Add Compliance check: pinActionsToSHA

[UlisesGascon]

How the Check Works

Provide a clear definition based on the spreadsheet

Pending Tasks

You can find more details in the contributing guide

• 1. Define a Good Implementation Example
  • Read the documentation (guidelines, best practices...)
  • Brainstorm how to implement this check (logic, alerts, tasks, validations, edge cases...).
  • Achieve an agreement on the implementation details before starting to work on this.
• 2. Update Check Record Example
  • Update the compliance_checks row with the following fields: how_to_url, implementation_status, implementation_type and implementation_details_reference
  • Check the migration scripts using npm run db:migrate and npm run db:rollback
  • Update the database schema by running npm run db:generate-schema
• 3. Implement the Business Logic Validator Example and Check Example
  • Add the specific validator in src/checks/validators/index.js
  • Add the check logic in src/checks/complianceChecks
  • Ensure that the check is in scope for the organization (use isCheckApplicableToProjectCategory)
  • Ensure that the severity value is well calculated (use getSeverityFromPriorityGroup)
  • Add the alert row in the compliance_checks_alerts table when is needed.
  • Add the task row in the compliance_checks_tasks table when is needed.
  • Add the result row in the compliance_checks_results table.
• 4. Ensure It Works as Expected
  • Add new unit tests for the validator check.
  • Add new integration test cases for this check.
  • Verify that all tests are passing.
  • Run the command check run --name {check_code_name} and verify the changes in the database. Update the seed script if needed (npm run db:seed)
• 5. Update the website Example
  • Review the current content it in https://openjs-security-program-standards.netlify.app/details/{check_code_name}
  • Create a PR in https://github.com/secure-dashboards/openjs-security-program-standards to include how we calculate this check and include additional information on the mitigation if needed.

[UlisesGascon]

this can be solved using the OSSF Sorecard table, we can use the pinned_dependencies_score and the pinned_dependencies_details while it mention *GitHubAction not pinned by hash*, like in:

    "pinned_dependencies_reason": "dependency not pinned by hash detected -- score normalized to 2",
    "pinned_dependencies_score": 2,
    "pinned_dependencies_documentation_url": "https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies",
    "pinned_dependencies_documentation": "Determines if the project has declared and pinned the dependencies of its build process.",
    "pinned_dependencies_details": "Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:133: update your workflow using https://app.stepsecurity.io/secureworkflow/jshttp/http-assert/ci.yml/master?enable=pin\nWarn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:206: update your workflow using https://app.stepsecurity.io/secureworkflow/jshttp/http-assert/ci.yml/master?enable=pin\nWarn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:218: update your workflow using https://app.stepsecurity.io/secureworkflow/jshttp/http-assert/ci.yml/master?enable=pin\nWarn: npmCommand not pinned by hash: .github/workflows/ci.yml:166\nWarn: npmCommand not pinned by hash: .github/workflows/ci.yml:182\nInfo:   3 out of   4 GitHub-owned GitHubAction dependencies pinned\nInfo:   1 out of   3 third-party GitHubAction dependencies pinned\nInfo:   0 out of   2 npmCommand dependencies pinned",

I believe that we can add tasks but not sure if alerts on this case.... WDYT @ruddermann?