aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0
828 stars 239 forks source link

Allow pinning setup-trivy by hash #423

Open smola opened 2 weeks ago

smola commented 2 weeks ago

I work with repos where all GitHub Actions are pinned by commit hash, and passlisted in the repo settings. As of https://github.com/aquasecurity/trivy-action/pull/406, it is not possible to do this anymore, since it internally fetches aquasecurity/setup-trivy by tag, and there does not seem to be any way to override that. Even if skip-setup-trivy: true is set, it seems GitHub will require passlisting the tag version.

simar7 commented 2 weeks ago

Even if skip-setup-trivy: true is set, it seems GitHub will require passlisting the tag version.

Could you expand more on this, where does this passlisting happen? Is it a GitHub requirement?

smola commented 2 weeks ago

Yes. GitHub Actions settings have an optional passlist. It is possible to passlist a tag too, but some projects try to rely as much as possible on actions references by commit hash (branches and tags can be arbitrarily rewritten). This reduces the attack surface for supply chain attacks through compromised GitHub Actions.

smola commented 2 weeks ago

This could also be fixed by using a commit hash reference in action.yml for setup-trivy. Users who do not restrict their referenced Actions will not notice the difference. Those who enforce commit hash pinning will be able to do so.