There is another security practice I would like to suggest, also recommended by the OpenSSF Scorecard, which is to hash pin dependencies to prevent typosquatting and tag renaming attacks.
The change would only be applied to GitHub workflows.
Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.
Together with this issue I'll also suggest a PR with the hash-pinning changes since they are quite simple. If you also agree on adopting dependency update tool just tell me which one and I can submit a default config file that covers github workflow permissions.
Any questions or concerns just let me know.
Thanks!
Additional Context
A tag renaming attack is a type of attack whereby an attacker:
Hijack an action.
Upload a malicious version.
Replace existing tags with malicious versions.
A [typosquatting attack][typosquatting] is a type of attack whereby an attacker:
- Create a malicious package
- Publish it with a similar name of a known package (example: actiona instead of actions)
For more informations about the dependency-update tools:
- [Dependabot][dependabot]
- [Renovatebot][renovatebot]
eliben
commented
1 year ago
Description
There is another security practice I would like to suggest, also recommended by the OpenSSF Scorecard, which is to hash pin dependencies to prevent typosquatting and tag renaming attacks.
The change would only be applied to GitHub workflows.
This means:
Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.
Together with this issue I'll also suggest a PR with the hash-pinning changes since they are quite simple. If you also agree on adopting dependency update tool just tell me which one and I can submit a default config file that covers github workflow permissions.
Any questions or concerns just let me know. Thanks!
Additional Context
A tag renaming attack is a type of attack whereby an attacker:
- Hijack an action.
- Upload a malicious version.
- Replace existing tags with malicious versions.
A [typosquatting attack][typosquatting] is a type of attack whereby an attacker: - Create a malicious package - Publish it with a similar name of a known package (example: actiona instead of actions) For more informations about the dependency-update tools: - [Dependabot][dependabot] - [Renovatebot][renovatebot]