
Metadata

ID: github-actions/unpinned-actions

Language: YAML

Severity: Warning

Category: Security

Description

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows implicit updates, which can introduce unexpected or malicious changes into every workflow run. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag in the action's repository, and keep pins current with an auto-updater such as Dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

By default, the rule allows the following actions without pinning: actions/checkout, datadog/datadog-sca-github-action, and datadog/datadog-static-analyzer-github-action.

Arguments

Use the rule argument allow to specify a list of actions that may be used without pinning. The list is comma-separated.

rulesets:
  - github-actions:
    rules:
      unpinned-actions:
        arguments:
          allow: actions/checkout,datadog/datadog-static-analyzer-github-action

Arguments

  • allow: A comma-separated list of actions that can be used without pinning
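As an added illustration, and not Datadog's analyzer or code from this page, the following Python checker applies the same policy to a workflow file: every uses: reference must either be on the allow list or be pinned to a full-length commit SHA. It assumes the rule's default allow list from above and a constructed sample workflow (only the setup-go SHA is taken from the page's compliant example).

```python
import re

# Default allow list as documented for the rule
DEFAULT_ALLOW = (
    "actions/checkout",
    "datadog/datadog-sca-github-action",
    "datadog/datadog-static-analyzer-github-action",
)
# `uses:` key of a step or reusable-workflow job; optional quotes; stops at whitespace or `#`
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit SHA

def parse_allow(argument: str) -> tuple:
    """Parse the rule's comma-separated `allow` argument into action names."""
    return tuple(item.strip() for item in argument.split(",") if item.strip())

def check_workflow(text: str, allow=DEFAULT_ALLOW) -> list:
    """Return (line, reference, reason) for each `uses:` reference that is
    neither on the allow list nor pinned to a full-length commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        name, _, version = ref.partition("@")
        if name in allow or FULL_SHA_RE.match(version):
            continue
        if not version:
            reason = "no version: resolves to the default branch at run time"
        else:
            reason = f"mutable ref {version!r} instead of a commit SHA"
        findings.append((lineno, ref, reason))
    return findings

# Constructed sample workflow (hypothetical actions; not taken from the page)
SAMPLE_WORKFLOW = """\
jobs:
  lint:
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
      - uses: golangci/golangci-lint-action@v4
      - name: Custom action
        uses: example-org/myaction
  test:
    uses: example-org/shared/.github/workflows/test.yml@main
"""
```

Running check_workflow(SAMPLE_WORKFLOW) reports lines 6, 8 and 10; passing an empty allow list also reports actions/checkout@v2 on line 4.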

Non-Compliant Code Examples

# Reusable workflow reference with no commit SHA
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit

# No version at all: resolves to the default branch at run time
  lint:
    - name: Checkout repository
      uses: actions/checkout

# Tag instead of a commit SHA
  lint:
    - name: Checkout repository
      uses: actions/checkout@v2

# Tag instead of a commit SHA
  lint:
    - name: Checkout repository
      uses: actions/myaction@v2

Compliant Code Examples

# These three actions are on the default allow list, so a tag is accepted
jobs:
  checkout:
    - name: Checkout repository
      uses: actions/checkout@v2
  sca:
    - name: Checkout repository
      uses: datadog/datadog-sca-github-action@v2
  sa:
    - name: Static Analyzer
      uses: datadog/datadog-static-analyzer-github-action@v2

# Every action is pinned to a full-length commit SHA
name: kubehound-linter

on:
  push:
    branches:
      - main
  pull_request:

permissions:
  contents: read

jobs:
  linter:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            goreleaser.com:443
            golang.org:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            uploads.github.com:443
            sum.golang.org:443

      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
        with:
          go-version: "1.22"

      - name: Checkout Git Repo
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

      - name: golangci-lint
        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
        with:
          version: v1.56.2
          args: ./...