
feat(gha): Pin and update actions/checkout #11675

Merged
merged 1 commit into from
Feb 6, 2025

Conversation

kiblik
Contributor

@kiblik kiblik commented Jan 27, 2025

As with all other GHAs: full version pin + update
Replacement for #11671


dryrunsecurity bot commented Jan 27, 2025

DryRun Security Summary

The text describes a GitHub Actions workflow for updating DefectDojo's sample data, highlighting security concerns around hardcoded credentials, dependency versioning, binary execution safety, and automated deployment processes.


Summary:

The provided code change is part of a GitHub Actions workflow that updates the sample data for the DefectDojo application. The workflow is triggered either manually or on a schedule to update the dojo/fixtures/defect_dojo_sample_data.json file. While the changes appear to be routine, there are a few security considerations that should be addressed:

  1. Hardcoded Credentials: The workflow uses hardcoded environment variables for the Git username and email, which is generally not recommended. Consider using a more secure method, such as GitHub Secrets, to store and retrieve these values.

  2. Dependency Versioning: The workflow is using a specific commit hash for the actions/checkout action, which is a good practice. However, it's important to regularly review and update the dependencies to the latest stable versions to address any security vulnerabilities that may be discovered.

  3. Untrusted Binary Execution: The workflow runs a binary called fixture-updater to update the sample data. It's important to ensure that this binary is trusted and that it doesn't contain any malicious code that could compromise the application or the repository. Consider adding additional security checks, such as code signing or scanning the binary for known vulnerabilities, to mitigate this risk.

  4. Automated Deployment: The workflow creates a pull request to update the sample data, which is a good practice. However, it's important to consider the implications of automating the deployment of changes, as this could potentially introduce security risks if the changes are not properly reviewed or tested.

Files Changed:

  • .github/workflows/update-sample-data.yml: This file contains the GitHub Actions workflow that updates the sample data for the DefectDojo application. The workflow checks out the code, runs the fixture-updater binary to update the sample data, and then creates a pull request with the changes.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.



DryRun Security Summary

The GitHub Actions workflow file automates the process of updating DefectDojo's sample data by running a fixture-updater binary, creating a new branch with the changes, and submitting a pull request, while maintaining security considerations around binary integrity, data validation, and token management.


Summary:

The provided code is a GitHub Actions workflow file responsible for updating the sample data for the DefectDojo application. The workflow is triggered manually or on a schedule and performs the following key steps:

  1. Checkout the code using the actions/checkout action, with the version updated to v4.2.2.
  2. Run a binary named fixture-updater to update the defect_dojo_sample_data.json file located in the dojo/fixtures/ directory.
  3. Configure Git user information and create a new branch with a timestamp-based name.
  4. Commit the updated defect_dojo_sample_data.json file and push the new branch to the remote repository.
  5. Create a new pull request with the updated sample data.

From an application security perspective, the main areas to focus on are ensuring the integrity of the fixture-updater binary, validating the input data in the defect_dojo_sample_data.json file, monitoring the versions of the GitHub Actions used in the workflow, and securely managing the GITHUB_TOKEN secret.

Files Changed:

  • .github/workflows/update-sample-data.yml: This file contains the GitHub Actions workflow responsible for updating the sample data for the DefectDojo application. The changes include updating the version of the actions/checkout action, running the fixture-updater binary to update the defect_dojo_sample_data.json file, configuring Git user information, creating a new branch, committing and pushing the changes, and creating a new pull request.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

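As an added example, not code from this PR or from the DefectDojo project, the following Python linter applies the pin policy the PR title and the bot summaries discuss: every `uses:` reference in a workflow should resolve to a full 40-hex commit SHA, and a SHA pin should carry a `# vX.Y.Z` comment so the pin can be reviewed and updated. The workflow text, the action names and the SHAs are constructed for this example.

```python
import re

# Constructed sample workflow (not the PR's real update-sample-data.yml).
# It mixes a well-formed SHA pin with the patterns the linter should flag.
SAMPLE_WORKFLOW = """\
name: Update sample data
on:
  workflow_dispatch:
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: example-org/fixture-updater@main
      - uses: example-org/other-action@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-action
"""

# "uses: <ref>" optionally followed by a "# comment" on the same line.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")  # e.g. "v4.2.2"

def classify_uses(ref, comment=None):
    """Classify one uses: reference. Local paths and docker:// images are out of
    scope; a 40-hex ref is 'sha' (or 'sha-no-version-comment' when the version
    comment is missing); a ref starting with v<digit> or a digit is treated as a
    mutable 'tag'; anything else is assumed to be a 'branch' (heuristic)."""
    if ref.startswith(("./", "docker://")):
        return "local-or-docker"
    if "@" not in ref:
        return "unpinned"
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version):
        return "sha" if comment and VERSION_COMMENT_RE.match(comment) else "sha-no-version-comment"
    if re.match(r"^v?\d", version):
        return "tag"
    return "branch"

def find_unpinned_actions(workflow_text):
    """Return (line_no, ref, kind) for every uses: line that is not a full SHA pin
    with a version comment. Line numbers are 1-based within workflow_text."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify_uses(m.group("ref"), m.group("comment"))
        if kind not in ("local-or-docker", "sha"):
            findings.append((lineno, m.group("ref"), kind))
    return findings
```

Running `find_unpinned_actions(SAMPLE_WORKFLOW)` flags the tag-pinned, branch-pinned and comment-less SHA steps while accepting the checkout step pinned as in this PR.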

Contributor

@mtesauro mtesauro left a comment


Approved

Contributor

This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor

Conflicts have been resolved. A maintainer will review the pull request shortly.

@kiblik kiblik force-pushed the gha_actions_checkout branch from adc9a16 to 315538a Compare January 28, 2025 12:11
@kiblik kiblik requested a review from Maffooch January 28, 2025 15:38
@mtesauro mtesauro merged commit 818df37 into DefectDojo:dev Feb 6, 2025
73 checks passed
@kiblik kiblik deleted the gha_actions_checkout branch February 6, 2025 07:13