-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow pinning setup-trivy by hash #423
Comments
Could you expand more on this, where does this passlisting happen? Is it a GitHub requirement? |
Yes. GitHub Actions settings have an optional passlist. It is possible to passlist a tag too, but some projects try to rely as much as possible on actions references by commit hash (branches and tags can be arbitrarily rewritten). This reduces the attack surface for supply chain attacks through compromised GitHub Actions. |
This could also be fixed by using a commit hash reference in action.yml for setup-trivy. Users who do not restrict their referenced Actions will not notice the difference. Those who enforce commit hash pinning will be able to do so. |
I work with repos where all GitHub Actions are pinned by commit hash, and passlisted in the repo settings. As of #406, it is not possible to do this anymore, since it internally fetches
aquasecurity/setup-trivy
by tag, and there does not seem to be any way to override that. Even ifskip-setup-trivy: true
is set, it seems GitHub will require passlisting the tag version.The text was updated successfully, but these errors were encountered: