
Comments (12)

mre commented on June 30, 2024

Sure. Just released v1.0.9 now.

from lychee-action.

mre commented on June 30, 2024

Hey @booyaa,
thanks for offering your help. That is a very interesting solution that is both easy to integrate, performant, and avoids a lot of manual work. I'd be happy to mention that workflow in the docs. Could you create a PR?

from lychee-action.

trevyn commented on June 30, 2024

@mre To clarify the concern, it's in this line:

FROM lycheeverse/lychee:latest

Pinning the action SHA as you mentioned earlier:

- name: Link Checker
  uses: lycheeverse/lychee-action@<sha>

prevents a silent attack from anything directly in the lychee-action repository, but since lychee-action specifies an unpinned Docker image, the user is still vulnerable if the lycheeverse/lychee:latest tag is changed to an attack, or an erroneous tinysearch push. 😉

Adding the current SHA to the first line of the Dockerfile would prevent this:

 FROM lycheeverse/lychee:latest@sha256:...

The dependabot solution @booyaa mentions sounds interesting if it can be made to work for updating that SHA.

from lychee-action.
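The two layers trevyn separates above (the `uses:` ref a workflow pins, and the `FROM` image the action's own Dockerfile pulls) can be audited mechanically. The script below is an added example, not lychee-action's code and not something any commenter posted. It flags `uses:` refs whose part after `@` is not a full 40-hex commit SHA, flags `FROM` images that carry no `@sha256:` digest, and shows the `name:tag@sha256:...` splice that keeps the tag readable while the digest does the pinning. The sample workflow, the sample Dockerfile, the 40-hex action ref and the digest are constructed placeholders; parsing is regex-based rather than a full YAML/Dockerfile parser.

```python
"""Audit GitHub Actions workflows and Dockerfiles for mutable upstream references.

Added example (not lychee-action's own code). A `uses:` ref counts as pinned only
when the ref after '@' is a full commit SHA; a FROM image counts as pinned only
when it carries an @sha256 digest. Regex-based, not a full YAML/Dockerfile parser.
"""
import re
from dataclasses import dataclass

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


@dataclass
class Finding:
    source: str    # "workflow" or "dockerfile"
    line_no: int
    ref: str
    reason: str


def check_workflow(text: str) -> list:
    """Flag every `uses:` entry whose target a third party could silently repoint."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action, shipped with the repository being built
        if ref.startswith("docker://"):
            if not DIGEST_RE.search(ref):
                findings.append(Finding("workflow", n, ref, "docker:// image without @sha256 digest"))
            continue
        if "@" not in ref:
            findings.append(Finding("workflow", n, ref, "missing '@<ref>'"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not SHA1_RE.match(version):
            findings.append(Finding("workflow", n, ref, f"'{version}' is a tag or branch, not a commit SHA"))
    return findings


def check_dockerfile(text: str) -> list:
    """Flag FROM images pulled from a registry by tag only (no digest)."""
    findings, stages = [], set()
    for n, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        image, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage.lower())
        if image.lower() == "scratch" or image.lower() in stages:
            continue  # no registry pull involved
        if not DIGEST_RE.search(image):
            findings.append(Finding("dockerfile", n, image, "FROM image has no @sha256 digest; the tag can be repointed"))
    return findings


def pin_image(image: str, digest: str) -> str:
    """Return `name:tag@sha256:...`; the tag stays for humans, the digest is what gets pulled."""
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError("digest must be sha256:<64 hex>")
    if "@" in image:
        raise ValueError("image already carries a digest")
    return f"{image}@{digest}"


def pin_dockerfile(text: str, digests: dict) -> str:
    """Rewrite FROM lines whose image appears in `digests` (image -> 'sha256:...').
    Resolving tag -> digest needs a registry round-trip (e.g. docker buildx imagetools
    inspect IMAGE); it is left out so this example runs offline."""
    out = []
    for line in text.splitlines(keepends=True):
        m = FROM_RE.match(line)
        if m and m.group(1) in digests and "@" not in m.group(1):
            start, end = m.span(1)
            line = line[:start] + pin_image(m.group(1), digests[m.group(1)]) + line[end:]
        out.append(line)
    return "".join(out)


# Constructed sample inputs. The 40-hex ref and the digest are placeholders,
# not a real lychee-action commit or a real lychee image digest.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
PLACEHOLDER_DIGEST = "sha256:" + "ab" * 32

SAMPLE_WORKFLOW = f"""\
jobs:
  links:
    steps:
      - uses: actions/checkout@v4
      - name: Link Checker
        uses: lycheeverse/lychee-action@{PLACEHOLDER_SHA}
      - uses: docker://lycheeverse/lychee:latest
"""

SAMPLE_DOCKERFILE = """\
FROM lycheeverse/lychee:latest
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW) + check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"{f.source}:{f.line_no}: {f.ref}: {f.reason}")
    print(pin_dockerfile(SAMPLE_DOCKERFILE, {"lycheeverse/lychee:latest": PLACEHOLDER_DIGEST}), end="")
```

Run against the samples, the workflow check passes the SHA-pinned lychee-action step and flags `actions/checkout@v4` and the `docker://` step, while the Dockerfile check flags the `FROM lycheeverse/lychee:latest` line. The point of running both is the one trevyn makes: a consumer's pinned `uses:` only covers the action repository, so `check_dockerfile` has to be pointed at the action's own Dockerfile at that pinned commit to see whether the image underneath is still mutable.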

booyaa commented on June 30, 2024

Will write something up next Tuesday!

from lychee-action.

cojowy commented on June 30, 2024

Would it be possible to release a new version of this action where the latest Docker image isn't pulled? The above change to pin to a specific version in the master branch means that users have to use lycheeverse/lychee-action@master to avoid breaking changes in the lychee binary, but this means they're also vulnerable to breaking changes in this repo. It would be great to have a version of the action that's not vulnerable to these kinds of changes.

from lychee-action.

cojowy commented on June 30, 2024

That's great, thanks @mre

from lychee-action.

mre commented on June 30, 2024

Oh I didn't know that was possible.

Just tested; this works as expected:

docker pull lycheeverse/lychee:0.5.1-alpha@sha256:efe2bf21aca4acaf3449fcd432a0ed49ccf33c0ee9ae5c94849d5a3d430392ec

But I'm not sure I understand.
lychee-action is not pulling Docker images directly afaik? The Docker image gets pulled by GitHub Actions on build.
So wouldn't it be enough if people added the SHA themselves like so?

- name: Link Checker
  uses: lycheeverse/[email protected]@sha256:...

It's likely that I'm missing something.

from lychee-action.

booyaa commented on June 30, 2024

@mre I think you're right in that people using the action should do this themselves. Perhaps update the documentation? I'd be willing to have a crack at it.

Read a bit more about this security hardening strategy and it looks like people using the actions can use dependabot to automatically patch with the sha digest: https://francoisbest.com/posts/2020/the-security-of-github-actions

It's a relatively easy thing to apply:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates

version: 2
updates:
  - package-ecosystem: "github-actions" # See documentation for possible values
    directory: ".github/workflows" # Location of package manifests
    schedule:
      interval: "daily"

from lychee-action.

mre commented on June 30, 2024

Any updates on this @booyaa? 😄

from lychee-action.

orhun commented on June 30, 2024

Hello there, I came here to submit a similar issue and saw this one 😃

@mre To clarify the concern, it's in this line:

FROM lycheeverse/lychee:latest

Unfortunately I'm a victim of this. In my case, there's nothing to worry about security-wise, but my CI failed out of nowhere today. It seems like lychee-action is just pulling the latest lychee and this causes new versions to be used by default. I can't really find a workaround for this because latest has been there since lychee-action v1.0.1. (71f60db)

I think it'd be best to apply @trevyn's suggestion (and maybe set a specific lychee version in Dockerfile?).

from lychee-action.

mre commented on June 30, 2024

Yup, makes sense. Would you help me out here and send a PR? 😅

from lychee-action.

mre commented on June 30, 2024

Glad to help. 😊
I think we can close this. I've created a PR for mentioning dependabot in #48.

from lychee-action.
