-secrets.yml
@@ -14,6 +14,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  scan-secrets:
    runs-on: ubuntu-latest
--- a/.github/workflows/helm-chart-checks.yml
+++ b/.github/workflows/helm-chart-checks.yml
@@ -21,6 +21,9 @@ concurrency:
 env:
  CHART_PATH: contrib/k8s/helm/prowler-app

+permissions:
+  contents: read
+
 jobs:
  helm-lint:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/helm-chart-release.yml
+++ b/.github/workflows/helm-chart-release.yml
@@ -13,6 +13,9 @@ concurrency:
 env:
  CHART_PATH: contrib/k8s/helm/prowler-app

+permissions:
+  contents: read
+
 jobs:
  release-helm-chart:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -15,6 +15,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  labeler:
    runs-on: ubuntu-latest
--- a/.github/workflows/mcp-container-build-push.yml
+++ b/.github/workflows/mcp-container-build-push.yml
@@ -32,6 +32,9 @@ env:
  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-mcp

+permissions:
+  contents: read
+
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/mcp-container-checks.yml
+++ b/.github/workflows/mcp-container-checks.yml
@@ -18,6 +18,9 @@ env:
  MCP_WORKING_DIR: ./mcp_server
  IMAGE_NAME: prowler-mcp

+permissions:
+  contents: read
+
 jobs:
  mcp-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/mcp-pypi-release.yml
+++ b/.github/workflows/mcp-pypi-release.yml
@@ -14,6 +14,9 @@ env:
  PYTHON_VERSION: "3.12"
  WORKING_DIRECTORY: ./mcp_server

+permissions:
+  contents: read
+
 jobs:
  validate-release:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/pr-check-changelog.yml
+++ b/.github/workflows/pr-check-changelog.yml
@@ -16,6 +16,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  check-changelog:
    if: contains(github.event.pull_request.labels.*.name, 'no-changelog') == false
--- a/.github/workflows/pr-conflict-checker.yml
+++ b/.github/workflows/pr-conflict-checker.yml
@@ -15,6 +15,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  check-conflicts:
    runs-on: ubuntu-latest
--- a/.github/workflows/pr-merged.yml
+++ b/.github/workflows/pr-merged.yml
@@ -12,6 +12,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  trigger-cloud-pull-request:
    if: |
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -17,6 +17,9 @@ concurrency:
 env:
  PROWLER_VERSION: ${{ inputs.prowler_version }}

+permissions:
+  contents: read
+
 jobs:
  prepare-release:
    if: github.event_name == 'workflow_dispatch' && github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-bump-version.yml
+++ b/.github/workflows/sdk-bump-version.yml
@@ -13,6 +13,9 @@ env:
  PROWLER_VERSION: ${{ github.event.release.tag_name }}
  BASE_BRANCH: master

+permissions:
+  contents: read
+
 jobs:
  detect-release-type:
    runs-on: ubuntu-latest
--- a/.github/workflows/sdk-check-duplicate-test-names.yml
+++ b/.github/workflows/sdk-check-duplicate-test-names.yml
@@ -10,6 +10,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  check-duplicate-test-names:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-code-quality.yml
+++ b/.github/workflows/sdk-code-quality.yml
@@ -14,6 +14,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  sdk-code-quality:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-codeql.yml
+++ b/.github/workflows/sdk-codeql.yml
@@ -30,6 +30,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  sdk-analyze:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-container-build-push.yml
+++ b/.github/workflows/sdk-container-build-push.yml
@@ -46,6 +46,9 @@ env:
  # AWS configuration (for ECR)
  AWS_REGION: us-east-1

+permissions:
+  contents: read
+
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-container-checks.yml
+++ b/.github/workflows/sdk-container-checks.yml
@@ -17,6 +17,9 @@ concurrency:
 env:
  IMAGE_NAME: prowler

+permissions:
+  contents: read
+
 jobs:
  sdk-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-pypi-release.yml
+++ b/.github/workflows/sdk-pypi-release.yml
@@ -13,6 +13,9 @@ env:
  RELEASE_TAG: ${{ github.event.release.tag_name }}
  PYTHON_VERSION: '3.12'

+permissions:
+  contents: read
+
 jobs:
  validate-release:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-refresh-aws-services-regions.yml
+++ b/.github/workflows/sdk-refresh-aws-services-regions.yml
@@ -13,6 +13,9 @@ env:
  PYTHON_VERSION: '3.12'
  AWS_REGION: 'us-east-1'

+permissions:
+  contents: read
+
 jobs:
  refresh-aws-regions:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-refresh-oci-regions.yml
+++ b/.github/workflows/sdk-refresh-oci-regions.yml
@@ -12,6 +12,9 @@ concurrency:
 env:
  PYTHON_VERSION: '3.12'

+permissions:
+  contents: read
+
 jobs:
  refresh-oci-regions:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-security.yml
+++ b/.github/workflows/sdk-security.yml
@@ -14,6 +14,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  sdk-security-scans:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/sdk-tests.yml
+++ b/.github/workflows/sdk-tests.yml
@@ -14,6 +14,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  sdk-tests:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/test-impact-analysis.yml
+++ b/.github/workflows/test-impact-analysis.yml
@@ -31,6 +31,9 @@ on:
        description: "Whether there are UI E2E tests to run"
        value: ${{ jobs.analyze.outputs.has-ui-e2e }}

+permissions:
+  contents: read
+
 jobs:
  analyze:
    runs-on: ubuntu-latest
--- a/.github/workflows/ui-bump-version.yml
+++ b/.github/workflows/ui-bump-version.yml
@@ -13,6 +13,9 @@ env:
  PROWLER_VERSION: ${{ github.event.release.tag_name }}
  BASE_BRANCH: master

+permissions:
+  contents: read
+
 jobs:
  detect-release-type:
    runs-on: ubuntu-latest
--- a/.github/workflows/ui-codeql.yml
+++ b/.github/workflows/ui-codeql.yml
@@ -26,6 +26,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  ui-analyze:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/ui-container-build-push.yml
+++ b/.github/workflows/ui-container-build-push.yml
@@ -35,6 +35,9 @@ env:
  # Build args
  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1

+permissions:
+  contents: read
+
 jobs:
  setup:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/ui-container-checks.yml
+++ b/.github/workflows/ui-container-checks.yml
@@ -18,6 +18,9 @@ env:
  UI_WORKING_DIR: ./ui
  IMAGE_NAME: prowler-ui

+permissions:
+  contents: read
+
 jobs:
  ui-dockerfile-lint:
    if: github.repository == 'prowler-cloud/prowler'
--- a/.github/workflows/ui-e2e-tests-v2.yml
+++ b/.github/workflows/ui-e2e-tests-v2.yml
@@ -15,6 +15,9 @@ on:
      - 'ui/**'
      - 'api/**'  # API changes can affect UI E2E

+permissions:
+  contents: read
+
 jobs:
  # First, analyze which tests need to run
  impact-analysis:
--- a/.github/workflows/ui-tests.yml
+++ b/.github/workflows/ui-tests.yml
@@ -18,6 +18,9 @@ env:
  UI_WORKING_DIR: ./ui
  NODE_VERSION: '24.13.0'

+permissions:
+  contents: read
+
 jobs:
  ui-tests:
    runs-on: ubuntu-latest