Conversation
Pin every external action to its full-length commit SHA with a version comment. Mutable tag refs (including @master on aws-actions/configure-aws-credentials) are a supply-chain risk — a compromised tag silently changes the code that runs.

Add zizmor static analysis to chart-test.yaml with SARIF upload to the Security tab. SARIF upload is conditional on non-fork context; fork PRs still run zizmor as a pass/fail check.

Version upgrades included:
- actions/checkout v4 → v6.0.2
- actions/create-github-app-token v2 → v3.1.1
- actions/setup-python v5 → v6.2.0
- aws-actions/configure-aws-credentials @master → v6.1.0
- azure/setup-helm v4 → v5.0.0
- extractions/setup-just v2 → v4
- peter-evans/create-pull-request v6 → v6.1.0 (chart-rebuild)
- slackapi/slack-github-action v1.27.0 → v3.0.1

Dependabot (configured in #836) will keep these updated.
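As an added illustration of the pinning rule the description relies on (example code written for this page, not part of the PR or of zizmor), the check below parses `uses:` references out of a workflow and reports any that are not pinned to a 40-character commit SHA, plus any SHA-pinned ones that lack the version comment Dependabot needs to keep them current. The workflow text and the SHAs in it are constructed placeholders, not the real SHAs of the versions named in the PR.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow: one correctly pinned step, two mutable refs,
# one local action, one SHA pin without a version comment. The SHAs are
# placeholders, not the real commits behind these versions.
SAMPLE_WORKFLOW = """\
name: chart-test
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v6.0.2
      - uses: aws-actions/configure-aws-credentials@master
      - uses: azure/setup-helm@v5.0.0
      - uses: ./.github/actions/local-thing
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
"""

# "uses: owner/repo@ref   # optional trailing comment"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"]+)['\"]?(?P<rest>.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d")

Finding = Tuple[int, str, str]  # (line number, action, ref)


def audit_workflow(workflow_text: str) -> Dict[str, List[Finding]]:
    """Return mutable-ref uses and SHA-pinned uses missing a version comment."""
    unpinned: List[Finding] = []
    missing_comment: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, rest = m.group("action"), m.group("ref"), m.group("rest")
        # Local composite actions and docker:// refs are not tag-pinned the same way.
        if action.startswith(("./", "docker://")):
            continue
        if not FULL_SHA_RE.match(ref):
            unpinned.append((lineno, action, ref))  # tag or branch: mutable
        elif not VERSION_COMMENT_RE.search(rest):
            missing_comment.append((lineno, action, ref))  # pinned but opaque
    return {"unpinned": unpinned, "missing_version_comment": missing_comment}


if __name__ == "__main__":
    for kind, findings in audit_workflow(SAMPLE_WORKFLOW).items():
        for lineno, action, ref in findings:
            print(f"line {lineno}: {kind}: {action}@{ref}")
```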
GCRev left a comment:
LGTM. Is there more context for this change like you noticed something started failing, or it's a security problem to use the plain version tags?
It's a supply chain risk. Using the full-length commit SHA is actually GitHub's own recommendation: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
Review comment on chart-test.yaml, at these lines:

      run: |
        just test-connect-interpreter-versions

  zizmor:
Zizmor is for static analysis for GitHub Actions: https://docs.zizmor.sh/
I added it to this PR so that it will flag any actions that are not pinned to a sha. I'll update the PR description to have more context.
We are exploring similar work in Connect and discovered there is a repo setting that can enforce SHA pinning.
Settings > Actions > General > Require all Actions to use a SHA
Per the docs "When you enable Require actions to be pinned to a full-length commit SHA, all actions must be pinned to a full-length commit SHA to be used."
Summary

@master on aws-actions/configure-aws-credentials

Version upgrades

| Action | Before | After |
| --- | --- | --- |
| actions/checkout | @v4 | v6.0.2 |
| actions/create-github-app-token | @v2 / @v3 | v3.1.1 |
| actions/setup-python | @v5 | v6.2.0 |
| aws-actions/configure-aws-credentials | @master | v6.1.0 |
| azure/setup-helm | @v4 | v5.0.0 |
| extractions/setup-just | @v2 | v4 |
| peter-evans/create-pull-request (chart-rebuild) | @v6 | v6.1.0 |
| slackapi/slack-github-action | @v1.27.0 | v3.0.1 |

Test plan

- slackapi/slack-github-action: v3 payload format is compatible (v1 → v3 is a major bump)
- azure/setup-helm: v5 works (v4 → v5)
- actions/setup-python: v6 works (v5 → v6)