-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
✨ Add dangerous workflow check with untrusted code checkout pattern #1168
Conversation
Signed-off-by: Asra Ali <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks @asraa !
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
another great PR, thanks @asraa !
docs/checks.md
Outdated
@@ -522,3 +522,18 @@ possible. | |||
**Remediation steps** | |||
- Fix the vulnerabilities. The details of each vulnerability can be found on <https://osv.dev>. | |||
|
|||
## Dangerous |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@olivekl comments?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple suggestions:
"This check determines whether the project has dangerous code patterns. ADD: Some examples of these patterns are [X] and [Y]."
"The first check is misuse of..." Why the reference to first? Is there a second part to the check that I'm not seeing?
Related: is this check looking for other dangerous patterns aside from the pull_request_target
trigger used with an explicit pull request checkout? If not, would this test be better named as something specific to this particular pattern, if it's the only one being detected?
Nit: are we using "PR" or trying to stick to the more platform agnostic "merge request"? Or is this test only applicable to GitHub (in which case, let's add that)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yay thanks!!
"This check determines whether the project has dangerous code patterns. ADD: Some examples of these patterns are [X] and [Y]."
added
Is there a second part to the check that I'm not seeing?
Yep, I've only added one so far but the plan is to add a series of checks (#426 (comment)). I tried to rephrase this with The first code pattern checked
. So I think it makes sense to keep this more general.
Or is this test only applicable to GitHub (in which case, let's add that)?
The check will have a lot of GitHub Actions dependent style and relies on it's particular default behavior, so I added this clarification Determines if the project's GitHub Action workflows avoid dangerous patterns.
Signed-off-by: Asra Ali <[email protected]>
Given recent discussion about Scorecard data change affecting clients, let's disable this check from running by default in CLI and cron job for now. If clients specifically want to invoke this check, that's ok. |
@asraa use an env variable to guard the access to this check. You can update the code in |
Just |
I want to be able to use and test the local repo interface with all checks (without providing a long list of Same for cron job here. |
If its only needed for testing, you can simply remove the line locally? ;) |
Signed-off-by: Asra Ali <[email protected]>
I went with the ENV var solution, but only because I imagine future checks might just want to add to the list? And it would centralize where the code could be removed before the next cut but let me know if I should change that |
Signed-off-by: Asra Ali <[email protected]>
@asraa heads up. #1195 got merged. You're going to have to update the checks.yaml file and add a The doc generation will also validate that your check does not use APIs that are inconsistent with the |
Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
Signed-off-by: Asra Ali <[email protected]>
thanks for the review @chrismcgehee! |
ping? anything else to do here? |
license check is failing. apart from that, I think we're good to merge. If anyone disagrees, please reply. |
oops, something funky with the merge -- one second will update |
I'd just had a couple comments above on the documentation description. We could also address them after the merge, though. |
I think there's time to add your suggestions in this PR, since the pre-submit tests are still failing. |
Signed-off-by: Asra Ali <[email protected]>
Yeah! Happy to address more comments -- merge issue fixed |
did you update the cron job Line 196 in 83649a7
|
Signed-off-by: Asra Ali <[email protected]>
Oops -- good catch, I had assumed that it would call the root command, but it doesn't. Updated |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few comments!
docs/checks.md
Outdated
@@ -522,3 +522,18 @@ possible. | |||
**Remediation steps** | |||
- Fix the vulnerabilities. The details of each vulnerability can be found on <https://osv.dev>. | |||
|
|||
## Dangerous |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple suggestions:
"This check determines whether the project has dangerous code patterns. ADD: Some examples of these patterns are [X] and [Y]."
"The first check is misuse of..." Why the reference to first? Is there a second part to the check that I'm not seeing?
Related: is this check looking for other dangerous patterns aside from the pull_request_target
trigger used with an explicit pull request checkout? If not, would this test be better named as something specific to this particular pattern, if it's the only one being detected?
Nit: are we using "PR" or trying to stick to the more platform agnostic "merge request"? Or is this test only applicable to GitHub (in which case, let's add that)?
Signed-off-by: Asra Ali <[email protected]>
secrets. With the PR checkout, PR authors may compromise the repository, for | ||
example, by using build scripts controlled by the author of the PR or reading | ||
token in memory. This check does not detect whether untrusted code checkouts are | ||
used safely, for example, only on pull request that have been assigned a label. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this check is only supported on GitHub. @olivekl do we need to use merge request
instead of pull request
in this sentence?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since it's only on GitHub I think pull request
is fine.
I fixed the pre-submit error
in #1233 |
ping? anything else to do here? |
nop, go ahead update with workflow parser. Unless it's a trivial change, do it in a follow-up PR. Let me know which option you prefer. |
+1 |
It is recommended that the Readme of the project be updated synchronously. Currently, there are 17 check items, whereas the Readme has only 16 check items. |
Thanks, we would appreciate if you can do PR to fix the issue. |
Signed-off-by: Asra Ali [email protected]
Adds a new check
Dangerous-Workflow
that checks if a github workflow uses dangerous coding patterns.The first pattern implemented is a check for an untrusted code checkout.
This is described in #426
What is the current behavior? (You can also link to an open issue here)
What is the new behavior (if this is a feature change)?
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
No
Other information: