From 2154c138653efd6ee444a23ce502930c330cf5a0 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 28 Feb 2023 17:55:38 -0800 Subject: [PATCH] Pin actions to commit SHA (#10204) ## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot
---
 .github/workflows/build-and-push-fleetctl-docker.yml | 2 +-
 .github/workflows/deploy-fleet-website.yml | 2 +-
 .github/workflows/dogfood-deploy.yml | 4 ++--
 .github/workflows/goreleaser-fleet.yaml | 2 +-
 .github/workflows/goreleaser-snapshot-fleet.yaml | 2 +-
 .github/workflows/tfvalidate.yml | 2 +-
 .github/workflows/trivy_scan.yml | 6 +++---
 7 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build-and-push-fleetctl-docker.yml b/.github/workflows/build-and-push-fleetctl-docker.yml
index 47d0cd75d9..8da7ad968e 100644
--- a/.github/workflows/build-and-push-fleetctl-docker.yml
+++ b/.github/workflows/build-and-push-fleetctl-docker.yml
@@ -56,7 +56,7 @@ jobs:
- name: Push To quay.io
id: push-to-quay
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
with:
image: fleetdm/fleetctl
tags: ${{ inputs.image_tag }}
diff --git a/.github/workflows/deploy-fleet-website.yml b/.github/workflows/deploy-fleet-website.yml
index b4f1b6ed5e..f13f39616b 100644
--- a/.github/workflows/deploy-fleet-website.yml
+++ b/.github/workflows/deploy-fleet-website.yml
@@ -54,7 +54,7 @@ jobs:
# Install the right version of Go for the Golang child process that we are currently using for CSR signing
- name: Set up Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: 1.19
diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml
index 5f3cf4986c..3c838e53d2 100644
--- a/.github/workflows/dogfood-deploy.yml
+++ b/.github/workflows/dogfood-deploy.yml
@@ -49,11 +49,11 @@ jobs:
- id: fail-on-main
run: "false"
if: ${{ github.ref == 'main' }}
- - uses: aws-actions/configure-aws-credentials@v1
+ - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
with:
role-to-assume: ${{env.AWS_IAM_ROLE}}
aws-region: ${{ env.AWS_REGION }}
- - uses: hashicorp/setup-terraform@v2
+ - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
with:
terraform_version: 1.0.4
terraform_wrapper: false
diff --git a/.github/workflows/goreleaser-fleet.yaml b/.github/workflows/goreleaser-fleet.yaml
index 2d91bd75ba..393eda53a7 100644
--- a/.github/workflows/goreleaser-fleet.yaml
+++ b/.github/workflows/goreleaser-fleet.yaml
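Review bot: The pinned hash on the new `uses:` line has no update path visible in this PR: a full-length SHA never moves, so this workflow (and the deploy-fleet-website.yml, dogfood-deploy.yml, goreleaser-fleet.yaml, goreleaser-snapshot-fleet.yaml, tfvalidate.yml and trivy_scan.yml hunks, which pin the same way) keeps running the pinned action commit until someone edits the hash, and the diff does not show a Dependabot or Renovate configuration for the `github-actions` ecosystem that would do so. Please confirm such an updater exists, or add one alongside this change; otherwise the pins trade a mutable-tag risk for a stale-dependency one. The trailing `# v2.7.1` comment is what those updaters use to recognise which release a hash corresponds to, so it should stay attached to every pin. The `jobs:` step list this hunk belongs to starts and ends outside the hunk.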
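Review bot: `go-version: 1.19`, the context line directly under the new setup-go pin, is a bare YAML float and only reads correctly by luck: bumping it to `1.20` would parse as `1.2` and request a different toolchain, so quote it as `go-version: "1.19"` while this step is being edited. This is pre-existing rather than introduced by the pin, but the step is already being touched here. The surrounding `jobs:` step list begins before the hunk.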
@@ -64,7 +64,7 @@ jobs:
- name: Push To quay.io
id: push-to-quay
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
with:
image: fleetdm/fleet
tags: ${{ steps.docker.outputs.TAG }}
diff --git a/.github/workflows/goreleaser-snapshot-fleet.yaml b/.github/workflows/goreleaser-snapshot-fleet.yaml
index 84ab28dc05..00fb10d694 100644
--- a/.github/workflows/goreleaser-snapshot-fleet.yaml
+++ b/.github/workflows/goreleaser-snapshot-fleet.yaml
@@ -65,7 +65,7 @@ jobs:
- name: Push To quay.io
id: push-to-quay
- uses: redhat-actions/push-to-registry@v2
+ uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
with:
image: fleetdm/fleet
tags: ${{ steps.docker.outputs.TAG }}
diff --git a/.github/workflows/tfvalidate.yml b/.github/workflows/tfvalidate.yml
index 18f875ae5c..331564b63b 100644
--- a/.github/workflows/tfvalidate.yml
+++ b/.github/workflows/tfvalidate.yml
@@ -34,7 +34,7 @@ jobs:
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- name: Install terraform
- uses: hashicorp/setup-terraform@v2.0.0
+ uses: hashicorp/setup-terraform@17d4c9b8043b238f6f35641cdd8433da1e6f3867 # v2.0.0
with:
terraform_version: 1.3.0
diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml
index 7c41d726dc..bbfa763f42 100644
--- a/.github/workflows/trivy_scan.yml
+++ b/.github/workflows/trivy_scan.yml
@@ -9,10 +9,10 @@ jobs:
runs-on: ubuntu-20.04
steps:
- name: Checkout code
- uses: actions/checkout@v3
+ uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252 # master
with:
scan-type: 'fs'
ignore-unfixed: true
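Review bot: This pin leaves `hashicorp/setup-terraform` at v2.0.0 (`17d4c9b8…`) while the dogfood-deploy.yml hunk in the same PR pins the same action at v2.0.3 (`633666f6…`); two hashes for one action doubles what has to be audited and bumped, so aligning this line on the newer one, `uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3`, would be preferable unless tfvalidate needs v2.0.0 specifically. The unchanged `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b` context line above it carries no `# vX.Y.Z` comment, so it is the one pin here that a version-comment-driven updater cannot map to a release; adding the comment would make it consistent with the new lines. The step list continues outside the hunk.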
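Review bot: `uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252 # master` pins to an arbitrary commit on the default branch rather than to a release: the hash is immutable, but the `# master` comment records no version, so reviewers cannot tell what was vetted and version-comment-driven updaters have no release to advance to. Prefer the commit of a tagged trivy-action release and record it as `# vX.Y.Z` (version taken from the release you pick), matching the `# v3.3.0` style on the checkout pin two lines above. The `with:` block for this step continues outside the hunk.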
@@ -24,6 +24,6 @@ jobs:
security-checks: 'vuln'
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.2.5
with:
sarif_file: 'trivy-results.sarif'