
Hash-pin dependencies #1919

Closed
diogoteles08 opened this issue Jun 13, 2023 · 1 comment

Comments

@diogoteles08

Hi! I'm Diogo and I'm back (see #1878) hoping to offer a bit more help with security enhancements.

This time I'd like to ask if you are interested in a PR to hash-pin the Actions you call in your GitHub Workflows, and the Docker images you use in your Dockerfiles. This is the only way to guarantee that you're using an immutable version of the code, which might protect you from tags being moved to malicious or buggy commits.

The changes would be similar to these:

For the Dockerfiles, FROM ubuntu:22.04 would become FROM ubuntu:22.04@sha256:ac58ff7fe25edc58bdf0067ca99df00014dbd032e2246d30a722fa348fd799a5

For the GitHub Actions,
- uses: microsoft/setup-msbuild@v1 would become
- uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c # v1.3.1

I can submit one PR for each type of change above to make it easier to review, if you prefer. Just let me know if that's the case.

It would make it a bit more difficult to manually update the versions, but Dependabot is able to do it automatically -- and it also makes sure to keep the human-readable version as a comment 😄 . Do you already have Dependabot enabled? I've found this Dependabot PR, but haven't found the dependabot.yml file, so I couldn't tell.

Both changes are recommended by security tools like Scorecard. The GitHub Actions change is also recommended by GitHub itself, and you can read about a practical impact of the Docker image change in this blog post.

Thanks!

@diogoteles08
Author

Hi! I'm coming back here to close this issue because I recognized that the changes I suggested wouldn't directly improve security, for the following reasons:

  1. Your GitHub Actions are being called with read-only permissions and without exposing any secrets. If of any interest, you can read more about this discussion on this Scorecard issue.
  2. Your Dockerfile appears to be used only for development purposes (i.e., not used in production nor in sensitive CI/CD pipelines)

That said, keeping those dependencies tag-pinned can actually be beneficial, given that their automatic updates bring flexibility for the tests and reduce the burden of updating their versions often.

Best,
