
Update workflows to use commit hashes per OpenSSF Scorecard guidelines. #192

Open
wants to merge 1 commit into base: main
Conversation

jauderho
Contributor

Dependabot will do the right thing and issue PRs as necessary.


Signed-off-by: Jauder Ho <jauderho@users.noreply.github.com>
@kzantow
Contributor

kzantow commented Feb 14, 2022

What is the purpose of this change? According to GitHub guidelines, shouldn't we be using a version tag for actions?

@jauderho
Contributor Author

jauderho commented Feb 14, 2022

@kzantow please see https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies


A "pinned dependency" is a dependency that is explicitly set to a specific hash instead of allowing a mutable version or range of versions. It is currently limited to repositories hosted on GitHub, and does not support other source hosting repositories (i.e., Forges).

The check works by looking for unpinned dependencies in Dockerfiles, shell scripts and GitHub workflows.

Pinned dependencies reduce several security risks:

  • They ensure that checking and deployment are all done with the same
    software, reducing deployment risks, simplifying debugging, and enabling
    reproducibility.
  • They can help mitigate compromised dependencies from undermining the
    security of the project (in the case where you've evaluated the pinned
    dependency, you are confident it's not compromised, and a later version is
    released that is compromised).
  • They are one way to counter dependency confusion (aka substitution) attacks,
    in which an application uses multiple feeds to acquire software packages (a
    "hybrid configuration"), and attackers fool the user into using a malicious
    package via a feed that was not expected for that package.

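To make the pinning discussion concrete, here is an added example (not code from this PR or from the Scorecard project) that mimics what the Pinned-Dependencies check does for GitHub workflows: it scans `uses:` lines and reports which action references are pinned to a 40-hex commit SHA and which still point at a mutable tag or branch. The workflow text and the SHA in it are constructed placeholders, and the classification rules (local `./` actions skipped, `docker://` images counted as pinned only with a `@sha256:` digest) are this example's own assumptions, not a statement of Scorecard's exact internals.

```python
import re
from typing import Dict, List

# Constructed sample workflow for illustration; the 40-hex SHA is a placeholder,
# not a real commit of actions/setup-go.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v2.1.4
      - uses: docker://alpine:3.15
      - uses: ./.github/actions/local-thing
      - name: build
        run: make
"""

# Matches "uses: <target>" whether or not the key starts a list item; stops at
# whitespace or a trailing "# v2.1.4" comment (the comment is what Dependabot
# reads to keep a SHA-pinned action's version annotation current).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_ref(target: str) -> str:
    """Classify one `uses:` target as 'pinned', 'unpinned' or 'local'.

    Assumed rules (this example's own): local composite actions have no ref to
    pin; docker images are pinned only by a sha256 digest; repository actions
    are pinned only when the part after '@' is a full 40-hex commit SHA.
    """
    if target.startswith("./"):
        return "local"
    if target.startswith("docker://"):
        return "pinned" if DIGEST_RE.search(target) else "unpinned"
    if "@" not in target:
        # No ref at all: GitHub resolves the default branch, which is mutable.
        return "unpinned"
    _, ref = target.rsplit("@", 1)
    return "pinned" if SHA_RE.match(ref) else "unpinned"


def scan_workflow(workflow_text: str) -> List[Dict[str, object]]:
    """Return one finding per `uses:` line: its line number, target and status."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        findings.append({"line": lineno, "target": target, "status": classify_ref(target)})
    return findings


def unpinned_uses(workflow_text: str) -> List[Dict[str, object]]:
    """Only the findings a reviewer would ask to be pinned before merging."""
    return [f for f in scan_workflow(workflow_text) if f["status"] == "unpinned"]


if __name__ == "__main__":
    for f in unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['target']} is not pinned to a commit SHA")
```

Run against the sample, the scanner flags `actions/checkout@v2` and `docker://alpine:3.15`, and accepts the SHA-pinned `setup-go` step; the `# v2.1.4` trailer is the convention that keeps the version readable next to the hash and lets Dependabot open PRs to bump it.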