
Ensure pinned dependencies #2150

Open
sozercan opened this issue May 23, 2023 · 2 comments

Comments

@sozercan

sozercan commented May 23, 2023

It's awesome that secure-repo pins dependencies like GHA. However, it would be ideal to keep up that hygiene and ensure that newly introduced dependencies are pinned as well (bonus points if it can suggest hashes). It would be great to add an action like https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions as part of secure-repo or harden-runner.

If this issue is more suitable for harden-repo repo, please feel free to move it there.
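The check this issue asks for, as an added example (not code from secure-repo, harden-runner, or the ensure-sha-pinned-actions action): a line-oriented scan of a workflow file that flags every `uses:` reference not pinned to a full commit SHA, plus a rewrite that suggests the hash for the "bonus points" part. It goes slightly beyond the request by also treating `docker://` images and reusable-workflow `uses:` lines. The sample workflow, its placeholder SHAs and the dictionary-style resolver in the usage are constructed; `git_ls_remote_resolver` is an assumption about how a tag would be looked up in practice (it needs network access and a `git` binary).

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA,
and optionally rewrite them with a suggested pin.

Added example only; not code from secure-repo, harden-runner or the
ensure-sha-pinned-actions action. Regexes keep it free of any YAML dependency.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Optional

# A `uses:` line (step or reusable-workflow job): optional list dash, optional quotes,
# optional trailing comment, which is where pinned references record the human-readable tag.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*)uses:\s*['\"]?(?P<ref>[^'\"#\s]+)['\"]?\s*(?:#\s*(?P<comment>\S.*))?$"
)
# owner/repo[/path]@version for actions and reusable workflows hosted on GitHub.
ACTION_RE = re.compile(r"^(?P<repo>[\w.-]+/[\w.-]+)(?P<path>/[^@]*)?@(?P<version>[^@]+)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# (owner/repo, tag-or-branch) -> full commit SHA, or None if unknown.
Resolver = Callable[[str, str], Optional[str]]


@dataclass
class Finding:
    line_no: int
    ref: str
    severity: str  # "error": mutable reference; "warning": pinned but undocumented
    reason: str


def check_workflow(text: str) -> List[Finding]:
    """Return a Finding for every `uses:` reference that is not an immutable pin."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./"):
            continue  # local action: versioned together with the calling repository
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:  # an image tag is as mutable as a git tag
                findings.append(Finding(line_no, ref, "error", "docker image not pinned by digest"))
            continue
        a = ACTION_RE.match(ref)
        if a is None:
            findings.append(Finding(line_no, ref, "error", "no version reference"))
            continue
        version = a.group("version")
        if not FULL_SHA_RE.match(version):
            findings.append(Finding(line_no, ref, "error",
                                    f"'{version}' is not a full 40-hex commit SHA (tag, branch or short SHA)"))
        elif not m.group("comment"):
            findings.append(Finding(line_no, ref, "warning", "pinned SHA has no version comment"))
    return findings


def suggest_pins(text: str, resolve: Resolver) -> str:
    """Rewrite mutable references as `owner/repo@<sha> # <version>` where the resolver knows the SHA."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        a = ACTION_RE.match(m.group("ref")) if m else None
        if a and not FULL_SHA_RE.match(a.group("version")):
            sha = resolve(a.group("repo"), a.group("version"))
            if sha:
                path = a.group("path") or ""
                line = f"{m.group('indent')}uses: {a.group('repo')}{path}@{sha} # {a.group('version')}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def git_ls_remote_resolver(repo: str, version: str) -> Optional[str]:
    """Resolve a tag or branch to its commit SHA via `git ls-remote` (assumed approach; needs network).

    Annotated tags are advertised twice; the peeled `^{}` entry is the commit, not the tag object.
    """
    try:
        out = subprocess.run(
            ["git", "ls-remote", f"https://github.com/{repo}",
             f"refs/tags/{version}", f"refs/tags/{version}^{{}}", f"refs/heads/{version}"],
            capture_output=True, text=True, check=False, timeout=30,
        ).stdout
    except (OSError, subprocess.TimeoutExpired):
        return None
    for line in sorted(out.splitlines(), key=lambda l: not l.endswith("^{}")):
        sha = line.split("\t", 1)[0]
        if FULL_SHA_RE.match(sha):
            return sha
    return None


# Constructed sample workflow; the SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: actions/cache@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: "actions/upload-artifact@main"
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.severity}: {f.ref}: {f.reason}")
```

Run on the sample, `check_workflow` reports the `@v4` and `@main` references and the undigested Docker image as errors and the SHA-pinned `actions/cache` line as a warning for lacking a version comment; `suggest_pins(SAMPLE_WORKFLOW, git_ls_remote_resolver)` would rewrite the resolvable ones. In a PR gate, exit non-zero on any `error` finding so a new unpinned dependency cannot merge.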

@varunsh-coder
Member

Thanks @sozercan for creating the issue! secure-repo currently adds https://github.com/ossf/scorecard-action, which does find the pinned-dependency issue and also the token-permissions issue. I am not sure if it runs on a PR though - @ashishkurmi this is something to look into.

There is also an open issue to run secure-repo as an Action/ CLI to auto-fix these issues when a new PR is created.
#583
#1230

@varunsh-coder
Member

@sozercan, please do suggest if you have ideas on adding additional tools via pull request using secure-repo. Here are some we are planning to do in the near future:
#2069
#2074
#2076
