Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(github-workflows): use official GitHub action for token generation #419

Merged
merged 3 commits into from
Dec 11, 2024

Conversation

bthuilot
Copy link
Contributor

What does this PR do?

  • Replaces usage of tibdex/github-app-token with official GitHub action

Signed-off-by: Bryce Thuilot <bryce.thuilot@datadoghq.com>
@bthuilot bthuilot requested a review from a team as a code owner December 10, 2024 20:12
.github/workflows/test_integration.yml Show resolved Hide resolved
.github/workflows/approved_status.yml Show resolved Hide resolved
.github/workflows/test.yml Show resolved Hide resolved
.github/workflows/prepare_release.yml Show resolved Hide resolved
.github/workflows/release.yml Show resolved Hide resolved
@bthuilot
Copy link
Contributor Author

Dismissing "pin by tag" due to sensitivity of action and lack of dependabot

@jack-edmonds-dd jack-edmonds-dd merged commit a54aae3 into master Dec 11, 2024
10 checks passed
@jack-edmonds-dd jack-edmonds-dd deleted the bryce.thuiilot/vuln-9301 branch December 11, 2024 15:01
@@ -30,10 +30,10 @@ jobs:
- name: Get GitHub App token
if: github.event_name == 'pull_request'
id: get_token
uses: tibdex/github-app-token@v2.1.0
uses: actions/create-github-app-token@v1

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Workflow depends on a GitHub actions pinned by tag (...read more)

When using a third party action, one needs to provide its GitHub path (owner/project) and can eventually pin it to a Git ref (a branch name, a Git tag, or a commit hash).

No pinned Git ref means the action uses the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a Git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state.

Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks.

Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible.

View in Datadog  Leave us feedback  Documentation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants