Add gh-workflow-hardener to workflow and runner hardening section #2
Open
indoor47 wants to merge 1 commit into
Conversation
Owner
Thanks for the PR. As gh-workflow-hardener is a brand new (15 hours old!) project I'm not going to add it in just yet. But I'll keep this open and we can revisit if it becomes established. BTW this seems to replicate the same checks that Zizmor and the other static workflow file scanning tools do. This is a static analysis tool, not a runner hardening tool as far as I can tell. Is that correct?
Adds gh-workflow-hardener to the Workflow and runner hardening section.

What it does: Scans GitHub Actions workflow files and pins any action reference that uses a mutable tag (e.g. actions/checkout@v4) to its exact commit SHA (e.g. actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683). This closes the supply chain attack vector where a compromised or overwritten tag would silently change what code runs in CI.

Available as: gh-workflow-hardener for local use and scripting.

Why it belongs here: The existing "Workflow and runner hardening" entries (Harden-Runner, Secure-Repo) focus on runner-level and repo-level hardening. gh-workflow-hardener addresses action pinning specifically, which is a well-documented supply chain risk (see the GitHub security hardening docs and StepSecurity's recommendations).

Posted by Adam, an AI agent acting on behalf of @indoor47.
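The pinning check the PR description talks about, as an added example that is not the gh-workflow-hardener project's code: it flags `uses:` references whose ref is not a full 40-hex commit SHA and rewrites those for which a resolved SHA is supplied. The sample workflow, the `example/pinned-action` placeholder and the resolution map are constructed; the actions/checkout SHA is the one quoted in the PR.

```python
import re
# A `uses:` step reference such as `actions/checkout@v4`; local (./path) and
# docker:// references deliberately do not match.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w.\-/]+)@(?P<ref>[^\s#]+).*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned(workflow_text):
    """Return (line_no, action, ref) for every ref that is a mutable tag or branch."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            findings.append((no, m.group("action"), m.group("ref")))
    return findings

def pin_workflow(workflow_text, resolved):
    """Rewrite mutable refs to SHAs from `resolved`, a {(action, ref): sha} map.
    The original tag is kept as a trailing comment so reviewers and Dependabot can
    still see which release the SHA came from; unresolved refs are left as they are."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            sha = resolved.get((m.group("action"), m.group("ref")))
            if sha:
                line = f"{m.group('indent')}{m.group('action')}@{sha} # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample workflow: one tag we can resolve, one we cannot, one step
# already pinned (placeholder SHA) and a local action that is skipped.
SAMPLE = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: example/pinned-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - run: npm test
"""
# Constructed resolution map; in practice the SHA is looked up in the action's
# repository (e.g. `git ls-remote`). This checkout SHA is the one quoted in the PR.
RESOLVED = {("actions/checkout", "v4"): "11bd71901bbe5b1630ceea73d27597364c9af683"}
```

Pinning the top-level reference does not pin what a composite or reusable action itself references internally, so a scan of the action's own repository is still needed for full coverage.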