
fix(scorecard): dangerous-workflow, signed-releases, pinned-deps#356

Merged
imran-siddique merged 22 commits into microsoft:main from imran-siddique:fix/scorecard-full-sweep
Mar 23, 2026

Conversation

@imran-siddique
Member

Full Scorecard sweep targeting 3 checks: Dangerous-Workflow 0->10 (removed explicit ref in pull_request_target), Signed-Releases 0->10 (added sigstore), Pinned-Dependencies 5->7+ (pinned CI pip versions). 11 files changed. Branch-Protection needs admin settings change separately.

imran-siddique and others added 22 commits March 20, 2026 10:56
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ft#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes microsoft#316
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
…s (dependency confusion) (microsoft#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package
…stall agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR microsoft#325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…it CI

- scripts/check_dependency_confusion.py: Pre-commit hook that scans for
  pip install commands referencing unregistered PyPI packages. Maintains
  an allowlist of known registered packages.
- .github/workflows/weekly-security-audit.yml: Weekly CI job running
  dependency confusion scan, security skills scan, and weak crypto check.
  Uploads reports as artifacts with 90-day retention.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…icrosoft#349)

* docs: add testing guide for external testers and customers

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add regulatory alignment table and Purview positioning to README

Add EU AI Act, Colorado AI Act, and GPAI obligations timeline with
AGT coverage mapping. Reference Microsoft Purview DSPM for AI as
complementary data governance layer.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix(ci): restore read-all at workflow level for Scorecard verification

The Scorecard API rejects workflows with write permissions at the
workflow level. id-token: write and security-events: write must be
scoped to the job level only. Restores permissions: read-all at
workflow level while keeping job-level write permissions intact.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: add comprehensive docstrings to mcp_adapter.py classes (microsoft#324)

Add Google-style docstrings with Args, Returns, Raises, Attributes,
and Example sections to MCPMessageType, MCPAdapter, and MCPServer
classes. Also enhances docstrings for key methods including
handle_message, _handle_tools_call, _handle_resources_read, and
_map_tool_to_action.

Fixes microsoft#316

* ci: add markdown link checker workflow (microsoft#323)

Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>

* feat: add policy evaluation heatmap to SRE dashboard (microsoft#309) (microsoft#326)

* fix: remove unregistered PyPI packages from notebooks and requirements (dependency confusion) (microsoft#325)

- Replace !pip install agent-os with !pip install -e ../.. in all 6 notebooks;
  agent-os is not on PyPI and installing it from PyPI is a dependency confusion vector
- Replace zendesk-sdk/freshdesk-sdk with zenpy/freshdesk (the real published SDKs)
  in customer-service/requirements.txt
- Remove hashlib-compat from healthcare-hipaa/requirements.txt; hashlib is stdlib
  and hashlib-compat is not a real PyPI package

* fix(security): complete dependency confusion fix — replace all pip install agent-os with agent-os-kernel

Replace all remaining instances of `pip install agent-os` (unregistered
on PyPI) with `pip install agent-os-kernel` (the actual package) across
docs, examples, TypeScript extensions, CLI source, tests, and SVG assets.

Also fixes `pip install emk` references to point to `agent-os-kernel[full]`
since emk is a submodule, not a standalone PyPI package.

Completes the fix started in PR microsoft#325 which only covered notebooks.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* docs: update framework star counts to current values

Dify 65K→133K, AutoGen 42K→55K, CrewAI 28K→46K, Semantic Kernel
24K→27K, LangGraph 24K→27K, Haystack 22K→24K, Agent Framework
7.6K→8K. Added star counts for OpenAI Agents SDK (20K) and
Google ADK (18K). Sorted by stars descending.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Parsa Faraji Alamouti <165321600+parsa-faraji@users.noreply.github.com>
Co-authored-by: Matt Van Horn <mvanhorn@users.noreply.github.com>
Co-authored-by: Matt Van Horn <455140+mvanhorn@users.noreply.github.com>
Co-authored-by: Zeel Desai <72783325+zeel2104@users.noreply.github.com>
Co-authored-by: Xavier Garceau-Aranda <xavier.garceau-aranda@posteo.net>
- agentmesh → agentmesh-platform (5 files)
- agentmesh-governance → agent-governance-toolkit
- agent-os-observability → agent-os-kernel[observability]
- hashlib.md5 → hashlib.sha256 (3 files)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…ore, pin CI deps

Dangerous-Workflow: Remove ref: base.sha from pull_request_target
workflows — default checkout IS the base branch, explicit ref triggers
Scorecard false positive. Security preserved via persist-credentials:
false + MSRC comments.

Signed-Releases: Add sigstore/gh-action-sigstore-python to publish
workflow for Python package signing alongside existing attest-build-provenance.

Pinned-Dependencies: Pin pip install versions in CI workflows:
- ci.yml: pytest==8.4.1, pytest-asyncio==0.26.0
- benchmarks.yml: add --no-cache-dir
- security-scan.yml: pyyaml==6.0.2
- weekly-security-audit.yml: pyyaml==6.0.2

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
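The three workflow patterns this PR touches (checkout of a PR-controlled ref under pull_request_target, write scopes at workflow versus job level, and pip installs without exact pins), as an added line-based checker that is not part of the repository or of OpenSSF Scorecard. The regexes are an approximation of Scorecard's checks, the sample workflow text is constructed, and the all-zero setup-python SHA is a placeholder; the --require-hashes handling reflects the hash-checking point raised in the review below.

```python
import re
# Added example, not code from the repository or from OpenSSF Scorecard;
# these regexes only approximate Scorecard's own checks.
PR_CONTROLLED_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
SHA_PINNED_ACTION = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")

def unpinned_pip_packages(cmd: str) -> list[str]:
    """Package args of 'pip install ...' lacking ==version; --require-hashes pins via file."""
    tokens = cmd.split()
    if "install" not in tokens or "--require-hashes" in tokens:
        return []
    unpinned, skip_next = [], False
    for tok in tokens[tokens.index("install") + 1:]:
        if skip_next:  # operand of -e/-r is a local path or a requirements file
            skip_next = False
        elif tok in ("-e", "--editable", "-r", "--requirement"):
            skip_next = True
        elif not tok.startswith(("-", ".", "/", '"', "'")) and "==" not in tok:
            unpinned.append(tok)  # a real package spec with no exact version
    return unpinned

def scan_workflow(text: str) -> list[tuple[str, int]]:
    """Line-based scan of one workflow (no PyYAML needed). Returns (finding, line) pairs:
    dangerous-workflow, token-permissions, unpinned-action, unpinned-pip."""
    lines = text.splitlines()
    prt = any(re.search(r"\bpull_request_target\b", ln) for ln in lines)
    findings: list[tuple[str, int]] = []
    in_top_permissions = False  # inside the indent-0 'permissions:' block
    checkout_indent = None      # indent of the actions/checkout step being read
    for n, raw in enumerate(lines, 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        # Only workflow-level write scopes count; job-level writes are what the PR keeps.
        if indent == 0:
            in_top_permissions = s.startswith("permissions:")
        if in_top_permissions and "write" in s:
            findings.append(("token-permissions", n))
        # A new step ('- ') or an outdent ends the checkout step being tracked.
        if checkout_indent is not None and (s.startswith("- ") or indent < checkout_indent):
            checkout_indent = None
        m = re.search(r"\buses:\s*(\S+)", s)
        if m:
            action = m.group(1).strip("'\"")
            if action.startswith("actions/checkout@"):
                checkout_indent = indent
            if not action.startswith(("./", "docker://")) and not SHA_PINNED_ACTION.match(action):
                findings.append(("unpinned-action", n))
        elif checkout_indent is not None and prt:
            ref = re.match(r"ref:\s*(.+)", s)
            if ref and PR_CONTROLLED_REF.search(ref.group(1)):
                findings.append(("dangerous-workflow", n))
        if "pip install" in s:
            for _ in unpinned_pip_packages(s[s.index("pip install"):]):
                findings.append(("unpinned-pip", n))
    return findings

# Constructed sample in the pre-fix shape the reviews describe (checkout SHA from the review).
BEFORE = """\
name: pr-check
on:
  pull_request_target:
permissions: read-all
jobs:
  check:
    permissions:
      id-token: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false
      - uses: actions/setup-python@v5
      - run: pip install pytest pyyaml==6.0.2
"""
# Hardened shape this PR moves to: no explicit ref, SHA-pinned action ("0" * 40 is a placeholder), pinned pip.
AFTER = (BEFORE.replace("          ref: ${{ github.event.pull_request.head.sha }}\n", "")
         .replace("setup-python@v5", "setup-python@" + "0" * 40)
         .replace("pip install pytest ", "pip install pytest==8.4.1 "))
```

Running scan_workflow over BEFORE reports the ref line, the tag-pinned action and the unversioned pytest; over AFTER it reports nothing.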
@imran-siddique imran-siddique merged commit af47f64 into microsoft:main Mar 23, 2026
53 checks passed
@github-actions github-actions bot added ci/cd CI/CD and workflows size/S Small PR (< 50 lines) labels Mar 23, 2026

@github-actions github-actions bot left a comment


🤖 AI Agent: code-reviewer

Review Summary

This PR addresses three key areas for improving the repository's security posture and compliance with the OpenSSF Scorecard checks: Dangerous Workflow, Signed Releases, and Pinned Dependencies. The changes are well-documented and aim to mitigate potential security risks, such as untrusted code execution in GitHub Actions and dependency drift. However, there are some areas that require further attention to ensure robustness and avoid potential issues.


Key Issues and Recommendations

🔴 CRITICAL: Missing Verification of Sigstore Signatures

The addition of Sigstore for signing release artifacts is a positive step toward supply chain security. However, there is no evidence in the PR that the signatures are being verified during the release process or by downstream consumers. Without verification, the signing process does not provide meaningful security guarantees.

Recommendation:

  • Add a step to verify Sigstore signatures during the release process or provide documentation for downstream consumers on how to verify the signatures.

🔴 CRITICAL: Lack of Integrity Verification for pip install

While pinning dependencies improves reproducibility, the pip install commands in the workflows do not include hash-based integrity checks (e.g., --require-hashes). This leaves the pipeline vulnerable to supply chain attacks, such as dependency confusion or compromised PyPI packages.

Recommendation:

  • Use pip install --require-hashes with a requirements.txt file that includes hashes for all dependencies. This ensures that only the expected versions of dependencies are installed.

🔴 CRITICAL: Potential Sandbox Escape in benchmarks.yml

The benchmarks.yml workflow installs dependencies using pip install -e ".[dev]". This allows the execution of arbitrary code during the installation process if the repository contains malicious code in its setup.py or pyproject.toml.

Recommendation:

  • Use a virtual environment or containerized environment for running benchmarks to isolate the execution environment.
  • Consider using a read-only filesystem for the container to prevent unintended modifications.

🟡 WARNING: Potential Breaking Changes in Dependency Versions

The PR pins pytest to version 8.4.1 and pytest-asyncio to version 0.26.0. While this improves reproducibility, it may cause issues for users who rely on newer versions of these dependencies.

Recommendation:

  • Clearly document the rationale for pinning these versions in the CHANGELOG.md and/or README.md.
  • Consider using semantic versioning ranges (e.g., pytest>=8.4,<9.0) to allow for minor updates while avoiding breaking changes.

🟡 WARNING: Backward Compatibility for pyyaml Version Pinning

The pyyaml dependency is pinned to version 6.0.2. This may break compatibility for users who rely on other versions of pyyaml.

Recommendation:

  • Evaluate whether pinning pyyaml to a specific version is strictly necessary. If it is, document the reason for this decision in the CHANGELOG.md and/or README.md.

💡 SUGGESTION: Use actions/checkout@v4 Instead of Commit Hash

The workflows use a specific commit hash (11bd71901bbe5b1630ceea73d27597364c9af683) for the actions/checkout action. While this ensures stability, it may lead to missing out on important updates or security patches.

Recommendation:

  • Use the latest stable version tag (e.g., actions/checkout@v4) to balance stability and security.

💡 SUGGESTION: Add Tests for Policy Engine Changes

While this PR does not directly modify the policy engine, it is critical to ensure that the changes to CI/CD workflows do not inadvertently affect the correctness of the policy engine.

Recommendation:

  • Add automated tests to validate the policy engine's behavior under different scenarios, especially for edge cases.

💡 SUGGESTION: Document MSRC Case Reference

The comments referencing "MSRC Case 111178" are helpful for context but may not be accessible to all contributors.

Recommendation:

  • Provide a brief explanation or link to public documentation (if available) about the MSRC case to help contributors understand the rationale behind these changes.

Final Assessment

The PR makes significant improvements to the repository's security posture, particularly in addressing dangerous workflows and adding signed releases. However, critical gaps in signature verification and dependency integrity checks must be addressed before merging. Additionally, the potential breaking changes introduced by dependency pinning should be carefully documented to ensure backward compatibility.

Action Items

  1. 🔴 Address critical issues:
    • Add Sigstore signature verification.
    • Implement hash-based integrity checks for pip install.
    • Isolate benchmark execution to prevent sandbox escapes.
  2. 🟡 Mitigate potential breaking changes:
    • Document the rationale for dependency pinning.
    • Consider using semantic versioning ranges where possible.
  3. 💡 Implement suggestions:
    • Use stable version tags for GitHub Actions.
    • Add tests for policy engine correctness.
    • Provide context for MSRC case references.

@github-actions

🤖 AI Agent: security-scanner — Security Review of Pull Request

Security Review of Pull Request

This pull request addresses several security-related improvements in the GitHub Actions workflows, including changes to address dangerous workflows, enforce signed releases, and pin dependencies. Below is a detailed security review of the changes.


Findings

1. Dangerous Workflow Mitigation

  • Change: Removed explicit ref: ${{ github.event.pull_request.head.sha }} in workflows triggered by pull_request_target events.
  • Risk: 🔴 CRITICAL
    • The pull_request_target event runs workflows in the context of the base branch but allows access to the contents of the pull request. Using ref: ${{ github.event.pull_request.head.sha }} in this context would allow an attacker to execute malicious code in the workflow by submitting a pull request with a modified workflow file. This could lead to privilege escalation or compromise of secrets.
  • Fix: The PR correctly removes the explicit ref and relies on the default behavior of pull_request_target, which checks out the base branch. This mitigates the risk of executing untrusted code from a pull request.
  • Recommendation: Ensure that all workflows triggered by pull_request_target events avoid using ref: head.sha or similar constructs. This change is correct and improves security.

2. Signed Releases

  • Change: Added a step to sign release artifacts using sigstore/gh-action-sigstore-python.
  • Risk: 🟠 HIGH
    • Without signing release artifacts, attackers could tamper with the artifacts during the build or distribution process, leading to supply chain attacks.
  • Fix: The addition of the sigstore action to sign release artifacts is a strong improvement. However, there is no verification step to ensure the signature is valid after signing. This could lead to a false sense of security if the signing process is compromised.
  • Recommendation: Add a verification step to confirm that the signature is valid after signing. This ensures that the signing process itself has not been tampered with.

3. Pinned Dependencies

  • Change: Pinned dependencies in CI workflows (e.g., pytest==8.4.1, pytest-asyncio==0.26.0, pyyaml==6.0.2).
  • Risk: 🟡 MEDIUM
    • Unpinned dependencies in CI workflows can lead to supply chain attacks, where malicious versions of dependencies are introduced.
  • Fix: Pinning dependencies to specific versions reduces the risk of supply chain attacks. However, the PR does not include a mechanism to automatically update and audit these dependencies, which could lead to outdated and vulnerable dependencies over time.
  • Recommendation: Use a dependency management tool (e.g., dependabot, pip-tools) to automate updates and audits of pinned dependencies.

4. Use of --no-cache-dir in pip install

  • Change: Added --no-cache-dir to pip install commands.
  • Risk: 🔵 LOW
    • The use of --no-cache-dir prevents caching of downloaded packages, reducing the risk of using stale or tampered cache files. However, this is a minor improvement and does not address critical risks.
  • Fix: This change is a good practice and reduces potential attack vectors.
  • Recommendation: No further action required.

5. SPDX License Compliance

  • Change: No changes related to SPDX license compliance were observed.
  • Risk: 🔵 LOW
    • There is no indication of license compliance issues in this PR. However, ensuring that all dependencies are properly licensed is a good practice.
  • Recommendation: Periodically audit dependencies for license compliance.

Summary of Findings

| Finding | Risk | Recommendation |
|---|---|---|
| Dangerous Workflow Mitigation | 🔴 CRITICAL | Ensure no workflows use ref: head.sha in pull_request_target context. |
| Signed Releases | 🟠 HIGH | Add a verification step to confirm the validity of signatures after signing. |
| Pinned Dependencies | 🟡 MEDIUM | Use a dependency management tool to automate updates and audits of dependencies. |
| Use of --no-cache-dir in pip install | 🔵 LOW | No further action required. |
| SPDX License Compliance | 🔵 LOW | Periodically audit dependencies for license compliance. |

Final Assessment

This pull request makes significant improvements to the security posture of the repository by addressing dangerous workflows, introducing signed releases, and pinning dependencies. However, there are still areas for improvement, particularly around verifying signed artifacts and automating dependency updates.

  • Overall Risk Rating: 🟠 HIGH
  • Approval Recommendation: Approve with the condition that a follow-up PR addresses the recommendations for signed release verification and dependency management.

imran-siddique added a commit to imran-siddique/agent-governance-toolkit that referenced this pull request Mar 24, 2026
@imran-siddique imran-siddique deleted the fix/scorecard-full-sweep branch March 28, 2026 16:48
5 participants