Security: pin GitHub Actions to SHA hashes #281
Up to standards ✅
Pull Request Overview
Codacy analysis indicates this PR is not up to standards, primarily due to a high-severity security vulnerability. While the PR successfully pins most GitHub Actions to SHA hashes as intended, it misses one specific action in the auto-merge.yml workflow, leaving a gap in the supply chain security hardening.
More critically, the auto-merge.yml workflow uses a high-risk combination of pull_request_target and manual checkout of untrusted PR code, which exposes the repository to potential secret exfiltration or unauthorized changes. Additionally, the comment_issue.yml workflow uses a deprecated Node 12 runtime and contains script injection vulnerabilities. These security and compliance issues should be resolved before merging.
About this PR
- The implementation is incomplete. While the PR title and description aim to pin GitHub Actions to SHA hashes, `ahmadnassri/action-dependabot-auto-merge@v2` in `.github/workflows/auto-merge.yml` was overlooked. To achieve the security benefits of immutable references, all external actions must be pinned.
Test suggestions
- Verify 'actions/checkout' is pinned to a SHA hash with version comment in auto-merge.yml
- Verify 'actions/github-script' is pinned to a SHA hash with version comment across all workflows
- Verify 'atlassian/gajira-login' is pinned to a SHA hash with version comment across all workflows
- Verify 'atlassian/gajira-create' is pinned to a SHA hash with version comment in creation workflows
- Verify 'atlassian/gajira-comment' is pinned to a SHA hash with version comment in comment_issue.yml
- Verify 'ahmadnassri/action-dependabot-auto-merge' is pinned to a SHA hash in auto-merge.yml
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify 'ahmadnassri/action-dependabot-auto-merge' is pinned to a SHA hash in auto-merge.yml
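As an added example (not code from this PR, from Codacy, or from the project), the checks listed above can be automated with a small dependency-free Python linter that scans a workflow file for the three things this review raises: `uses:` references that are not a full 40-hex commit SHA followed by a `# vN` version comment, a `pull_request_target` trigger combined with checking out `github.event.pull_request.head.*`, and `${{ }}` expressions inside a github-script `script:` body. The four workflow texts are constructed to mirror the findings in this review; the 40-hex SHA in the hardened comment workflow is a placeholder, not a real commit, and the hardened auto-merge follows the `gh pr merge --auto` shape the review recommends rather than anything from the repository.

```python
"""Workflow linter for the three findings in this review (added example, not project or Codacy code)."""
import re

# `uses: owner/repo@ref   # comment` -- the comment is what Dependabot reads to keep a SHA pin updated
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s+#\s*(\S+))?", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
HEAD_REF_RE = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}")
EXPR_RE = re.compile(r"\$\{\{[^}]*\}\}")


def check_pins(text):
    """Flag `uses:` refs that are not a full commit SHA, or SHA pins with no `# vN` comment."""
    findings = []
    for ref, comment in USES_RE.findall(text):
        if ref.startswith(("./", "docker://")):  # local and container actions are out of scope
            continue
        action, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append(f"{action}: mutable ref '{version}'")
        elif not comment:
            findings.append(f"{action}: SHA pinned but no '# vN' version comment")
    return findings


def check_prt_checkout(text):
    """pull_request_target runs with the base repo's write token; checking out the PR head then
    executes attacker-controlled files (install scripts, package.json hooks) under that token."""
    if re.search(r"\bpull_request_target\b", text) and HEAD_REF_RE.search(text):
        return ["pull_request_target workflow checks out the PR head"]
    return []


def check_script_interpolation(text):
    """Flag `${{ }}` inside a `script: |` block: it is expanded as text before the JavaScript is
    parsed, so user-controlled fields such as issue titles become code. Body = more-indented lines."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)script:\s*[|>]", lines[i])
        i += 1
        if not m:
            continue
        indent = len(m.group(1))
        while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
            findings += [f"expression in script body: {e}" for e in EXPR_RE.findall(lines[i])]
            i += 1
    return findings


def lint(text):
    return check_pins(text) + check_prt_checkout(text) + check_script_interpolation(text)


# Constructed samples modelled on the review findings; the 40-hex SHA below is a placeholder, not a real commit.
VULNERABLE_AUTO_MERGE = """
on: pull_request_target
jobs:
  merge:
    if: github.actor == 'dependabot[bot]'
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
"""

# Shape the review suggests: plain pull_request trigger, no checkout, gh enables auto-merge via the API
HARDENED_AUTO_MERGE = """
on: pull_request
permissions:
  contents: write
  pull-requests: write
jobs:
  merge:
    if: github.actor == 'dependabot[bot]'
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

VULNERABLE_COMMENT = """
on: issues
jobs:
  comment:
    steps:
      - uses: actions/github-script@v2.0.0
        with:
          script: |
            const title = "${{ github.event.issue.title }}";
"""

HARDENED_COMMENT = """
on: issues
jobs:
  comment:
    steps:
      - uses: actions/github-script@0123456789abcdef0123456789abcdef01234567 # v7
        env:
          TITLE: ${{ github.event.issue.title }}
        with:
          script: |
            const title = process.env.TITLE;
"""
```

The linter is purely textual: it confirms the pin has the right shape and carries a version comment, but it cannot tell whether the comment matches the commit. That one-time check needs a network lookup against the action's repository (for example `git ls-remote https://github.com/OWNER/REPO refs/tags/vN`, taking the peeled `^{}` entry if the tag is annotated), which is worth doing before merging a pinning PR.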
| if: github.actor == 'dependabot[bot]' | ||
| steps: | ||
| - uses: actions/checkout@v2 | ||
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 |
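Review bot: the `# v2` comment on the new `actions/checkout@ee0669bd…` line is documentation only; nothing in the workflow enforces that this SHA is the commit the `v2` tag currently points at, so confirm it once (for example with `git ls-remote https://github.com/actions/checkout refs/tags/v2`, using the peeled `^{}` entry if the tag is annotated) before merging. Keep the comment in the `# vN` form, since that is what Dependabot reads when it proposes bumps for SHA-pinned actions.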
🔴 HIGH RISK
The combination of pull_request_target and checking out the PR head is a security risk. It allows potentially untrusted code to run with the permissions of the base repository (privileged GITHUB_TOKEN). Since this is for auto-merging, consider using GitHub's native auto-merge feature which can be triggered via a standard pull_request event and doesn't require checking out the PR code manually.
Try running the following prompt in your IDE agent:
Refactor the auto-merge workflow to use the native GitHub CLI `gh pr merge --auto` command within a standard `pull_request` trigger to eliminate the security risks associated with `pull_request_target` and head checkout.
| if: env.JIRA_CREATE_COMMENT_AUTO == 'true' | ||
| id: github_issue_type | ||
| uses: actions/github-script@v2.0.0 | ||
| uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0 |
🟡 MEDIUM RISK
This action is pinned to an old version (v2.0.0) that uses the deprecated Node 12 runtime. Upgrade to v7 to ensure compatibility with modern GitHub runners. Additionally, avoid using ${{ ... }} interpolation inside the script block as it creates a risk of script injection; use environment variables and process.env instead.
Try running the following prompt in your coding agent:
Refactor the actions/github-script steps in .github/workflows/comment_issue.yml to use environment variables for accessing GitHub context data instead of using inline interpolation.
.github/workflows/auto-merge.yml
Outdated
| - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha }} | ||
| - uses: ahmadnassri/action-dependabot-auto-merge@v2 |
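Review bot: `ref: ${{ github.event.pull_request.head.sha }}` is what makes this checkout dangerous under `pull_request_target`, and an auto-merge job does not need the repository contents at all, so remove the checkout step rather than only pinning it; if a checkout has to stay, drop the `ref:` so the default base-branch commit is checked out instead of the PR head. The last line of the hunk still references `ahmadnassri/action-dependabot-auto-merge@v2` by mutable tag, with no SHA and no version comment, unlike every other `uses:` in the PR.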
🟡 MEDIUM RISK
Suggestion: The action ahmadnassri/action-dependabot-auto-merge@v2 is still using a mutable tag. To satisfy the security hardening requirements and maintain consistency with the rest of this PR, please pin it to a specific SHA hash.
Try running the following prompt in your IDE agent:
Find the specific SHA hash for `ahmadnassri/action-dependabot-auto-merge@v2` and update line 14 in `.github/workflows/auto-merge.yml` to use it instead of the version tag.
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
7e8c70f to f5c14b5
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.