Description
I would like to suggest another security practice recommended by the OpenSSF Scorecard, which is to hash-pin dependencies to prevent tag renaming attacks; it also protects against typosquatting attacks.
The change would only be applied to GitHub workflow, Dockerfile and shell script dependencies. Considering the go-humanize project, it would only be applied to the go.yml workflow file.
This means:
- Hash pinning GitHub Workflow actions.
Along with hash-pinning dependencies, I also recommend adopting dependabot or renovatebot to help keep the dependencies up to date. Both tools can update hashes and associated semantic version comments.
Together with this issue I'll also suggest a PR with the changes, since they are quite simple. If you also want to try either dependabot or renovatebot, just let me know and I can submit a default configuration file that targets only GitHub workflows.
Any questions or concerns, just let me know.
Thanks!
Additional Context
A tag renaming attack is a type of attack whereby an attacker:
- Hijacks an action.
- Uploads a malicious version.
- Replaces existing tags with malicious versions.
A typosquatting attack is a type of attack whereby an attacker:
- Creates a malicious package.
- Publishes it with a name similar to that of a known package (example: numpi instead of numpy).
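As an added example (not from this issue or the go-humanize project), a small POSIX shell check that flags `uses:` lines in a workflow file that are not pinned to a full 40-character commit SHA, which is the property hash pinning gives you against tag renaming. The sample workflow it writes is constructed for the demo and the all-zero SHA is a placeholder, not a real commit.

```shell
#!/bin/sh
# find_unpinned FILE
# Prints "FILE:LINE: REF" for every `uses:` reference in a GitHub workflow
# whose part after the last '@' is not a full 40-hex commit SHA.
# Local actions (./path) and docker:// references are skipped.
find_unpinned() {
  awk -v file="$1" -v sq="'" '
    /^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/ {
      ref = $0
      sub(/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*/, "", ref)
      gsub(/"/, "", ref); gsub(sq, "", ref)   # strip surrounding quotes
      sub(/[[:space:]]*#.*$/, "", ref)        # drop trailing "# vX.Y.Z" comment
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next
      n = split(ref, parts, "@")
      version = (n > 1) ? parts[n] : ""
      # A pinned ref is exactly 40 lowercase hex characters.
      if (!(length(version) == 40 && version ~ /^[0-9a-f]+$/))
        printf "%s:%d: %s\n", file, NR, ref
    }' "$1"
}

# write_sample_workflow FILE
# Writes a constructed workflow (not go-humanize's real go.yml) to FILE.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: Go
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Unpinned: a mutable tag that a tag renaming attack can repoint
      - uses: actions/checkout@v4
      # Pinned: full commit SHA; the comment keeps the version readable for humans and bots
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v5.0.0 (placeholder SHA)
      - name: Local action, skipped by the check
        uses: ./.github/actions/lint
      - run: go test ./...
EOF
}

# Stand-alone demo: report unpinned actions in the constructed workflow.
main() {
  f=$(mktemp)
  write_sample_workflow "$f"
  find_unpinned "$f"   # prints "<tmpfile>:8: actions/checkout@v4"
  rm -f "$f"
}
```

In a repository you would run `find_unpinned .github/workflows/go.yml` (or loop over `.github/workflows/*.yml`) and treat any output as a line still to pin.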
For more information about the dependency-update tools: