The check on the headlamp OpenSSF scorecard identifies a number of dependencies where we don't pin the version hash.
Pinned dependencies reduce several security risks:
- They ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility.
- They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised).
- They are one way to counter dependency confusion (aka substitution) attacks, in which an application uses multiple feeds to acquire software packages (a "hybrid configuration"), and attackers fool the user into using a malicious package via a feed that was not expected for that package.
Info: 3 out of 69 GitHub-owned GitHubAction dependencies pinned
Info: 1 out of 19 third-party GitHubAction dependencies pinned
Info: 0 out of 9 containerImage dependencies pinned
Info: 1 out of 7 npmCommand dependencies pinned
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-linux.yml:21
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-linux.yml:25
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-linux.yml:28
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-linux.yml:38
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-linux.yml:45
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-linux.yml:52
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:25
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:29
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:36
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:63
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:77
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:81
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:89
Warn: third-party GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:95
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:135
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:151
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-mac.yml:159
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-win.yml:26
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-win.yml:29
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-win.yml:35
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-win.yml:42
Warn: third-party GitHubAction not pinned by hash: .github/workflows/app-artifacts-win.yml:48
Warn: third-party GitHubAction not pinned by hash: .github/workflows/app-artifacts-win.yml:53
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app-artifacts-win.yml:92
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:31
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:33
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:36
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:48
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:50
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:53
Warn: third-party GitHubAction not pinned by hash: .github/workflows/app.yml:57
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:68
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:70
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/app.yml:73
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/backend-test.yml:20
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/backend-test.yml:24
Warn: third-party GitHubAction not pinned by hash: .github/workflows/backend-test.yml:34
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/backend.yml:28
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/backend.yml:34
Warn: third-party GitHubAction not pinned by hash: .github/workflows/backend.yml:37
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-container.yml:28
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-container.yml:29
Warn: third-party GitHubAction not pinned by hash: .github/workflows/build-container.yml:33
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-container.yml:39
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-container.yml:152
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build-container.yml:156
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/container-publish.yml:30
Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish.yml:32
Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish.yml:72
Warn: third-party GitHubAction not pinned by hash: .github/workflows/container-publish.yml:78
Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-extension-release.yml:21
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-extension-release.yml:26
Warn: third-party GitHubAction not pinned by hash: .github/workflows/draft-release.yml:22
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:62
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:65
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:88
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:91
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:114
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:117
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:136
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:139
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:158
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:161
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:35
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/frontend.yml:38
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/helm-chart-lint-test.yml:17
Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-lint-test.yml:22
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/helm-chart-lint-test.yml:26
Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-lint-test.yml:31
Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-lint-test.yml:45
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/helm-chart-release.yml:25
Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-release.yml:35
Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-release.yml:38
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/helm-chart-template-test.yml:17
Warn: third-party GitHubAction not pinned by hash: .github/workflows/helm-chart-template-test.yml:22
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/helm-chart-template-test.yml:26
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-chart.yml:25
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-homebrew.yml:22
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-homebrew.yml:46
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-minikube.yml:26
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-minikube.yml:50
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-winget.yml:15
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-winget.yml:33
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pr-to-update-winget.yml:56
Warn: containerImage not pinned by hash: Dockerfile:4
Warn: containerImage not pinned by hash: Dockerfile:6
Warn: containerImage not pinned by hash: Dockerfile:30
Warn: containerImage not pinned by hash: Dockerfile:43
Warn: containerImage not pinned by hash: Dockerfile:67
Warn: containerImage not pinned by hash: Dockerfile:75
Warn: containerImage not pinned by hash: Dockerfile.plugins:2
Warn: containerImage not pinned by hash: Dockerfile.plugins:28: pin your Docker image by updating alpine:latest to alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
Warn: containerImage not pinned by hash: docker-extension/Dockerfile:1
Warn: npmCommand not pinned by hash: Dockerfile:41
Warn: npmCommand not pinned by hash: plugins/headlamp-plugin/install-dependencies.sh:9
Warn: npmCommand not pinned by hash: plugins/headlamp-plugin/test-plugins-examples.sh:16
Warn: npmCommand not pinned by hash: .github/workflows/build-container.yml:56
Warn: npmCommand not pinned by hash: .github/workflows/build-container.yml:60
Warn: npmCommand not pinned by hash: .github/workflows/pr-to-update-winget.yml:41
More details are in the explanation for this issue.
Best practice for pinning GitHub Actions: note how the commit hash is used as the ref, and a comment then records the version number.
The issues listed above are those identified at the time of writing.
Check the scorecard for an updated daily list.
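The three unpinned forms the scorecard reports above (GitHub Actions, container images, npm commands) can be caught locally before Scorecard runs. The following is an added example, not headlamp's or Scorecard's own code: a minimal checker for each form plus the hash-with-version-comment rewrite described in the best practice. The sample workflow, Dockerfile and commit SHA are constructed; the alpine digest is the one Scorecard printed above.

```python
"""Added example (not headlamp's or Scorecard's code): flag unpinned GitHub Actions,
container images and npm commands, and rewrite a `uses:` line to hash + version comment."""
import re
# An action is pinned only when its ref is a full 40-hex commit SHA, not a tag or branch.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@(\S+)", re.M)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# An image is pinned only when it carries an @sha256:<64 hex> digest; tags like :latest float.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.M | re.I)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# `npm install`/`i`/`add` resolve semver ranges at build time; `npm ci` installs the lockfile exactly.
NPM_RE = re.compile(r"\bnpm\s+(?:install|i|add)\b")

def check_workflow(text):
    """Report every `uses:` whose ref is not a commit SHA."""
    return [f"GitHubAction not pinned by hash: {name}@{ref}"
            for name, ref in USES_RE.findall(text) if not SHA_RE.match(ref)]

def check_dockerfile(text):
    """Report every FROM image without a digest, skipping scratch and earlier stage aliases."""
    findings, stages = [], set()
    for image, alias in FROM_RE.findall(text):
        if image.lower() != "scratch" and image not in stages and not DIGEST_RE.search(image):
            findings.append(f"containerImage not pinned by hash: {image}")
        stages.add(alias)
    return findings

def check_npm(text):
    """Report npm commands that resolve versions at run time instead of using `npm ci`."""
    return [f"npmCommand not pinned by hash: {line.strip()}"
            for line in text.splitlines() if NPM_RE.search(line)]

def pin_action(line, commit_sha, version_tag):
    """Rewrite `uses: owner/repo@tag` to `uses: owner/repo@<sha> # tag`. The caller must
    first resolve the tag to its commit in the action's repository; text after the ref is dropped."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(commit_sha):
        raise ValueError("need a `uses:` line and a full 40-hex commit SHA")
    return f"{line[:m.start(2)]}{commit_sha} # {version_tag}"

SAMPLE_WORKFLOW = """\
  - uses: actions/checkout@v4
  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v3 (constructed SHA)
  - run: npm install
  - run: npm ci
"""
SAMPLE_DOCKERFILE = """\
FROM alpine:latest AS builder
FROM alpine:latest@sha256:b89d9c93e9ed3597455c90a0b88a8bbb5cb7188438f70953fede212a0c4394e0
FROM builder
RUN npm install
"""
```

Running the three checks over the two constructed samples flags exactly `actions/checkout@v4`, the first `alpine:latest` and both `npm install` lines, while the digest-pinned image, the stage alias and `npm ci` pass.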