emscripten-core / emsdk

Emscripten SDK
http://emscripten.org

Hash-pin images used in the Dockerfile #1243

Closed pnacht closed 1 year ago

pnacht commented 1 year ago

Hey, I'm back (see #1224) with another security suggestion!

Docker image tags are mutable and can therefore be modified by malicious actors. A solution is to pin the image to a hash instead. This ensures the image will always do what you expect.

The images can be kept up-to-date with dependabot. Whenever a new version of an Action is released, you'll receive a PR updating its hash (see my fork's PR for an example).

I'll send a PR along with this issue to pin the images and set up dependabot to keep an eye on them.
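The pinning the issue asks for is the difference between `FROM ubuntu:22.04` (a tag the registry can repoint) and `FROM ubuntu:22.04@sha256:<digest>` (content-addressed, so a retagged image no longer matches). Below is an added example, not code from the emsdk repository or from the issue author: a POSIX shell check that scans a Dockerfile and flags `FROM` lines whose image is referenced by a tag only. The function name `check_pinned_from`, the two sample Dockerfiles and the all-zero digest are constructed here for illustration; the check deliberately allows `FROM scratch` and references to earlier build stages, since neither is a registry image.

```shell
#!/bin/sh
# Added example (not from the emsdk repository or the issue author).
# check_pinned_from <Dockerfile>: exit 0 if every FROM that names a registry
# image carries @sha256:<64 hex chars>; otherwise print the offending lines
# to stderr and exit 1.
check_pinned_from() {
    awk '
    BEGIN { bad = 0 }
    tolower($1) == "from" {
        i = 2
        while ($i ~ /^--/) i++            # skip flags such as --platform=...
        ref = $i
        # A reference counts as pinned only if it ends in a full sha256 digest.
        pinned = 0
        n = index(ref, "@sha256:")
        if (n > 0) {
            d = substr(ref, n + 8)
            if (length(d) == 64 && d ~ /^[0-9a-f]+$/) pinned = 1
        }
        # "scratch" and aliases of earlier stages are not pulled from a registry.
        if (tolower(ref) != "scratch" && !(ref in stages) && !pinned) {
            print "unpinned: " $0 > "/dev/stderr"
            bad = 1
        }
        # Remember "... AS <alias>" so a later "FROM <alias>" is not flagged.
        for (j = i + 1; j <= NF; j++)
            if (tolower($j) == "as") stages[$(j + 1)] = 1
    }
    END { exit bad }
    ' "$1"
}

# Constructed samples (not real emsdk Dockerfiles). The digest below is a
# placeholder value, not the digest of any real image.
SAMPLE_DIR=$(mktemp -d)
TAGGED_DOCKERFILE="$SAMPLE_DIR/Dockerfile.tag"
PINNED_DOCKERFILE="$SAMPLE_DIR/Dockerfile.pinned"

cat > "$TAGGED_DOCKERFILE" <<'EOF'
# Mutable tag only: whatever the registry serves for 22.04 today is used.
FROM ubuntu:22.04
RUN apt-get update
EOF

cat > "$PINNED_DOCKERFILE" <<'EOF'
# Tag plus digest: the tag is informational, the digest is what is pulled.
FROM --platform=linux/amd64 ubuntu:22.04@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS base
FROM base
FROM scratch
COPY --from=base /etc/os-release /
EOF

# Example run (prints the offending line for the tag-only file):
check_pinned_from "$PINNED_DOCKERFILE" && echo "pinned file: ok"
check_pinned_from "$TAGGED_DOCKERFILE" || echo "tag-only file: unpinned FROM found"
```

To obtain the digest for an image you already have locally, `docker inspect --format '{{index .RepoDigests 0}}' ubuntu:22.04` prints the `name@sha256:...` form; Dependabot's `docker` package ecosystem then keeps that digest current by opening a PR whenever the upstream tag moves to a new digest.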

sbc100 commented 1 year ago

Closing for now; we can revisit if needed.