Add basic remediation for dockerfile pinning
spencerschrock committed Jul 13, 2022
1 parent 5f3df14 commit 1c99e0a
Showing 2 changed files with 28 additions and 2 deletions.
11 changes: 9 additions & 2 deletions checks/evaluation/pinned_dependencies.go
Expand Up @@ -136,10 +136,17 @@ func PinningDependencies(name string, dl checker.DetailLogger,
}

func generateRemediation(rr *checker.Dependency) *checker.Remediation {
if rr.Type == checker.DependencyUseTypeGHAction {
switch rr.Type {
case checker.DependencyUseTypeGHAction:
return remediation.CreateWorkflowPinningRemediation(rr.Location.Path)
case checker.DependencyUseTypeDockerfileContainerImage:
if rr.Name == nil {
return nil
}
return remediation.CreateDockerfilePinningRemediation(*rr.Name)
default:
return nil
}
return nil
}

func updatePinningResults(rr *checker.Dependency,
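Review bot: The new Dockerfile case in generateRemediation hands `*rr.Name` to CreateDockerfilePinningRemediation, which in the other file of this commit resolves the digest via crane.Digest, i.e. a remote registry lookup per unpinned image — nothing at this call site hints that evaluation now does network I/O, so the function deserves a doc comment. Suggest `// generateRemediation builds a pinning remediation for rr. For Dockerfile images this performs a remote registry lookup to resolve the digest and yields nil when the lookup fails.` Note also that a nil from the Dockerfile helper is returned unchanged, so a failed lookup is indistinguishable from "no remediation available"; that is acceptable but worth stating in the comment. The hunk ends inside the signature of updatePinningResults, whose body is outside this view.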
19 changes: 19 additions & 0 deletions remediation/remediations.go
Expand Up @@ -20,6 +20,8 @@ import (
"strings"
"sync"

"github.com/google/go-containerregistry/pkg/crane"

"github.com/ossf/scorecard/v4/checker"
"github.com/ossf/scorecard/v4/clients"
)
Expand All @@ -37,6 +39,7 @@ var (
workflowText = "update your workflow using https://app.stepsecurity.io/secureworkflow/%s/%s/%s?enable=%s"
//nolint
workflowMarkdown = "update your workflow using [https://app.stepsecurity.io](https://app.stepsecurity.io/secureworkflow/%s/%s/%s?enable=%s)"
dockerfileText = "pin your Docker image (%[1]s). For linux/amd64 update to %[1]s@%s"
)

//nolint:gochecknoinits
Expand Down Expand Up @@ -95,3 +98,19 @@ func createWorkflowRemediation(path, t string) *checker.Remediation {
HelpMarkdown: markdown,
}
}

// CreateDockerfilePinningRemediation create remediaiton for pinning Dockerfile images.
func CreateDockerfilePinningRemediation(image string) *checker.Remediation {
hash, err := crane.Digest(image)
if err != nil {
return nil
}

text := fmt.Sprintf(dockerfileText, image, hash)
markdown := text

return &checker.Remediation{
HelpText: text,
HelpMarkdown: markdown,
}
}
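Review bot: CreateDockerfilePinningRemediation passes `image`, a name read from the scanned repository's Dockerfile, straight to crane.Digest, so evaluating an untrusted repository causes an outbound request to whichever registry host that name points at, with no context or deadline — a slow or unreachable registry stalls the whole check, and the bare `return nil` on error hides why no remediation was produced. If the vendored crane exposes crane.WithContext, threading a context with a timeout into the call and surfacing the error (log it or return it) would bound that; the caller already treats nil as "no remediation", so the interface can stay as is. The text hard-codes linux/amd64, but without an explicit platform option the digest crane.Digest returns may be the index digest rather than the linux/amd64 image digest — confirm, or pass the platform explicitly via crane.WithPlatform. The doc comment also has typos; suggest `// CreateDockerfilePinningRemediation creates a remediation for pinning Dockerfile images.`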
