Updates

.github/workflows/code-review.yml

@@ -11,7 +11,7 @@ jobs:
       pull-requests: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
         with:
           disable-sudo: true
           egress-policy: block

.github/workflows/codeql-analysis.yml

@@ -37,15 +37,15 @@ jobs:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
 
     steps:
-    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+    - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         egress-policy: audit
     - name: Checkout repository
-      uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5f532563584d71fdef14ee64d17bafb34f751ce5
+      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -56,7 +56,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@5f532563584d71fdef14ee64d17bafb34f751ce5
+      uses: github/codeql-action/autobuild@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -70,4 +70,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5f532563584d71fdef14ee64d17bafb34f751ce5
+      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15

.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+        uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
         with:
           egress-policy: audit
 

.github/workflows/int.yml

@@ -11,35 +11,38 @@ env:
   GOPRIVATE: github.com/step-security
 jobs:
   integration-test:
+    if: github.event.repository.fork == false
     permissions:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@v2
+      - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go
-        uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
+        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
         with:
           go-version: 1.24.1
 
       - name: Configure .netrc
+        env:
+          PAT: ${{ secrets.PAT }}
         run: |
           if [[ ! -e "~/.netrc" ]]; then
               touch ~/.netrc
           fi
-          printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc
-      
+          printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc
+
       - name: Create go vendor dir
         run: |
           go mod vendor
 
       - run: sudo go test -v
       - run: go build -ldflags="-s -w" -o ./agent
       - name: Configure aws credentials
-        uses: aws-actions/configure-aws-credentials@ea7b857d8a33dc2fb4ef5a724500044281b49a5e
+        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

.github/workflows/release.yml

@@ -10,11 +10,12 @@ env:
   GOPRIVATE: github.com/step-security
 jobs:
   release:
+    if: github.event.repository.fork == false
     permissions:
       contents: write
     runs-on: ubuntu-22.04
     steps:
-    - uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
+    - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
       with:
         allowed-endpoints: 
           api.github.com:443
@@ -25,26 +26,28 @@ jobs:
           storage.googleapis.com:443
           uploads.github.com:443
     - name: Checkout
-      uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set up Go 
-      uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
         go-version: 1.24.1
 
     - name: Configure .netrc
+      env:
+        PAT: ${{ secrets.PAT }}
       run: |
         if [[ ! -e "~/.netrc" ]]; then
             touch ~/.netrc
         fi
-        printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc
+        printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc
 
 
     - name: Create go vendor dir
       run: |
         go mod vendor
 
 
-    - uses: goreleaser/goreleaser-action@5df302e5e9e4c66310a6b6493a8865b12c555af2
+    - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
       with:
         distribution: goreleaser
         version: latest

.github/workflows/scorecard-analysis.yml

@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # tag=v1.0.26
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3.28.15
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -12,28 +12,31 @@ env:
 
 jobs:
   test:
+    if: github.event.repository.fork == false
     permissions:
       contents: read
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set up Go 
-      uses: actions/setup-go@424fc82d43fa5a37540bae62709ddcc23d9520d4
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
         go-version: 1.24.1
 
     - name: Configure .netrc
+      env:
+        PAT: ${{ secrets.PAT }}
       run: |
         if [[ ! -e "~/.netrc" ]]; then
             touch ~/.netrc
         fi
-        printf "machine github.com login stepsecurity-infra-bot password ${{ secrets.PAT }}" >>~/.netrc
+        printf "machine github.com login stepsecurity-infra-bot password $PAT" >>~/.netrc
 
     - name: Create go vendor dir
       run: |
         go mod vendor
 
     - name: Run coverage
       run: sudo CI=true go test -race -coverprofile=coverage.txt -covermode=atomic      
-    - uses: codecov/codecov-action@40a12dcee2df644d47232dde008099a3e9e4f865
+    - uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2

config.go

@@ -2,7 +2,7 @@ package main
 
 import (
 	"encoding/json"
-	"io/ioutil"
+	"os"
 	"strconv"
 	"strings"
 
