feat(GHA): Add SHA pinning #11364
Conversation
DryRun Security Summary: The code changes focus on improving the security, reliability, and consistency of DefectDojo's GitHub Actions workflows by updating action versions, implementing secure configurations, and enhancing testing and release management processes.
Summary: The provided code changes cover a variety of GitHub Actions workflows for the DefectDojo application. The changes focus on improving the reliability, consistency, and security of the application's build, test, and release processes. Key security-related observations include:
Overall, the provided code changes appear to be focused on improving the security and reliability of the DefectDojo application's development and deployment processes. The use of specific dependency versions, secure configurations, and comprehensive testing and linting are all positive security practices that should help maintain the application's security posture.
Files Changed: The code changes span several GitHub Actions workflow files, including:
Code Analysis: We ran
This makes total sense to me 👍
Approved
This pull request has conflicts, please resolve those before we can evaluate the pull request.
Conflicts have been resolved. A maintainer will review the pull request shortly.
From Renovate's documentation, it's not clear to me if it will automatically bump e.g. v4.4.3 to v4.4.4, or if it stays pinned to that specific tag forever, only updating if the SHA corresponding to that tag changes. If it's the latter, it might make sense to pin to e.g. `# v4` instead of `# v4.4.3`.
Since this is definitely an improvement either way, I'm okay to approve and we can keep an eye on it to see how it behaves.
Official documentation recommends SHA pinning: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Also, renovate supports this syntax.
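The review discussion above is about the `uses: owner/repo@<full-sha> # vX.Y.Z` form that the GitHub hardening guide recommends and that Renovate understands. The following checker is an added example written for this page, not code from the DefectDojo repository or the PR: it scans a workflow file line by line and reports every remote action that is not pinned to a full 40-hex commit SHA, and every SHA-pinned action whose trailing version comment is missing (the comment is what lets a human, and a tool such as Renovate, see which release a bare SHA corresponds to). The embedded workflow text and its SHAs are constructed sample data, not real commits.

```python
"""Audit GitHub Actions workflow text for actions that are not SHA-pinned.

Added example for this discussion; not DefectDojo's or Renovate's code.
"""
import re
import sys
from typing import List, NamedTuple

# A full-length commit SHA as GitHub prints it: 40 lowercase hex digits.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# `- uses: owner/repo@ref   # comment` with optional list dash and optional
# trailing comment. Quotes around the target are tolerated and stripped later.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)(?:\s+#\s*(?P<comment>\S.*?))?\s*$"
)

# Version comment as used with SHA pinning, e.g. "v4", "v4.4.3", "5.0.0".
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")

# Constructed sample workflow: the SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local
      - name: Build
        run: make
"""


class Finding(NamedTuple):
    line: int      # 1-based line number in the workflow text
    action: str    # e.g. "actions/checkout"
    ref: str       # the part after "@"
    problem: str   # human-readable description


def is_sha_pinned(ref: str) -> bool:
    """True only for a full 40-hex commit SHA.

    Tags (v4, v4.4.3), branches (main) and abbreviated SHAs can all move or
    be ambiguous from the consumer's point of view, so none of them count.
    """
    return bool(FULL_SHA_RE.match(ref))


def audit(workflow_text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that does not meet the pinning policy."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("'\"")
        comment = m.group("comment") or ""
        # Local actions cannot be SHA-pinned and docker:// images would be
        # pinned by image digest instead; both are out of scope for this check.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append(Finding(lineno, target, "", "no @ref given"))
            continue
        action, ref = target.rsplit("@", 1)
        if not is_sha_pinned(ref):
            findings.append(Finding(
                lineno, action, ref,
                f"mutable ref {ref!r}; pin to a full 40-hex commit SHA"))
        elif not VERSION_COMMENT_RE.match(comment):
            findings.append(Finding(
                lineno, action, ref,
                "SHA pin has no trailing '# vX.Y.Z' version comment"))
    return findings


def main(argv: List[str]) -> int:
    """Audit the files given on the command line, or the built-in sample."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in argv] or \
              [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for f in audit(text):
            total += 1
            print(f"{name}:{f.line}: {f.action}@{f.ref}: {f.problem}")
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments to see the two findings in the constructed sample (an unpinned `actions/checkout@v4` and a SHA-pinned `actions/cache` without a version comment), or pass one or more `.github/workflows/*.yml` paths; a non-zero exit status makes it usable as a CI gate.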