Releases: tehreet/pinpoint

v0.7.0

25 Mar 16:46

Docker Action Verification

Pinpoint is the first GitHub Actions security tool to verify Docker image digests.

New

  • Docker digest resolution: pinpoint lock captures image digests from OCI registries (ghcr.io, Docker Hub, quay.io)
  • Docker digest verification: pinpoint gate --integrity detects when a Docker image tag has been repointed to a different image
  • Dockerfile FROM parsing: Captures and verifies base image digests for Dockerfile-based actions
  • SHA-pinned ref verification (spec 023): SHA-pinned action refs are now verified against the lockfile when --fail-on-missing is active

Lockfile format

Docker actions now include a docker field with image, tag, digest, and source.

Attack coverage

  • 10/10 attack battery (tag repoint, unknown action, branch-pinned ref, SHA swap, gate removal, typosquat, version bump, lockfile poisoning, new evil workflow, semver specificity)
  • Docker image tag repoint detection verified against live Docker Hub registry

264 tests, all passing. Zero new dependencies.
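As an added illustration of the FROM parsing and digest repoint check described above for v0.7.0 (example code, not pinpoint's own; the field names, the `dockerfile` source label and the sample FROM line are assumptions), the Go below splits a Dockerfile FROM reference into image, tag and digest and compares the locked digest with whatever digest a registry lookup returns for that tag today:

```go
package main

import (
	"fmt"
	"strings"
)

// DockerPin holds the fields the v0.7.0 notes list for a Docker action; names are assumed.
type DockerPin struct{ Image, Tag, Digest, Source string }

// ParseFrom extracts image, tag and digest from a Dockerfile FROM line such as
// "FROM --platform=linux/amd64 ghcr.io/org/base:1.2@sha256:... AS build".
func ParseFrom(line string) (DockerPin, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
		return DockerPin{}, false
	}
	ref := ""
	for _, f := range fields[1:] { // skip flags such as --platform
		if !strings.HasPrefix(f, "--") {
			ref = f
			break
		}
	}
	if ref == "" {
		return DockerPin{}, false
	}
	pin := DockerPin{Source: "dockerfile"}
	if i := strings.Index(ref, "@"); i >= 0 {
		pin.Digest, ref = ref[i+1:], ref[:i]
	}
	// Split on ':' only after the last '/', so a registry port is not read as a tag.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		pin.Tag, ref = ref[i+1:], ref[:i]
	}
	pin.Image = ref
	return pin, true
}

// CheckRepoint compares the digest a registry currently serves for image:tag with
// the locked digest; a mismatch means the mutable tag now points at other content.
func CheckRepoint(pin DockerPin, liveDigest string) error {
	if pin.Digest == "" {
		return fmt.Errorf("%s: no digest recorded, cannot verify", pin.Image)
	}
	if liveDigest != pin.Digest {
		return fmt.Errorf("%s:%s repointed: locked %s, registry serves %s", pin.Image, pin.Tag, pin.Digest, liveDigest)
	}
	return nil
}
```

A tag-only FROM line parses but cannot be verified, which is why the lock step must record the digest at lock time.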

v0.6.1

25 Mar 10:09

Fix: SHA-pinned action bypass (spec 023)

SHA-pinned refs (e.g. actions/checkout@b4ffde6...) are now verified against
the lockfile when --fail-on-missing is active. Previously they were auto-skipped
as 'inherently safe', allowing an attacker to reference a malicious commit SHA.

  • Zero API calls added (pure manifest lookup)
  • Backward compatible (legacy mode preserves old behavior)
  • 6 new tests

v0.6.0

25 Mar 05:19

What's New

  • --all-workflows mode: Gate verifies all workflow files, not just the triggering one
  • --warn mode: Log violations without blocking, for phased rollout
  • inject command: Automatically add pinpoint gate steps to workflow files
  • --fail-on-missing: Block actions not in lockfile (auto-enabled with new lockfile path)
  • Bug fixes: trigger detector false positives, GPG scenario, progress logging

Full Changelog: 25 commits since v0.5.0

v0.5.0: Content Integrity, Transitive Deps, On-Disk Verification

22 Mar 05:46

What's New

Content integrity hashes (spec 014): Every action in the lockfile now includes a SHA-256 hash of its tarball content. Proves the code hasn't changed, not just that the tag hasn't moved. Parallel downloads with 10-worker pool and deduplication.

Transitive dependency resolution (spec 014): Composite actions' inner uses: directives are discovered and tracked. The lockfile shows the full dependency tree. pinpoint lock --list prints it.

On-disk content verification (spec 015): pinpoint gate --on-disk hashes what the runner actually downloaded and compares to the lockfile. Eliminates TOCTOU race conditions. Adds 28ms of disk I/O, zero API calls. The first tool that verifies the code that's about to execute.

Performance benchmarks (spec 016): Go benchmarks for tarball throughput, tree hashing, and memory pressure. Streaming verified: 50MB tarball uses <10MB heap.

pinpoint lock command (spec 012): New top-level command. Default lockfile path is now .github/actions-lock.json. Gate auto-enforces when lockfile exists.

Gate verification levels

  • Default (SHA-only): 3 API calls, <2 seconds
  • --on-disk: +28ms disk I/O, zero network. Recommended.
  • --integrity: +N REST calls, 3-5s. For periodic audits.

Stats

  • 151 tests
  • 15,317 lines of Go
  • 5-platform binaries + SHA-256 checksums

Pinpoint v0.4.0

21 Mar 15:06

Pinpoint v0.3.0

21 Mar 13:06
