Best practice in actions these days is to pin an action to its SHA commit number. This prevents problems when an attacker compromises an action and releases a newer version with dodgy code.
The GitHub Actions instructions show there's no marketplace action at all for the SBOM tool, which means you can't follow the recommended best practices for third-party actions.
The instructions to just curl down the latest release present the same risk that pinning an action would avoid (assuming any action you publish also downloads a specific version, rather than just latest).
While you could reduce the risk by having SBOM generation run in a separate action and upload its own artifact, this is a bunch of work for a lot of people which could be avoided if you'd publish a marketplace action instead. Additionally, an action would also tie into Dependabot nicely, giving users a notification and an appropriate PR when a new version is published.
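The two patterns the issue contrasts, a `uses:` reference pinned to a mutable tag rather than a commit SHA and a `run:` step that downloads a "latest" release, can be flagged with a small workflow audit. This is an added example, not code from the issue or from the SBOM tool project; the sample workflow and the 40-hex SHA in it are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not a real project file). The upload-artifact
# SHA is a made-up placeholder that merely has the right shape for the check.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  sbom:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - run: |
          curl -Lo sbom-tool https://example.invalid/releases/latest/download/sbom-tool
          chmod +x sbom-tool
"""

SHA40 = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"]+)")
DOWNLOAD_LATEST = re.compile(r"\b(curl|wget)\b.*\blatest\b")


def audit_workflow(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, finding) pairs for references that are not pinned.

    A `uses:` reference is considered pinned only when the part after '@' is a
    full 40-hex commit SHA; tags and branches are mutable and can be moved to
    malicious code. A curl/wget of a 'latest' release is flagged for the same
    reason: the bytes fetched tomorrow need not be the bytes reviewed today.
    """
    findings: List[Tuple[int, str]] = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES.match(line)
        if m:
            ref = m.group(1)
            # Local (./path) and docker:// references are out of scope here.
            if ref.startswith(("./", "docker://")):
                continue
            action, _, version = ref.partition("@")
            if not SHA40.match(version):
                findings.append((n, f"{action} pinned to mutable ref "
                                    f"'{version or '<none>'}', not a commit SHA"))
            continue
        if DOWNLOAD_LATEST.search(line):
            findings.append((n, "download of 'latest' release; pin a version "
                                "and verify its checksum before running it"))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {msg}")
```

On the sample above the audit reports the tag-pinned checkout step and the curl of the latest release, while the SHA-pinned step passes.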
Thank you for pointing this out. We agree with your findings, but will not act on this yet. If our GitHub Action becomes a higher priority for us in the future, we may choose to take this work on.