Hi! I'm Diogo and I'm back (see #1878) hoping to offer a bit more help with security enhancements.
This time I'd like to ask if you are interested in a PR to hash pin the Actions you call in your GitHub Workflows, and the docker images you use on your docker files. This is the only way to guarantee that you're using an immutable version of the code, which might protect you from tags being moved to malicious or buggy commits.
The changes would be similar to those:
For the docker files,
From ubuntu:22.04
would become
From ubuntu:22.04@sha256:ac58ff7fe25edc58bdf0067ca99df00014dbd032e2246d30a722fa348fd799a5
For the GitHub Actions,
- uses: microsoft/setup-msbuild@v1
would become
- uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c # v1.3.1
I can submit one PR for each type of change above to be easier to review if you prefer. Just let me know if that's the case.
It would make it a bit more difficult to manually update the versions, but Dependabot is able to do it automatically -- and it also makes sure to keep the human-readable version as a comment 😄 . Do you already have Dependabot enabled? I've found this dependabot PR, but haven't found the dependabot.yml file, so I couldn't tell.
Both changes are recommended by security tools like Scorecard. The GitHub Actions change is also recommended by GitHub itself, and you can read about a practical impact of the Docker image change on this blogpost.
Thanks!
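A defender-side check for the two pinning rules described in the issue above, added here as an example (it is not code from this issue or from the project): it flags `uses:` lines not pinned to a full commit SHA or lacking the human-readable version comment, and `FROM` lines without a `sha256` digest. The sample workflow and Dockerfile are constructed; the SHA on the `actions/cache` line is a placeholder, while the `setup-msbuild` SHA and the `ubuntu:22.04` digest are the ones quoted in the issue.

```python
import re

# A pinned Action reference is a 40-hex commit SHA, ideally followed by a
# "# vX.Y.Z" comment that keeps the version readable (Dependabot maintains it).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)(?:\s*#\s*(\S+))?", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Dockerfile FROM: optional --platform, image ref, optional "AS <stage>" alias.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.M | re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def check_workflow(text):
    """Return findings for Actions not pinned to a commit SHA (or unlabelled)."""
    findings = []
    for action, ref, comment in USES_RE.findall(text):
        if not SHA_RE.match(ref):
            findings.append(f"{action}@{ref}: not pinned to a commit SHA")
        elif not comment:
            findings.append(f"{action}@{ref}: missing version comment")
    return findings

def check_dockerfile(text):
    """Return findings for base images without a digest; stage aliases are skipped."""
    findings, stages = [], set()
    for image, stage in FROM_RE.findall(text):
        if image in stages or image.lower() == "scratch":  # prior build stage / empty image
            continue
        if not DIGEST_RE.search(image):
            findings.append(f"FROM {image}: no sha256 digest")
        if stage:
            stages.add(stage)
    return findings

# Constructed sample inputs (the actions/cache SHA is a placeholder, not a real commit).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c # v1.3.1
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
"""
SAMPLE_DOCKERFILE = """\
FROM ubuntu:22.04@sha256:ac58ff7fe25edc58bdf0067ca99df00014dbd032e2246d30a722fa348fd799a5 AS base
FROM node:20
FROM base AS final
"""

if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW) + check_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```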
Hi! I'm coming back here to close this issue because I recognized that the changes I suggested wouldn't directly improve Security because of the following reasons:
Your GitHub Actions are being called with read-only permissions and without exposing any secrets. If of any interest, you can read more about this discussion on this Scorecard issue.
Your docker file appears to be used only for development purposes (i.e., not used on production nor on sensitive CI/CD pipelines)
That said, keeping those dependencies tag-pinned can actually be beneficial, given that their automatic updates bring flexibility to the tests and reduce the burden of updating their versions often.