https://bz.apache.org/bugzilla/show_bug.cgi?id=66658

            Bug ID: 66658
           Summary: Reference GitHub Actions and Docker Images by SHA
           Product: Tomcat 11
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Packaging
          Assignee: dev@tomcat.apache.org
          Reporter: diogote...@google.com
  Target Milestone: -------

Hi!

I'm Diogo and I work on Google's Open Source Security
Team ([GOSST](https://github.com/diogoteles08#about-gosst-ghost)) in cooperation
with the Open Source Security Foundation ([OpenSSF](https://openssf.org/)). My
core job is to suggest and implement security changes on widely used open
source projects 😊

I'm here to ask if you are interested in a PR to hash pin the Actions you call
in your GitHub Workflows, and the docker images you use on your docker files.
This is the only way to guarantee that you're using an immutable version of the
code, which might protect you from tags being moved to malicious or buggy
commits. 

The changes would be similar to those:

For the docker files, `From busybox:glibc` would become `From
busybox:glibc@sha256:2a6835efa6f7ba15d30e1118e72e9ba180e4ae8253bfe80e97628df85f3aad8f`

For the GitHub Actions, `- uses: actions/setup-java@v3` would become
`- uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0`

It would make it a bit more difficult to manually update the versions, but
Dependabot is able to do it automatically -- and it also makes sure to keep the
human-readable version as a comment 😄 . Do you already have Dependabot enabled?
I've found this [dependabot PR](https://github.com/apache/tomcat/pull/603), but
haven't found the dependabot.yml file, so I couldn't tell.

Both changes are recommended by security tools like
[Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies).
The GitHub Actions change is also recommended by [GitHub
itself](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions),
and you can read about a practical impact of the Docker image change on this
[blogpost](https://rockbag.medium.com/why-you-should-pin-your-docker-images-with-sha-instead-of-tags-fd132443b8a6).
Thanks!
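The report describes the two pinned forms but not how a maintainer would audit a repository for references that are still mutable. The following checker is an added example, not code from the bug report or from the Tomcat project: it scans workflow text for `uses:` references that are not a full 40-character commit SHA and Dockerfile text for `FROM` lines without a `sha256` digest, skipping local actions, `scratch` and earlier build stages, which cannot be pinned. The function names and the sample workflow and Dockerfile are constructed for the example; the digest and commit SHA are the ones quoted in the report.

```python
"""Offline audit for unpinned GitHub Actions and Docker base images.

Added example, not part of the Tomcat bug report or the Tomcat project.
Function names are hypothetical; sample inputs below are constructed.
"""
import re

COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full git commit id
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")         # OCI content digest
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")      # step or job `uses:`
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE
)


def check_workflow(text):
    """Return (line, ref, reason) for every action reference that is not hash-pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action in the same repository: nothing external to pin
        if ref.startswith("docker://"):
            # Container actions are pinned by image digest, not by commit SHA.
            if not DIGEST_RE.search(ref):
                findings.append((lineno, ref, "docker action without sha256 digest"))
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if not COMMIT_SHA_RE.match(version):
            findings.append((lineno, ref, "mutable tag or branch instead of commit SHA"))
    return findings


def check_dockerfile(text):
    """Return (line, image, reason) for every FROM whose base image carries no digest."""
    findings = []
    stages = set()  # names introduced by `FROM ... AS name`
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage)
        if image == "scratch" or image in stages:
            continue  # empty base image, or a reference to an earlier build stage
        if not DIGEST_RE.search(image):
            findings.append((lineno, image, "tag only, no sha256 digest"))
    return findings


# Constructed sample inputs: one unpinned and one pinned form of each kind.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
"""

SAMPLE_DOCKERFILE = """\
FROM busybox:glibc AS base
FROM busybox:glibc@sha256:2a6835efa6f7ba15d30e1118e72e9ba180e4ae8253bfe80e97628df85f3aad8f
FROM base
FROM scratch
"""

if __name__ == "__main__":
    for lineno, ref, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"workflow:{lineno}: {ref}: {reason}")
    for lineno, image, reason in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{lineno}: {image}: {reason}")
```

Run it as-is to see the two unpinned action references (lines 4 and 7 of the sample workflow) and the one unpinned base image (line 1 of the sample Dockerfile) reported; point the two functions at real files to audit a checkout. Note that a SHA copied from a tag should be confirmed against the upstream release before it is committed, and that pinning an action's commit does not pin whatever that action itself fetches at run time.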
