
BUG: Scorecard does not penalize unpinned third party actions in local composite / docker actions #2189

Open
stefreak opened this issue Aug 23, 2022 · 1 comment

stefreak commented Aug 23, 2022

Describe the bug
It's possible to call third party actions or docker containers in local GitHub actions, and call the local GitHub actions from a workflow.

Also, as a developer of open source github actions, you should be able to use scorecard to scan your action.yml for issues.

Scorecard does not seem to verify GitHub action.yml in my tests.

Reproduction steps

Minimal repository that reproduces this behaviour: https://github.com/stefreak/ossf-scorecard-repro-2189

1. Create a workflow like this:

```yaml
on:
  push:

jobs:
  reproduce:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b  # v3.0.2
      - uses: ./.github/actions/reproduce-composite
      - uses: ./.github/actions/reproduce-docker-path
```

2. Create a local file in the same repository, `./.github/actions/reproduce-composite/action.yml`:

```yaml
name: 'Reproduce scorecard bug scanning composite actions'
description: >
  Scorecard should detect that we are calling third party
  actions without pinning, but it doesn't
runs:
  using: "composite"
  steps:
    - name: Prepare helm
      uses: azure/setup-helm@v3
```

3. Create a local file in the same repository, `./.github/actions/reproduce-docker-path/action.yml`:

```yaml
name: 'Reproduce scorecard bug scanning docker actions'
description: >
  Scorecard should detect that we are calling third party
  docker container without pinning, but it doesn't
runs:
  using: "docker"
  image: "docker://ubuntu:latest"
  args: ["echo", "Hello World"]
```

Expected behavior
All GitHub action YAML files that can call third party actions should be considered when scanning.

Additional context
This might be related to #2174 but I am not sure.
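The gap the report describes is that only workflow files are scanned, so a mutable reference inside a local composite or docker action is missed. The following scanner is an added example, not Scorecard's own code: it walks workflows and local `action.yml` files alike and flags every `uses:` or `image:` reference that is not pinned to a full commit SHA or an image digest. The three embedded files are a constructed copy of the report's repro with hypothetical paths.

```python
import re

# Constructed sample mirroring the three files in the report (hypothetical
# paths); embedded inline so the scan runs offline.
SAMPLE_FILES = {
    ".github/workflows/ci.yml": (
        "on:\n  push:\njobs:\n  reproduce:\n    runs-on: ubuntu-latest\n    steps:\n"
        "      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b  # v3.0.2\n"
        "      - uses: ./.github/actions/reproduce-composite\n"
        "      - uses: ./.github/actions/reproduce-docker-path\n"
    ),
    ".github/actions/reproduce-composite/action.yml": (
        "runs:\n  using: \"composite\"\n  steps:\n"
        "    - name: Prepare helm\n      uses: azure/setup-helm@v3\n"
    ),
    ".github/actions/reproduce-docker-path/action.yml": (
        "runs:\n  using: \"docker\"\n  image: \"docker://ubuntu:latest\"\n"
    ),
}

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
IMAGE_RE = re.compile(r'^\s*image:\s*["\']?(docker://[^"\'\s#]+)')
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref):
    """Immutable refs only: a docker image with an @sha256: digest, or a remote
    action whose ref after '@' is a full 40-hex commit SHA. @v3 or a bare
    'owner/repo' (default branch) can be moved by the upstream, so unpinned."""
    if ref.startswith("docker://"):
        return "@sha256:" in ref
    return bool(SHA1_RE.match(ref.partition("@")[2]))


def unpinned_refs(path, text):
    """Return (path, line_no, ref) for each unpinned third-party reference.
    Line-based on purpose: no YAML dependency is needed for these two keys."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line) or IMAGE_RE.match(line)
        if not m or m.group(1).startswith("./"):
            continue  # local actions are covered when their own action.yml is scanned
        if not is_pinned(m.group(1)):
            findings.append((path, n, m.group(1)))
    return findings


def scan_repo(files):
    """Scan workflows AND local action.yml files, not just the workflows."""
    return [f for path, text in files.items()
            if path.startswith(".github/") and path.endswith((".yml", ".yaml"))
            for f in unpinned_refs(path, text)]
```

On the sample, the pinned `actions/checkout` step passes while `azure/setup-helm@v3` in the composite action and `docker://ubuntu:latest` in the docker action are both reported, which is exactly the result the issue asks Scorecard to produce.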

@stefreak stefreak added the kind/bug Something isn't working label Aug 23, 2022
@afmarcum afmarcum moved this to Backlog - Bugs in Scorecard - NEW Mar 5, 2024
arianvp added a commit to arianvp/update-flake-lock that referenced this issue Jun 18, 2024
A caller of this action can lock this action to a specific commit. However, because the action itself does not lock its dependent actions to a specific commit, this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags.

This PR changes all third party actions to be explicitly locked.

Dependabot will still work and update these hashes for you


I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kinds of issues.

Note that you would in turn have to audit all the third party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh

e.g. see ossf/scorecard#2189

arianvp commented Jun 18, 2024

The fact that Github Actions doesn't have a lock-file that locks all recursive action dependencies of composite actions is kind of meh. It makes it very iffy to use from a supply-chain security perspective as you're forced to audit the entire dep tree by hand. Would be really neat if ossf scorecard could do this automatically

cole-h pushed a commit to DeterminateSystems/update-flake-lock that referenced this issue Jun 18, 2024