dependabot-core
Add option for GH actions to prefer SHA pins
Is there an existing issue for this?
- [X] I have searched the existing issues
Feature description
It's painful or requires third-party tools to convert a GitHub Actions config file from tag/branch pins to the (more secure) SHA pins.
It would be nice if there was a setting in the Dependabot config to prefer SHA pins. This would trigger a Dependabot 'update' that replaces the named pins with SHA pins, and add a comment indicating the actual version as well.
Pin actions by default, to match GitHub's own recommendations
The GitHub Docs ("Security hardening for GitHub Actions", section "Using third-party actions") recommend that users:
Pin actions to a full length commit SHA
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Users may never read these docs, or forget to pin the actions manually, so that Dependabot can update the pins later.
Dependabot should default to pinning the GitHub Actions, and allow users to opt-out with a configuration toggle.
Here's how that could look:
- Dependabot opens a special "Pin actions PR" as preparation for later updates
- Dependabot will offer updates of pinned actions via the normal schedule/rules
- Users that do not want pinning can opt-out via some configuration option/toggle
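As an added example (not Dependabot's code, and not posted by anyone in this thread), the conversion the feature request describes (tag/branch pin to SHA pin, with the original ref kept as a comment) together with the check the GitHub guidance implies (only a full-length SHA counts, and the SHA must come from the action's own repository, not a fork), written as a small Python script. The sample workflow and the tag-to-SHA table are constructed; the placeholder SHAs are not real commits of the named actions. `resolve_with_git` is the one part that talks to a remote and assumes `git` is on PATH; the embedded sample does not call it.

```python
"""Pin the `uses:` references in a GitHub Actions workflow to full-length
commit SHAs, keeping the original tag/branch as a trailing comment."""
import re
import subprocess

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Keep everything before the reference (indent, list marker) so it survives the
# rewrite; the reference stops at whitespace or a '#' comment.
USES_LINE = re.compile(r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")

def split_uses(value):
    """(action, ref) for 'owner/repo[/path]@ref'; None for local actions
    (./path) and Docker images (docker://...), which have no git ref to pin."""
    value = value.strip("'\"")
    if value.startswith(("./", "docker://")) or "@" not in value:
        return None
    action, ref = value.rsplit("@", 1)
    return action, ref

def is_sha_pinned(ref):
    """Only a full-length SHA counts, per GitHub's guidance; abbreviated SHAs
    are treated as unpinned."""
    return bool(FULL_SHA.match(ref))

def unpinned_actions(text):
    """The check a CI lint would run: every 'owner/repo@ref' not pinned to a
    40-hex commit SHA."""
    found = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        parsed = split_uses(m.group("ref")) if m else None
        if parsed and not is_sha_pinned(parsed[1]):
            found.append("%s@%s" % parsed)
    return found

def pin_workflow(text, resolve):
    """Rewrite each unpinned `uses:` line as '<action>@<sha> # <ref>'.
    resolve(action, ref) returns the commit SHA or None; unresolvable lines are
    left untouched and reported so the caller can fail rather than ship a
    half-pinned workflow."""
    out, unresolved = [], []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        parsed = split_uses(m.group("ref")) if m else None
        if not parsed or is_sha_pinned(parsed[1]):
            out.append(line)
            continue
        action, ref = parsed
        sha = resolve(action, ref)
        if not sha or not FULL_SHA.match(sha):
            unresolved.append(f"{action}@{ref}")
            out.append(line)
            continue
        rest = m.group("rest").strip()  # preserve an existing comment, if any
        note = f"# {ref}" + (f" {rest.lstrip('#').strip()}" if rest.startswith("#") else "")
        out.append(f"{m.group('prefix')}{action}@{sha} {note}")
    return "\n".join(out) + "\n", unresolved

def resolve_with_git(action, ref):
    """Resolve a tag/branch by asking the action's *own* repository (owner/repo
    from the `uses:` string), so the SHA cannot come from a fork. Assumes `git`
    on PATH and network access; the sample below does not call it."""
    url = "https://github.com/" + "/".join(action.split("/")[:2])
    # Annotated tags point at a tag object; 'ref^{}' is the peeled commit that
    # a `uses:` pin needs. Fall back to a lightweight tag, then a branch.
    patterns = [f"refs/tags/{ref}^{{}}", f"refs/tags/{ref}", f"refs/heads/{ref}"]
    proc = subprocess.run(["git", "ls-remote", url, *patterns],
                          capture_output=True, text=True, check=False)
    found = {}
    for line in proc.stdout.splitlines():
        sha, _, name = line.partition("\t")
        found[name] = sha
    return next((found[p] for p in patterns if p in found), None)

# Constructed sample workflow and tag -> SHA table; the SHAs are placeholders,
# not real commits of the named actions.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4  # node toolchain
      - uses: ./.github/actions/local-thing
      - uses: actions/upload-artifact@v4
      - uses: actions/cache@0000000000000000000000000000000000000000 # v4
"""
CONSTRUCTED_SHAS = {("actions/checkout", "v4"): "a" * 40,
                    ("actions/setup-node", "v4"): "b" * 40}

def constructed_resolver(action, ref):
    return CONSTRUCTED_SHAS.get((action, ref))

if __name__ == "__main__":
    pinned, unresolved = pin_workflow(SAMPLE_WORKFLOW, constructed_resolver)
    print(pinned, "unresolved:", unresolved)
```

Running it rewrites the two resolvable lines, leaves the local action and the already-pinned `actions/cache` line alone, and reports `actions/upload-artifact@v4` as unresolved because the constructed table has no entry for it; a real run would pass `resolve_with_git` instead of `constructed_resolver`. Running `pin_workflow` a second time over its own output changes nothing, which is the property that lets the later "update" PRs in the proposal replace one SHA with another without re-pinning everything.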
Why Dependabot should default to pinning actions
@JamieMagee opened a PR that pins your GitHub Actions to the commit SHA:
- #9755
If even the maintainers of Dependabot accidentally forgot to pin their actions, then others will likely forget too. I don't mean this in a bad way, or to shame you, or anything like that! :wink:
Related issue
- #7912
+1 for this requested feature; is this on the roadmap anywhere?