@@ -50,7 +50,7 @@ type configFile struct {
 // init reads the config file for the agent and initializes config settings
 func (c *config) init(configFilePath string) error {
 	var configFile configFile
-	data, err := ioutil.ReadFile(configFilePath)
+	data, err := os.ReadFile(configFilePath)
 	if err != nil {
 		return errors.Wrap(err, "failed to read config file")
 	}

dnsconfig.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path"
@@ -30,7 +29,7 @@ const (
 
 func updateDockerConfig(configPath string) error {
 
-	data, err := ioutil.ReadFile(configPath)
+	data, err := os.ReadFile(configPath)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return errors.Wrap(err, "failed to read config file")
 	}

dnsconfig_test.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"io/ioutil"
 	"log"
 	"os"
 	"path"
@@ -10,7 +9,7 @@ import (
 )
 
 func createTempFileWithContents(content string) string {
-	file, err := ioutil.TempFile("", "*.json")
+	file, err := os.CreateTemp("", "*.json")
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -28,7 +27,7 @@ func Test_updateDockerConfig(t *testing.T) {
 		configPath string
 	}
 	tmpFileName := createTempFileWithContents("{ \"cgroup-parent\": \"/actions_job\"}")
-	mockDockerConfigPath, err := ioutil.TempDir("", "")
+	mockDockerConfigPath, err := os.MkdirTemp("", "")
 	if err != nil {
 		log.Fatal(err)
 	}
@@ -54,7 +53,7 @@ func Test_updateDockerConfig(t *testing.T) {
 			if err := updateDockerConfig(tt.args.configPath); (err != nil) != tt.wantErr {
 				t.Errorf("updateDockerConfig() error = %v, wantErr %v", err, tt.wantErr)
 			}
-			content, err := ioutil.ReadFile(tt.args.configPath)
+			content, err := os.ReadFile(tt.args.configPath)
 			if err != nil {
 				log.Fatal(err)
 			}
@@ -87,7 +86,7 @@ func Test_writeResolveConfig(t *testing.T) {
 			if err := writeResolveConfig(tt.args.configPath); (err != nil) != tt.wantErr {
 				t.Errorf("writeResolveConfig() error = %v, wantErr %v", err, tt.wantErr)
 			}
-			content, err := ioutil.ReadFile(tt.args.configPath)
+			content, err := os.ReadFile(tt.args.configPath)
 			if err != nil {
 				log.Fatal(err)
 			}

dnsproxy.go

@@ -3,7 +3,7 @@ package main
 import (
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"math"
 	"net/http"
 	"strings"
@@ -141,7 +141,7 @@ func (proxy *DNSProxy) ResolveDomain(domain string) (*Answer, error) {
 
 	defer resp.Body.Close()
 
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 
 	if err != nil {
 		return nil, fmt.Errorf("error in response from dns.google %v", err)

eventhandler.go

@@ -5,7 +5,6 @@ import (
 	"crypto/sha256"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net"
 	"os"
 	"path"
@@ -153,7 +152,7 @@ func printContainerInfo(pid, ppid string) {
 	}
 
 	cgroupPath := fmt.Sprintf("/proc/%s/cgroup", pid)
-	content, err := ioutil.ReadFile(cgroupPath)
+	content, err := os.ReadFile(cgroupPath)
 	if err != nil {
 		WriteLog(fmt.Sprintf("cgroup not found %v", err))
 	} else {
@@ -213,7 +212,7 @@ func (eventHandler *EventHandler) HandleEvent(event *Event) {
 }
 
 func GetContainerIdByPid(cgroupPath string) string {
-	content, err := ioutil.ReadFile(cgroupPath)
+	content, err := os.ReadFile(cgroupPath)
 	if err != nil {
 		// WriteLog(fmt.Sprintf("error reading cgrouppath: %s : %v", cgroupPath, err))
 		return ""

procmon_linux.go

@@ -6,7 +6,6 @@ package main
 import (
 	"fmt"
 
-	"io/ioutil"
 	"os"
 	"strings"
 
@@ -177,7 +176,7 @@ func (p *ProcessMonitor) receive(r *libaudit.AuditClient) error {
 
 func getParentProcessId(pid string) (int, error) {
 	statPath := fmt.Sprintf("/proc/%s/stat", pid)
-	dataBytes, err := ioutil.ReadFile(statPath)
+	dataBytes, err := os.ReadFile(statPath)
 	if err != nil {
 		return -1, err
 	}