Should tags be considered sufficient pins for actions? #178
Replies: 1 comment 5 replies
Thanks for opening this @funnelfiasco! I've gone back and forth on this as well: hash-pinned actions are definitely the gold standard, but even just branch/tag pinning is a significant improvement over leaving actions entirely unpinned.
I like this! If you're interested, I'd be more than happy to merge a PR that adds findings for non-hash-pinned actions when Longer term, this demonstrates that

```rust
enum Sensitivity {
    // The current default
    Normal,
    // For findings like these
    Pedantic,
    // For high false-positive findings, e.g. self-hosted runner detection
    Extreme,
}
```

...with that, each finding could mark its sensitivity and everything would flow more gracefully into the current filtering system (which includes config rules).
#161 introduced an audit for finding un-pinned actions. This is good. But I'm wondering if it's too accepting. It currently requires a pin based on branch, tag, or SHA. In most cases, that's fine. But what happens if upstream becomes malicious? Let's say Jia Tan becomes a maintainer of a popular (or unpopular for that matter) GitHub action. They can update the branch with a backdoor and force push a previously-good tag to now point to malicious code.
I see three possible approaches here:

`--pedantic` should require only SHAs.

I'm not sure what my position is here. 3 is in the lead at the moment, but I am open to being convinced of either 1 or 2. Part of it, I suppose, comes down to "how paranoid does this project want to be?" An argument for 2 is that the vast majority of actions (probably) come from well-managed providers (e.g. GitHub itself) that make the risk of compromise very low while also ensuring that people automatically get the latest bug fixes (which may also include security fixes) that they'd otherwise have to update manually.
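As an added example (not zizmor's code, and not from either participant in this thread), here is a small Rust audit that classifies each `uses:` reference in a workflow as unpinned, pinned to a mutable branch/tag ref, or pinned to a commit SHA, and reports mutable refs only at a `Pedantic` sensitivity. That is the shape of the `--pedantic` behaviour and the `Sensitivity` tiers discussed above, with the `Extreme` tier left out because nothing here needs it. The `Sensitivity`, `Pin`, `Finding`, `classify` and `audit` names, the line-oriented scan instead of a real YAML parser, and the sample workflow (including its 40-hex-digit placeholder SHA) are all constructed for this example.

```rust
// Added example, not zizmor's own code. Classifies `uses:` references in a
// GitHub Actions workflow by pin strength and reports them at a configurable
// sensitivity. Every name below is an assumption for illustration.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Sensitivity {
    /// Report only actions with no ref at all (the lenient default).
    Normal,
    /// Also report branch/tag refs: mutable, and a tag can be force-pushed.
    Pedantic,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Pin {
    /// `uses: owner/repo` with no `@ref`.
    Unpinned,
    /// `@v4`, `@main`, ...: a mutable ref that upstream can move.
    Symbolic(String),
    /// `@<40 or 64 hex digits>`: an immutable commit id.
    Sha(String),
    /// `./path` or `docker://...`: not a repository ref, skipped here.
    Local,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub line: usize,
    pub uses: String,
    pub message: String,
}

fn is_hex_sha(s: &str) -> bool {
    (s.len() == 40 || s.len() == 64) && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Classify a single `uses:` value. The ref is whatever follows the last `@`.
pub fn classify(uses: &str) -> Pin {
    let uses = uses.trim();
    if uses.starts_with("./") || uses.starts_with("docker://") {
        return Pin::Local;
    }
    match uses.rsplit_once('@') {
        None => Pin::Unpinned,
        Some((_, r)) if is_hex_sha(r) => Pin::Sha(r.to_string()),
        Some((_, r)) => Pin::Symbolic(r.to_string()),
    }
}

/// Line-oriented scan (assumption: one `uses:` per line, as in normal
/// workflow YAML) rather than a full YAML parse, to stay dependency-free.
pub fn audit(workflow: &str, sensitivity: Sensitivity) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (idx, raw) in workflow.lines().enumerate() {
        let line = raw.trim_start().trim_start_matches("- ").trim_start();
        let rest = match line.strip_prefix("uses:") {
            Some(rest) => rest,
            None => continue,
        };
        // Drop a trailing YAML comment and surrounding quotes.
        let uses = rest.split(" #").next().unwrap_or("").trim();
        let uses = uses.trim_matches(|c| c == '"' || c == '\'');
        let message = match classify(uses) {
            Pin::Unpinned => "action is not pinned to any ref".to_string(),
            Pin::Symbolic(r) if sensitivity >= Sensitivity::Pedantic => {
                format!("action is pinned to mutable ref `{r}`, not a commit SHA")
            }
            _ => continue,
        };
        findings.push(Finding { line: idx + 1, uses: uses.to_string(), message });
    }
    findings
}

/// Constructed sample workflow; the SHA is a placeholder, not a real commit.
pub const SAMPLE_WORKFLOW: &str = "\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-python@v5
      - uses: \"some-org/some-action@main\"
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - name: no ref at all
        uses: some-org/unpinned-action
";

fn main() {
    for s in [Sensitivity::Normal, Sensitivity::Pedantic] {
        println!("--- {s:?} ---");
        for f in audit(SAMPLE_WORKFLOW, s) {
            println!("line {}: {} ({})", f.line, f.message, f.uses);
        }
    }
}
```

Run at `Normal` sensitivity, only the step with no `@ref` at all is reported; at `Pedantic`, the `@v5` and `@main` steps are reported too, while the SHA-pinned checkout passes. Two caveats worth keeping in mind: the "is this a SHA" check is purely syntactic (40 or 64 hex digits), and a commit SHA guarantees only that the content cannot silently change, not that anyone has reviewed it, so the usual practice of a trailing `# vX.Y` comment plus an updater bot is what makes SHA pinning maintainable in practice.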