Ensure pinned dependencies
sozercan opened this issue · 2 comments
It's awesome that secure repo pins dependencies like GHA. However, it is ideal to keep that hygiene to ensure new dependencies that are introduced must be pinned (bonus points if it can suggest hashes). It would be great to add an action like https://github.com/zgosalvez/github-actions-ensure-sha-pinned-actions as part of secure repo or harden runner.
If this issue is more suitable for harden-repo repo, please feel free to move it there.
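As an added illustration of the check being requested (example code, not from secure-repo, harden-runner or the ensure-sha-pinned-actions action): a small scan over a constructed workflow file that flags every `uses:` reference not pinned to a full 40-hex commit SHA, skipping local and `docker://` actions and treating tags, branches and abbreviated SHAs as unpinned.

```python
import re

# Constructed sample workflow; the action names and SHA below are illustrative, not real pins.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: actions/setup-go@v4
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - uses: ossf/scorecard-action@main
      - uses: actions/cache@abc1234 # abbreviated SHA, still mutable via force-push
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'pinned', 'unpinned' or 'skipped' for one uses: reference."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"  # local actions and docker images are out of scope for SHA pinning
    if "@" not in ref:
        return "unpinned"  # no version at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    # Only a full 40-character commit SHA is immutable; tags, branches and short SHAs are not.
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text: str):
    """Return [(line_no, ref), ...] for uses: references not pinned to a full commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "unpinned":
            findings.append((n, m.group(1)))
    return findings


if __name__ == "__main__":
    for n, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a full commit SHA")
```

Run against the real workflow files under `.github/workflows/` on a PR to fail the check when a new unpinned action is introduced.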
Thanks @sozercan for creating the issue! secure-repo currently adds the https://github.com/ossf/scorecard-action which does find the pinned dependency issue and also token permissions issue. I am not sure if it runs on a PR though - @ashishkurmi this is something to look into.
There is also an open issue to run secure-repo as an Action/CLI to auto-fix these issues when a new PR is created.
#583
#1230