## Description

I would like to suggest a security practice recommended by the [OpenSSF Scorecard][scorecard-repo], which is to hash-pin dependencies to prevent typosquatting and tag-renaming attacks. The change would only be applied to GitHub workflows. This means hash-pinning GitHub Workflow actions.

Along with hash-pinning dependencies, I also recommend adopting Dependabot (or another dependency-update tool) to help keep the dependencies up to date. Most tools can update hashes and associated semantic version comments.

Any questions or concerns, just let me know. Thanks!

## Additional Context

A tag-renaming attack is a type of attack whereby an attacker:

- Hijacks an action.
- Uploads a malicious version.
- Replaces existing tags with malicious versions.

A [typosquatting attack][typosquatting] is a type of attack whereby an attacker:

- Creates a malicious package.
- Publishes it with a name similar to a known package (example: numpi instead of numpy).

For more information about the dependency-update tools:

- [Dependabot][dependabot]

[scorecard-repo]: https://github.com/ossf/scorecard
[deps-confusion]: https://www.websecuritylens.org/how-dependency-confusion-attack-works-and-how-to-prevent-it/
[typosquatting]: https://snyk.io/blog/typosquatting-attacks/
[dependabot]: https://github.blog/2020-06-01-keep-all-your-packages-up-to-date-with-dependabot/
[renovatebot]: https://www.mend.io/renovate/

PiperOrigin-RevId: 561019142

pull/13765/head
parent
332352113c
commit
da398bd4c2
3 changed files with 10 additions and 2 deletions
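The commit message asks for workflow actions to be pinned to a full commit SHA rather than a mutable tag. The following check is an added example written for this review; it is not code from the OpenSSF Scorecard project or from this repository. It scans workflow YAML for `uses:` references and reports those that are not pinned to a 40-character hex commit, which is the same criterion Scorecard's Pinned-Dependencies check applies to GitHub Actions. The sample workflow and the 40-hex value in it are constructed placeholders, not a real action commit.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this review (not Scorecard's or the repository's own code).
A reference is considered pinned when:
  * it is a local action (./path), which lives in the same repository, or
  * it is a docker:// image pinned by sha256 digest, or
  * the part after '@' is a full 40-hex git commit SHA.
Tags such as @v4 or branches such as @main are mutable and therefore unpinned.
"""
import re
from typing import List, Tuple

# Matches step-level "- uses: ..." and job-level "uses: ..." (reusable workflows).
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-fA-F]{64}$")


def is_pinned(ref: str) -> bool:
    """Return True when `ref` cannot be silently retargeted by the action's maintainer."""
    if ref.startswith("./"):
        return True  # local action: same repo, same commit as the workflow itself
    if ref.startswith("docker://"):
        return bool(DIGEST_RE.search(ref))  # image tags are mutable; digests are not
    if "@" not in ref:
        return False  # no version at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return bool(FULL_SHA_RE.match(version))  # short SHAs are deliberately rejected


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every `uses:` that is not hash-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match and not is_pinned(match.group(1)):
            findings.append((lineno, match.group(1)))
    return findings


def pin_reference(ref: str, commit_sha: str, tag: str) -> str:
    """Render the conventional pinned form `owner/action@<sha> # <tag>`.

    The caller must supply the SHA it resolved for `tag` (e.g. with
    `git ls-remote`); this function only formats it and keeps the tag as a
    comment so update tools can track the semantic version.
    """
    if not FULL_SHA_RE.match(commit_sha):
        raise ValueError("commit_sha must be a full 40-hex commit SHA")
    action = ref.rsplit("@", 1)[0]
    return f"{action}@{commit_sha} # {tag}"


# Constructed sample workflow; the 40-hex value below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.18
      - name: Run tests
        uses: some-org/some-action@main
        with:
          flag: true
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action reference {ref!r}")
```

Running the script against the constructed workflow reports the `@v4`, `docker://alpine:3.18` and `@main` references and accepts the SHA-pinned and local ones. The script does not resolve tags to commits itself; pin with the SHA you obtain from the upstream repository, and leave the `# vX.Y.Z` comment in place so Dependabot can bump both the hash and the comment together.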
@ -0,0 +1,8 @@ |
version: 2 |
updates: |
- package-ecosystem: "github-actions" # Necessary to update action hashs |
directory: "/" |
schedule: |
interval: "weekly" |
# Allow up to 3 opened pull requests for github-actions versions |
open-pull-requests-limit: 3 |
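Review bot: the comment on the `package-ecosystem: "github-actions"` line has a typo ("hashs" for "hashes") and undersells what the entry does; suggest `# Necessary to update action hashes and their version comments`, since the point of this change is that Dependabot rewrites both the pinned SHA and the trailing `# vX.Y.Z` comment. Note also that the page reports 3 changed files with 10 additions, but only this 8-line config hunk is visible here, so the workflow files whose `uses:` lines were actually hash-pinned cannot be reviewed from this view; the config alone does not pin anything, it only keeps already-pinned references current. The `open-pull-requests-limit: 3` with a weekly schedule is reasonable for a repository with a handful of actions; if the pinned actions grow, consider raising it so updates are not silently deferred.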