terriko
commented
1 year ago Confirmed that this works (because it did a PR for me on one of the repos pinned by hash) so we should be good to enable this.
Closed terriko closed 1 year ago
terriko
commented
1 year ago Confirmed that this works (because it did a PR for me on one of the repos pinned by hash) so we should be good to enable this.
One of the recommendations we're getting from the OpenSSF Scorecard is that we pin all the github actions workflows we're using using hashes instead of version tags (because tags could be changed but hashes would be harder to forge).
You can see how they have it done in the dependency review workflow I'm trying out: https://github.com/intel/cve-bin-tool/blob/main/.github/workflows/dependency-review.yml
I wasn't sure offhand how this will interact with our existing workflow upgrade stuff, so I didn't want to blindly merge the "fixes" given by their automated tool until I had some idea if they could play together. So I've merged the other changes but didn't have the tool generate the hash configs for now.
If anyone wants to experiment with the tool, here's a link: https://app.stepsecurity.io/securerepo
Looking at it now, it looks like we're handling our workflow updates through dependabot:
https://github.com/intel/cve-bin-tool/blob/main/.github/dependabot.yml#LL6C1-L9C9
I feel like this is something dependabot should handle but I'm not sure it does, so a bit of research is required.