Unpinned Actions Full Length Commit SHA
- Query id: 555ab8f9-2001-455e-a077-f2d0f41e2fb9
- Query name: Unpinned Actions Full Length Commit SHA
- Platform: CICD
- Severity: Low
- Category: Supply-Chain
- CWE: 829
- URL: Github
Description¶
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
name: test-positive
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- master
jobs:
test-positive:
runs-on: ubuntu-latest
steps:
- name: PR comment
uses: thollander/actions-comment-pull-request@v2
with:
comment_tag: title_check
mode: recreate
create_if_not_exists: true
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
name: test-positive
on:
pull_request:
types: [opened, synchronize, edited, reopened]
branches:
- master
jobs:
test-positive:
runs-on: ubuntu-latest
steps:
- name: PR comment
uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
with:
comment_tag: title_check
mode: recreate
create_if_not_exists: true