
Linting for GitHub actions

Open chris48s opened this issue 1 year ago • 3 comments

:clipboard: Description

Follow up from https://github.com/badges/shields/pull/9542

We make extensive use of GitHub actions and workflows. They're a huge productivity boost.

Simultaneously, there are some footguns and security considerations. https://github.com/badges/shields/pull/9542 highlights one of these.

This was an issue I was previously aware of (https://github.com/badges/shields/blob/1d9a6b0f80b3c3a958f02ebedae60840020ba991/.github/actions/service-tests/action.yml#L47-L57), but I missed it in the review of https://github.com/badges/shields/pull/9386.

Can we adopt some automated tooling that would flag issues like this and help us to fall into the pit of success here? One option is https://github.com/rhysd/actionlint. I've not tried it out yet, but it looks like this would have caught that issue in CI. Are there other options we should evaluate?

chris48s avatar Sep 04 '23 10:09 chris48s

I gave it a quick search and couldn't find a better-fitting repo. It's the first time I've seen actionlint though, so I can't tell much about it. I am for adding a linter to GitHub Actions changes. I might run it in my fork to test it out later.

jNullj avatar Sep 04 '23 10:09 jNullj

Other options you may want to consider:

  1. semgrep with github-actions rules (personally tested, does a pretty good job)
  2. checkov with the github_actions framework

arunstar avatar Sep 05 '23 19:09 arunstar
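Pulling the opening question and this list of tools together, the following workflow is an added example and is not code from the issue, the shields repository, or any of the tools' projects. It runs actionlint, semgrep and checkov as three independent jobs whenever anything under .github/ changes, so each tool can be evaluated side by side on the same pull requests. The actionlint download script URL and `-color` invocation follow actionlint's README; the `p/github-actions` semgrep ruleset name, semgrep's `--error` flag, and checkov's `--directory`/`--framework github_actions` flags are taken from those tools' documentation and should be treated as assumptions to confirm against the versions you install. The triggers, path filters and the read-only `permissions` block are this example's own choices.

```yaml
# Added example (not from the issue or the shields repo): run three
# GitHub Actions linters on every change to workflow or action files.
name: Lint workflows

on:
  pull_request:
    paths:
      - ".github/**"
  push:
    paths:
      - ".github/**"

# A linting job never needs to write anything; drop the default token scope.
permissions:
  contents: read

jobs:
  actionlint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run actionlint
        shell: bash
        run: |
          # Download script and invocation as documented in actionlint's README
          # (assumption: still current). Pin a release tag instead of fetching
          # "main" if this is adopted for real.
          bash <(curl -sSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          ./actionlint -color

  semgrep:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run semgrep with the GitHub Actions ruleset
        run: |
          # Assumption: "p/github-actions" is the registry ruleset name;
          # --error makes findings fail the job instead of only reporting them.
          python3 -m pip install --user semgrep
          semgrep --config p/github-actions --error .github/

  checkov:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run checkov against workflow files
        run: |
          # Assumption: the github_actions framework name and these flags match
          # the installed checkov release. checkov exits non-zero on failed checks.
          python3 -m pip install --user checkov
          checkov --directory .github --framework github_actions
```

Two things to check when evaluating the results: each tool's default scope (actionlint's documented target is workflow files under .github/workflows, so confirm whether a given tool also inspects composite action.yml files like the one linked in the opening post), and whether the job fails on findings rather than just printing them, since a linter that only warns will not stop a bad workflow from merging.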

Seems like there are some good third-party options out there based on what's been shared here, though the more I think about it the more I'm surprised GitHub doesn't have something built into the platform that highlights such known issues in real time :thinking:

calebcartwright avatar Apr 09 '24 19:04 calebcartwright