Skip to content

feat(gha): ensure action sources use commit hash #7058

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(gha): ensure action sources use commit hash #7058

wants to merge 1 commit into from

Conversation

bt-macole
Copy link

@bt-macole bt-macole commented Mar 17, 2025
edited by baz-reviewer bot
Loading

User description

Description

Github Actions should pin the actions in workflows to SHA to prevent supply chain attacks such as this:
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066

Fixes #7057

New/Edited policies

CKV_GHA_8

Description

Ensure GitHub Action sources use a commit hash instead of a branch or tag to help prevent supply chain attacks.

Fix

replace tag with the commit SHA with an optional comment referencing the version

example:

jobs:
  checkov-job:
    runs-on: ubuntu-latest
    name: checkov-action
    steps:
      - name: Checkout with hash and comment on the same line
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

Generated description

Below is a concise technical summary of the changes proposed in this PR:

graph LR
    RevisionHash(RevisionHash):::added -- "Added regex validation for 40-character SHA-1 commit hashes" --> GITHUB_API(GITHUB_API):::added
    RevisionHash_init(RevisionHash.__init__):::added -- "Initializes security check for GitHub Action commit validation" --> RevisionHash(RevisionHash):::added
    RevisionHash_scan_conf(RevisionHash.scan_conf):::added -- "Validates 'uses' field contains SHA-1 commit hash" --> RevisionHash(RevisionHash):::added

    classDef added stroke:#15AA7A
    classDef removed stroke:#CD5270
    classDef modified stroke:#EDAC4C

    linkStyle default stroke:#CBD5E1,font-size:13px
Loading

Implements a new security check (CKV_GHA_8) in the checkov framework to ensure GitHub Actions use commit hashes instead of branches or tags. Adds the RevisionHash class to scan workflow configurations and includes corresponding test cases to validate the new check's functionality.

TopicDetails
Test Coverage Adds test cases and workflows to validate the new RevisionHash security check
Modified files (2)
  • tests/github_actions/test_runner.py
  • tests/github_actions/gha/.github/workflows/revision_hash.yaml
Latest Contributors(2)
UserCommitDate
achiar99fix-general-fix-integr...May 02, 2024
gruebelchore-add-SAST-integra...November 02, 2023
Security Check Impl Implements the RevisionHash check to detect and enforce the use of commit hashes in GitHub Actions
Modified files (1)
  • checkov/github_actions/checks/job/RevisionHash.py
Latest Contributors(0)
UserCommitDate
 This pull request is reviewed by Baz. Join @bt-macole and the rest of your team on (Baz).

@bt-macole bt-macole force-pushed the featgha_rev_check branch from e404baa to 6ba32db Compare April 1, 2025 14:39
@bt-macole bt-macole force-pushed the featgha_rev_check branch from 6ba32db to 6241012 Compare April 4, 2025 13:59
andycoellis
andycoellis reviewed Apr 7, 2025
View reviewed changes
checkov/github_actions/checks/job/RevisionHash.py
name=name,
id=id,
block_type=BlockType.ARRAY,
supported_entities=('jobs', 'jobs.*.steps[]')
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You may also want to add 'runs.steps[]' to your supported_entities to capture the uses that can appear under runs. https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions#runsstepsuses

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thats a good find. however, runs.steps[] is not a currently supported resource type for github actions. seems like it should definitely be added though.

@andycoellis
Copy link

Great work getting this up! Much needed 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andycoellis andycoellis andycoellis left review comments

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Github Actions should check for RevisionHash
2 participants
@bt-macole @andycoellis