BUG: Scorecard does not penalize unpinned third party actions in local composite / docker actions #2189
arianvp added a commit to arianvp/update-flake-lock that referenced this issue (Jun 18, 2024):
A caller of this action can lock this action to a specific commit. However, because the action itself does not lock its dependent actions to a specific commit, this opens the end-user up to possible supply-chain attacks if the dependent actions rewrite their tags. This PR changes all third party actions to be explicitly locked. Dependabot will still work and update these hashes for you. I also suggest installing https://github.com/ossf/scorecard in this repo. It will report about these kinds of issues. Note that you will in turn have to audit all the third party deps of the actions that your action depends on. In general this is all a bit of a mess and GitHub's security model is very meh, e.g. see ossf/scorecard#2189
The fact that GitHub Actions doesn't have a lock-file that locks all recursive action dependencies of composite actions is kind of meh. It makes it very iffy to use from a supply-chain security perspective, as you're forced to audit the entire dep tree by hand. Would be really neat if ossf scorecard could do this automatically.
cole-h pushed a commit to DeterminateSystems/update-flake-lock that referenced this issue (Jun 18, 2024); its commit message is identical to the one quoted above.
Describe the bug
It's possible to call third party actions or docker containers in local GitHub actions, and call the local GitHub actions from a workflow.
Also, as a developer of open source GitHub actions, you should be able to use scorecard to scan your action.yml for issues. Scorecard does not seem to verify GitHub action.yml in my tests.
Reproduction steps
Minimal repository that reproduces this behaviour: https://github.com/stefreak/ossf-scorecard-repro-2189
./.github/actions/reproduce-composite/action.yml:
./.github/actions/reproduce-docker-path/action.yml:
Expected behavior
All GitHub action YAML files that can call third party actions should be considered when scanning.
Additional context
This might be related to #2174 but I am not sure.
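The check the report asks for, and the pinning the commit message above describes, as an added example that is neither scorecard's own code nor anything from the linked repro repository: a small Go scanner that reads workflow files and local action.yml files, flags every `uses:` reference that is not pinned to a 40-hex commit SHA, flags container images that are not pinned by a sha256 digest, and treats `./`-relative references as local actions whose own action.yml must be scanned too (the gap the bug describes). The three file contents are constructed samples shaped like the paths in the bug report, not the repro repo's real files; line-by-line regex matching stands in for a YAML parser, and the placeholder SHA is made up.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding records one reference that is not pinned to an immutable identifier.
type Finding struct {
	File   string
	Line   int // 1-based line number within the file
	Ref    string
	Reason string
}

var (
	// `uses:` appears in workflow job steps and in the steps of a composite action.
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*['"]?([^'"\s#]+)`)
	// `image:` appears under `runs:` in a docker action (and in job containers).
	imageRe  = regexp.MustCompile(`^\s*-?\s*image:\s*['"]?([^'"\s#]+)`)
	shaRe    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)
)

// checkUses returns "" when ref is acceptable, otherwise why it is not.
func checkUses(ref string) string {
	if strings.HasPrefix(ref, "./") {
		// Local action: nothing to pin here, but its own action.yml must be scanned too.
		return ""
	}
	if strings.HasPrefix(ref, "docker://") {
		return checkImage(ref)
	}
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "no ref at all (resolves to the default branch)"
	}
	if shaRe.MatchString(ref[at+1:]) {
		return ""
	}
	return "pinned to a mutable tag or branch, not a commit SHA"
}

// checkImage returns "" for a local Dockerfile or a digest-pinned image.
func checkImage(image string) string {
	image = strings.TrimPrefix(image, "docker://")
	if image == "Dockerfile" || strings.HasPrefix(image, "./") {
		return ""
	}
	if digestRe.MatchString(image) {
		return ""
	}
	return "container image not pinned by sha256 digest"
}

// ScanFile scans the text of one workflow or action file line by line.
func ScanFile(name, content string) []Finding {
	var out []Finding
	for i, line := range strings.Split(content, "\n") {
		var ref, reason string
		if m := usesRe.FindStringSubmatch(line); m != nil {
			ref, reason = m[1], checkUses(m[1])
		} else if m := imageRe.FindStringSubmatch(line); m != nil {
			ref, reason = m[1], checkImage(m[1])
		}
		if reason != "" {
			out = append(out, Finding{File: name, Line: i + 1, Ref: ref, Reason: reason})
		}
	}
	return out
}

// ScanAll scans every file in path order so the output is deterministic.
func ScanAll(files map[string]string) []Finding {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Finding
	for _, n := range names {
		out = append(out, ScanFile(n, files[n])...)
	}
	return out
}

// Constructed sample files (not the repro repository's contents). The workflow
// calls a local composite action, which in turn uses one unpinned and one
// SHA-pinned action; the docker action uses a tag-only image. The SHA is a placeholder.
var sampleFiles = map[string]string{
	".github/workflows/ci.yml": "on: push\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n" +
		"      - uses: actions/checkout@v4\n      - uses: ./.github/actions/reproduce-composite\n",
	".github/actions/reproduce-composite/action.yml": "name: composite\nruns:\n  using: composite\n  steps:\n" +
		"    - uses: actions/setup-node@v4\n    - uses: actions/cache@0123456789abcdef0123456789abcdef01234567\n",
	".github/actions/reproduce-docker-path/action.yml": "name: docker\nruns:\n  using: docker\n  image: docker://alpine:3.19\n",
}

func main() {
	for _, f := range ScanAll(sampleFiles) {
		fmt.Printf("%s:%d: %s (%s)\n", f.File, f.Line, f.Ref, f.Reason)
	}
}
```

Run with `go run .` to see three findings: the tag-pinned `actions/checkout@v4` in the workflow, the tag-pinned `actions/setup-node@v4` inside the composite action, and the digest-less `alpine:3.19` in the docker action; the SHA-pinned step and the local `./.github/actions/...` reference are not reported. A real implementation would walk `.github/actions/*/action.yml` on disk, follow each `uses: ./path` to that path's action.yml, and parse YAML properly, since `uses:` can be quoted or span lines and `container: image:` also appears in workflows.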