
✨ Check for correct action pinning #285

Merged (6 commits), Oct 29, 2024

Conversation

@jasonBirchall (Member) commented Oct 29, 2024

This pull request includes implementing a new GitHub Action to check for untrusted GitHub Actions pinned to a version rather than a SHA hash.

As per GitHub's documentation on using third-party actions, we should use the commit hash of a release rather than the GitHub version.

i.e.

This 👇
uses: oxsecurity/megalinter/flavors/python@32c1b3827a334c80026c654f31ee1b4801ad8798

Over 👇
uses: oxsecurity/megalinter/flavors/python@v1

The action simply uses the string value after the @ symbol. This is a simple way to check for a commit hash, and the following examples will not be captured:

  • If the third-party action doesn't follow semver.
  • If the third-party action doesn't contain the "v" before the version.

We've chosen the following organisations as "trusted":

  • ministryofjustice
  • actions

It's been agreed that we can implicitly trust these authors' actions, and version pinning can take place without an SHA.

### Why not just use ActionLint?

We attempted to use actionlint, but we found it too opinionated and rigid. We only want to check if third-party actions are pinned by a SHA.

### What's next

  • Better output logging
  • Creating a PR comment with suggestions

Implementation of GitHub Action:

  • Dockerfile: Created a Dockerfile to set up the environment for the action using python:3.12-slim and installing necessary dependencies from requirements.txt. (check-version-pinning/Dockerfile)
  • Main Script: Implemented the main script check_version_pinning.py to scan workflow files and check for untrusted GitHub Actions pinned to a version. (check-version-pinning/check_version_pinning.py)
  • Action Metadata: Added action.yaml to define the action's inputs, outputs, and how it runs using the Docker image. (check-version-pinning/action.yaml)

Documentation and Tests:

  • Documentation: Created README.md to provide an overview of the action, its inputs, outputs, and an example usage. (check-version-pinning/README.md)
  • Tests: Added unit tests in test_check_version_pinning.py to verify the functionality of the main script. (check-version-pinning/test_check_version_pinning.py)
  • Requirements: Specified pyyaml as a dependency in requirements.txt. (check-version-pinning/requirements.txt)

- Added `check_version_pinning.py` script to detect untrusted GitHub
Actions not pinned to a SHA
- Configured `action.yaml` with inputs for `workflow_directory` and
`scan_mode`
- Implemented Dockerfile to support Python-based scanning with required
dependencies
- Enabled user-configurable scan modes (`full` repository scan or
`pr_changes` for pull requests only)
- Documented usage and examples in README.md for easy adoption by others

This commit introduces a flexible and reusable GitHub Action to help
ensure secure, SHA-pinned dependencies in workflows.

Please see the following documentation for more information about GitHub
Action hardening.
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
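The check the description outlines, as an added illustration that is not the PR's own check_version_pinning.py: it takes the string after the `@` in every `uses:` line, skips the two trusted owners, and reports anything that is not a full 40-hex commit SHA (so short SHAs, tags such as `v1` and branch names are all flagged). Unlike the PR's script it scans lines with a regex rather than parsing the YAML, so it runs with no dependencies; the sample workflow and the `some-org` action in it are constructed.

```python
import re
# Organisations whose actions the PR treats as trusted (from the description above).
TRUSTED_OWNERS = {"ministryofjustice", "actions"}
# A 'uses:' step line, tolerant of list dashes, quotes and trailing comments.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# Only a full 40-hex commit SHA after '@' counts as pinned; tags and branches do not.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

def is_sha_pinned(ref: str) -> bool:
    return bool(SHA_RE.match(ref))

def find_unpinned_actions(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, uses) pairs for untrusted actions not pinned to a SHA.

    Local actions (./path), docker:// images and entries without '@' have no
    third-party owner/ref to evaluate and are skipped.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        uses = match.group(1)
        if "@" not in uses or uses.startswith(("./", "docker://")):
            continue
        path, ref = uses.rsplit("@", 1)
        owner = path.split("/", 1)[0]  # 'oxsecurity' in 'oxsecurity/megalinter/...'
        if owner not in TRUSTED_OWNERS and not is_sha_pinned(ref):
            findings.append((lineno, uses))
    return findings

# Constructed sample workflow covering the cases discussed in the PR.
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: oxsecurity/megalinter/flavors/python@v1
      - uses: oxsecurity/megalinter/flavors/python@32c1b3827a334c80026c654f31ee1b4801ad8798
      - uses: "ministryofjustice/some-action@main"
      - uses: ./.github/actions/local-action
      - uses: some-org/other-action@32c1b38  # short SHA: reported, not a full hash
"""

if __name__ == "__main__":
    for lineno, uses in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is not pinned to a full commit SHA")
```

The line number in each finding is what a later "PR comment with suggestions" step would need to annotate the offending `uses:` line.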
jasonBirchall requested a review from a team as a code owner, October 29, 2024 10:41
jasonBirchall changed the title from "✨ Check for untrusted action pinning" to "✨ Check for correct action pinning", Oct 29, 2024
jasonBirchall merged commit 2f98b72 into main, Oct 29, 2024 (4 checks passed)
jasonBirchall deleted the add-github-workflow-hash branch, October 29, 2024 14:39