step-security/secure-repo

Ensure pinned dependencies

sozercan opened this issue · 2 comments

It's awesome that secure-repo pins dependencies like GHA. However, it would be ideal to keep that hygiene by ensuring that newly introduced dependencies must be pinned too (bonus points if it can suggest hashes). It would be great to add an action like https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions as part of secure-repo or harden-runner.

If this issue is more suitable for harden-repo repo, please feel free to move it there.
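A minimal version of the check requested above, added here as an example and not code from secure-repo, harden-runner, scorecard or the zgosalvez action: it scans a workflow's `uses:` lines and flags anything not pinned to a full 40-hex commit SHA (tags, branches, missing refs, and container images referenced by tag rather than digest), skipping local `./` actions. The "suggest hashes" part is only the formatting half: `suggest_pin` takes a SHA the caller has already resolved (for example with `git ls-remote`) and writes it back in the usual `owner/repo@<sha> # tag` form, since an offline check cannot look hashes up itself. The sample workflow and its SHA are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this issue thread; not code from secure-repo, harden-runner or scorecard.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# A full commit SHA is exactly 40 lowercase hex characters; tags, branches and
# abbreviated SHAs are all mutable and therefore not a pin.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches a `uses:` step, optionally quoted, with an optional trailing `# comment`.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*(?P<q>['"]?)(?P<ref>[^'"\s#]+)(?P=q)\s*(?:#.*)?$""")


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the workflow file
    ref: str     # the `uses:` value as written
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference that is not pinned to an immutable digest."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./"):
            continue  # local action in this repo: nothing external to pin
        if ref.startswith("docker://"):
            # Container images are pinned by digest, not by tag.
            if "@sha256:" not in ref:
                findings.append(Finding(lineno, ref, "container image referenced by tag, not digest"))
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref given; resolves to the action's default branch"))
            continue
        _, _, version = ref.rpartition("@")
        if not FULL_SHA_RE.fullmatch(version):
            findings.append(Finding(lineno, ref, f"ref '{version}' is a tag or branch, not a full commit SHA"))
    return findings


def suggest_pin(ref: str, sha: str) -> str:
    """Rewrite `owner/repo@tag` as `owner/repo@<sha> # tag`.

    `sha` must be resolved by the caller (e.g. `git ls-remote`); no network lookup happens here.
    The original tag is kept as a trailing comment so reviewers can still read the version.
    """
    if not FULL_SHA_RE.fullmatch(sha):
        raise ValueError(f"not a full commit SHA: {sha!r}")
    action, _, version = ref.rpartition("@")
    if not action:  # no '@' in ref: rpartition put the whole thing in `version`
        action, version = version, ""
    pinned = f"{action}@{sha}"
    return f"{pinned} # {version}" if version else pinned


# Constructed sample workflow; the SHA on the checkout line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-go@v5
      - uses: "octo-org/lint-action@main"
      - uses: octo-org/release-action
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
      - name: Build
        run: go build ./...
"""


if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
    print(suggest_pin("actions/setup-go@v5", "0123456789abcdef0123456789abcdef01234567"))
```

Run as a pre-merge check, a non-empty result from `check_workflow` is the fail condition; the line-based matcher is deliberate so the check has no YAML dependency, at the cost of not understanding `uses:` keys written in flow style on one line.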

Thanks @sozercan for creating the issue! secure-repo currently adds https://github.com/ossf/scorecard-action, which does find the pinned-dependency issue and also the token-permissions issue. I am not sure if it runs on a PR though; @ashishkurmi, this is something to look into.

There is also an open issue to run secure-repo as an Action/CLI to auto-fix these issues when a new PR is created.
#583
#1230

@sozercan, please do suggest if you have ideas on adding additional tools via pull request using secure-repo. Here are some we are planning to do in the near future:
#2069
#2074
#2076