Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add actions security scanning #1114

Open
danielrbradley opened this issue Oct 31, 2024 · 0 comments
Open

Add actions security scanning #1114

danielrbradley opened this issue Oct 31, 2024 · 0 comments
Labels
impact/security kind/enhancement Improvements or new features

Comments

@danielrbradley
Copy link
Member

danielrbradley commented Oct 31, 2024

Investigate zizmor

Possible new tool: https://github.com/woodruffw/zizmor

Initial investigation PR:

The suggestions seem good and actionable, however, we need the ability to mark some findings are exempt before being able to integrate within PRs and fail the check.

Key upstream issues to wait for:

@pulumi-bot pulumi-bot added the needs-triage Needs attention from the triage team label Oct 31, 2024
@danielrbradley danielrbradley added impact/security kind/enhancement Improvements or new features and removed needs-triage Needs attention from the triage team labels Oct 31, 2024
github-merge-queue bot pushed a commit that referenced this issue Nov 1, 2024
Experimenting with the new [zizmor
tool](https://github.com/woodruffw/zizmor). There's still a number of
false-positives so probably not yet worth integrating into our CI run,
but have audited the current feedback.

Related to:
- #1114

## Only persist git credentials where we need to use them

- Don't leave these around when we don't need to.
- Explicitly set to true where we need them, with a comment highlighting
why we're keeping them.
- Fix a few places we weren't using the centrally managed checkout
version.
- Tweak the conditionals for submodules so the `with:` is always there
now.

## Use of fundamentally insecure workflow trigger -
`pull_request_target`

These appear ok because we're just using this to comment on community
PRs. These don't run builds

```
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> .github/workflows/community-moderation.yml:38:1
   |
38 | / on:
39 | |   pull_request_target:
...  |
42 | |     types:
43 | |     - opened
   | |_____________^ pull_request_target is almost always used insecurely
   |
```

```
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> .github/workflows/pull-request.yml:44:1
   |
44 | / on:
45 | |   pull_request_target: {}
   | |__________________________^ pull_request_target is almost always used insecurely
   |
```


## Code injection via template expansion

```
.github/workflows/master.yml
  env.COVERAGE_OUTPUT_DIR may expand into attacker-controllable code
```

This is not inputtable by a third party user. 

```
.github/workflows/prerequisites.yml
  inputs.default_branch may expand into attacker-controllable code
```

This is a workflow call (reusable workflow) and the input is always set
as `github.event.repository.default_branch`.

```
.github/workflows/upgrade-provider.yml
  github.event.inputs.version may expand into attacker-controllable code
  steps.upstream_version.outputs.latest_version may expand into attacker-controllable code
  github.repository may expand into attacker-controllable code
  steps.target_version.outputs.version may expand into attacker-controllable code
```

This can only be triggered by internal users.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
impact/security kind/enhancement Improvements or new features
Projects
None yet
Development

No branches or pull requests

2 participants