[KB] Add KB for xt0rted/dotnet-sdk-updater #372

Closed
step-security-bot opened this issue Feb 26, 2022 · 7 comments · Fixed by #421
Labels
knowledge-base Add Action KBs

Comments

@step-security-bot
Contributor

Knowledge Base is missing for xt0rted/dotnet-sdk-updater.

@step-security-bot step-security-bot added the knowledge-base Add Action KBs label Feb 26, 2022
@github-actions

github-actions bot commented Mar 8, 2022

This action's action.yml & README.md doesn't contain any reference to GITHUB_TOKEN

action-security.yml

name: "dotnet sdk updater" # xt0rted/dotnet-sdk-updater
# GITHUB_TOKEN not used
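
The bot's conclusion above comes from checking whether an action's action.yml and README.md mention the workflow token at all. The script below is an added example (not StepSecurity's scanner and not code from this repository) that reproduces that check and drafts the two-line KB stub posted in this thread when nothing is found. The action.yml and README.md contents are constructed samples; when a reference is found, the example deliberately returns no entry, because a grep cannot tell which permissions the action actually needs.

```python
import re

# Constructed sample files for an action that never touches the token
# (modelled on the stub in this issue, not copied from the real action).
SDK_UPDATER_ACTION_YML = """\
name: "dotnet sdk updater"
description: "Constructed sample: bumps global.json to the latest SDK"
inputs:
  channel:
    description: "Release channel to follow"
    required: false
runs:
  using: node16
  main: dist/index.js
"""
SDK_UPDATER_README = """\
# dotnet sdk updater (constructed sample)

Reads the .NET release metadata published by Microsoft and updates global.json.
"""

# Constructed sample files for a hypothetical action that does use the token.
PR_OPENER_ACTION_YML = """\
name: "pr opener"
description: "Constructed sample: opens a pull request with the updated file"
inputs:
  token:
    description: "Token used to call the GitHub API"
    default: ${{ github.token }}
runs:
  using: node16
  main: dist/index.js
"""
PR_OPENER_README = """\
# pr opener (constructed sample)

Pass `${{ secrets.GITHUB_TOKEN }}` as the `token` input so the action can open pull requests.
"""

# Ways an action can read the workflow token: the environment variable name
# (which also covers `secrets.GITHUB_TOKEN`) and the `github.token` context.
# Matching is case-sensitive because GitHub's identifiers are.
TOKEN_PATTERNS = [
    re.compile(r"\bGITHUB_TOKEN\b"),
    re.compile(r"\bgithub\.token\b"),
]


def find_token_references(text):
    """Return (line_number, stripped_line) for every line that mentions the token."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if any(pattern.search(line) for pattern in TOKEN_PATTERNS):
            hits.append((number, line.strip()))
    return hits


def build_kb_entry(display_name, action_ref, files):
    """Draft the KB entry for an action from its action.yml and README.md.

    `files` maps a file name to its contents. With no token reference in any
    file, the result is the two-line stub the bot posted in this issue.
    Otherwise the entry is None and the findings are returned, so a reviewer
    can work out the real permissions instead of guessing them from a grep.
    """
    findings = {}
    for name, body in files.items():
        refs = find_token_references(body)
        if refs:
            findings[name] = refs
    header = f'name: "{display_name}" # {action_ref}\n'
    if findings:
        return None, findings
    return header + "# GITHUB_TOKEN not used\n", findings


if __name__ == "__main__":
    for label, ref, files in [
        ("dotnet sdk updater", "xt0rted/dotnet-sdk-updater",
         {"action.yml": SDK_UPDATER_ACTION_YML, "README.md": SDK_UPDATER_README}),
        ("pr opener", "example/pr-opener",
         {"action.yml": PR_OPENER_ACTION_YML, "README.md": PR_OPENER_README}),
    ]:
        entry, findings = build_kb_entry(label, ref, files)
        print(entry if entry else f"{ref}: token referenced in {findings}")
```

Running it prints the same stub as the bot's action-security.yml for the first action and, for the second, the file and line numbers where the token is referenced.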

@xt0rted

xt0rted commented Mar 8, 2022

This action doesn't use the API. It does call out to a Microsoft server to get version information for .net sdks, but it doesn't hit GitHub's api for anything.

@varunsh-coder
Member

> This action doesn't use the API. It does call out to a Microsoft server to get version information for .net sdks, but it doesn't hit GitHub's api for anything.

Thanks @xt0rted for the confirmation! We do some automated analysis and that had the same conclusion. I am curious how you got to know about this issue?

We are planning to create an issue in the Action repo to let owners of Actions know about this in the future, but I don't think that work is done yet...

@github-actions

github-actions bot commented Mar 9, 2022

This action's action.yml & README.md doesn't contain any reference to GITHUB_TOKEN

action-security.yml

name: "dotnet sdk updater" # xt0rted/dotnet-sdk-updater
# GITHUB_TOKEN not used

@xt0rted

xt0rted commented Mar 9, 2022

@varunsh-coder I was told about this action while setting up a workflow for jsx-eslint/eslint-plugin-react#3223 and ran a couple of my workflows through https://app.stepsecurity.io/ to see what changes it recommended. One of my actions had an issue opened on it, but this one didn't.

@varunsh-coder
Member

> @varunsh-coder I was told about this action while setting up a workflow for yannickcr/eslint-plugin-react#3223 and ran a couple of my workflows through https://app.stepsecurity.io/ to see what changes it recommended. One of my actions had an issue opened on it, but this one didn't.

Thanks @xt0rted for the info! Please let me know if you have feedback on any of these projects. I am especially interested to know how to message harden-runner better. How was your experience using it? How can we improve the messaging to make it easier to understand? Thanks!
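
The thread establishes two facts a workflow author can act on: the action does not read GITHUB_TOKEN, and its only outbound traffic is to a Microsoft server for .NET SDK version data. The workflow below is an added example (not from this issue, the action's repository, or StepSecurity's recommendations) showing how those facts translate into a job with read-only token permissions and a harden-runner egress policy. The workflow trigger, the action's tag and inputs, and the `update-sdk` job name are assumptions; version tags are used for readability where a commit SHA pin would be the stricter choice.

```yaml
name: Update .NET SDK   # constructed example workflow

on:
  schedule:
    - cron: "0 6 * * 1"   # assumed weekly schedule
  workflow_dispatch:

# The KB entry says the action never uses GITHUB_TOKEN, so the job can run
# with the token reduced to read-only access to the repository.
permissions:
  contents: read

jobs:
  update-sdk:
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          # The thread says the action calls a Microsoft server but does not
          # name the host, so start in audit mode to record the endpoints it
          # contacts. Once known, switch to block mode and list them:
          #   egress-policy: block
          #   allowed-endpoints: >
          #     github.com:443
          #     <microsoft-host-seen-in-audit>:443
          egress-policy: audit

      - uses: actions/checkout@v3

      - name: Check for a newer .NET SDK
        uses: xt0rted/dotnet-sdk-updater@v1   # tag is an assumption
```

If a later step in the same workflow opens a pull request with the updated global.json, that step, not this action, is what needs `contents: write` and `pull-requests: write`, and those scopes belong on that job rather than at the top level.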

3 participants