Pin third-party actions to commit SHAs #7
@kurtismash I also want to update all
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using the Wiz Code VS Code Extension.
Pull Request Developer Guidance: If the link to the Wiz scan details doesn't work, please ensure you are using the right role in Wiz and that the repository is assigned to the correct project within our Wiz Terraform. Or, you can ask for help in #tna-cloud-security on Slack.
| - name: Generate version tag | ||
| id: version-tag | ||
| uses: nationalarchives/ds-docker-actions/.github/actions/get-version-tag@main | ||
| uses: nationalarchives/ds-docker-actions/.github/actions/get-version-tag@main # zizmor: ignore[unpinned-uses] Owned by The National Archives |
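Review bot: this hunk leaves `get-version-tag@main` in place and only adds a `# zizmor: ignore[unpinned-uses]` suppression, so the build step still runs whatever is on the `main` branch of `nationalarchives/ds-docker-actions` at the time of each run; being owned by The National Archives does not make that branch immutable, and the PR title promises commit-SHA pins. Either pin this step to a full commit SHA of the action repository (keeping the matching tag in a trailing comment so tooling can update it) and drop the ignore, or, if the team is accepting the risk for first-party actions, record that exception in the `.wiz` file or an Ignore Rule rather than inline, so it is reviewed once and is not repeated per step.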
Workflow should not use branch-pinned third-party actions
on resource jobs.build.steps[1].uses
More Details
This rule checks that a GitHub workflow does not use branch-pinned third-party actions. It fails when a workflow contains steps that use third-party actions referenced by branch names (like @main, @master, @develop) instead of specific commit SHAs. Using branch-pinned actions creates a significant security risk, as branches are mutable references: the action maintainer can modify the code that will be executed in future workflow runs without any change to the referencing workflow file. This is particularly dangerous because it could lead to supply chain attacks in which malicious code is introduced after your workflow is created. To prevent this risk, pin third-party actions to specific commit SHAs.
Expected
Workflow job 'build' step[1] should pin third-party action to a commit SHA or version tag rather than a branch
Found
Workflow job 'build' step[1] uses branch-pinned third-party action: 'nationalarchives/ds-docker-actions/.github/actions/get-version-tag@main'
Security Frameworks: wf-id-1, wf-id-175
Rule ID: 88c6171f-260e-4e65-929a-3dab36a97930
To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason
If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).
To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate
#wiz_ignore Owned by The National Archives
The finding has been successfully ignored for these checks.
If you'd like to ignore this finding in all future scans, you can add a matching exception in the .wiz file.
This PR pins third-party GitHub Actions to full commit SHAs for supply-chain security.
This has been done automatically by pinact. When reviewing, please confirm that the SHAs are correct; zizmor will alert if they are not.
As a maintainer, please merge this PR once approved.
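As an added example that is not part of this PR and is not code from Wiz, zizmor or pinact, the following stand-alone checker implements the rule described in the Wiz finding above and the review step the PR description asks for: it walks a workflow file, classifies every `uses:` reference as a full-SHA pin, a tag or branch, a missing ref, a local action or a container image, and keeps inline `zizmor: ignore[unpinned-uses]` suppressions visible as their own status so a reviewer can audit them instead of losing them. It scans line by line with the standard library only rather than parsing YAML, which is enough because `uses:` values are plain scalars. The sample workflow and its 40-hex SHA are constructed placeholders (the SHA is not a real commit of any action); the `get-version-tag@main` line mirrors the hunk reviewed in this PR. Note that this only enforces the pin format; confirming that a given SHA actually belongs to the tag in its comment still needs a `git ls-remote` against the action repository, which this example does not perform.

```python
"""Stand-alone audit of `uses:` references in a GitHub Actions workflow.

Added example; it is not code from this PR, Wiz, zizmor or pinact.  It scans
the workflow text line by line (standard library only, no YAML dependency)
and reports every action reference that is not an immutable pin, including
references whose finding has been suppressed with an inline zizmor comment.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A full 40-hex commit SHA is the only reference the action owner cannot move.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` scalar (optionally quoted), with an optional trailing YAML comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*))?$""")
# Inline suppression of zizmor's unpinned-uses rule, as used in this PR's hunk.
ZIZMOR_IGNORE_RE = re.compile(r"zizmor:\s*ignore\[unpinned-uses\]")


@dataclass
class Finding:
    line: int
    uses: str
    kind: str            # local | docker | remote
    ref: Optional[str]   # text after '@', None when no ref was given
    status: str          # pinned | tag-or-branch | no-ref | suppressed
    comment: str         # trailing YAML comment, e.g. the tag a SHA pin stands for


def classify(uses: str) -> Tuple[str, Optional[str], str]:
    """Return (kind, ref, status) for one `uses:` value."""
    if uses.startswith("./"):
        # Local action: it ships with the workflow's own commit, so it is pinned.
        return "local", None, "pinned"
    if uses.startswith("docker://"):
        # Container images are immutable only when referenced by digest.
        ref = uses.split("@", 1)[1] if "@" in uses else None
        return "docker", ref, ("pinned" if ref and ref.startswith("sha256:") else "tag-or-branch")
    if "@" not in uses:
        # No ref at all resolves to the repository's default branch at run time.
        return "remote", None, "no-ref"
    ref = uses.rsplit("@", 1)[1]
    # Tags are treated like branches: both can be moved or deleted by the owner.
    return "remote", ref, ("pinned" if FULL_SHA_RE.match(ref) else "tag-or-branch")


def audit_workflow(text: str) -> List[Finding]:
    """Collect one Finding per `uses:` line in the workflow text."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m:
            continue
        uses, comment = m.group(1), (m.group(2) or "").strip()
        kind, ref, status = classify(uses)
        if status != "pinned" and ZIZMOR_IGNORE_RE.search(comment):
            # The risk was accepted inline; keep it visible so reviewers can audit it.
            status = "suppressed"
        findings.append(Finding(lineno, uses, kind, ref, status, comment))
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """Everything a pin-everything policy would fail, suppressed lines included."""
    return [f for f in findings if f.status != "pinned"]


# Constructed sample workflow.  The 40-hex SHA is a placeholder, not a real
# commit of actions/setup-node; the get-version-tag line mirrors the PR hunk.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.3
      - name: Generate version tag
        uses: nationalarchives/ds-docker-actions/.github/actions/get-version-tag@main # zizmor: ignore[unpinned-uses] Owned by The National Archives
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
      - uses: example-org/example-action
"""

if __name__ == "__main__":
    for f in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line}: {f.status:<14} {f.uses}" + (f"  # {f.comment}" if f.comment else ""))
```

Run against the sample it reports four lines: the `@v4` tag, the suppressed `@main` reference, the image tag and the action with no ref at all; only the SHA-pinned step and the local action pass. Treating tags the same as branches is deliberate: a tag can be force-moved or deleted by the action owner just like a branch, which is why pinact rewrites references to a full SHA and keeps the tag only as a comment.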