Description
Issue Description
The security scripts validate SHA pinning compliance but do not detect version inconsistency across workflows. A repository can pass all security checks while using different versions of the same action (e.g., actions/download-artifact@v4.1.8 in one workflow and @v7.0.0 in another), both correctly SHA-pinned.
Problem Statement
Current Behavior
Test-DependencyPinning.ps1 validates that actions use 40-character SHA references:

```powershell
$sha40Pattern = '^[a-fA-F0-9]{40}$'
# Passes if reference matches SHA pattern
```

Update-ActionSHAPinning.ps1 provides remediation via $ActionSHAMap, but the map contains only specific versions:

```powershell
$ActionSHAMap = @{
    "actions/download-artifact@v4" = "actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16"
    "actions/download-artifact@v3" = "actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a"
    # No @v7 entry exists
}
```

Real Example in This Repository
| Workflow | Action Reference | Version |
|---|---|---|
| extension-package.yml | actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 | v7.0.0 |
| extension-publish.yml | actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 | v7.0.0 |
| extension-publish-prerelease.yml | actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 | v7.0.0 |
| main.yml | actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 | v4.1.8 |
All four references pass Test-DependencyPinning.ps1 because each is a valid 40-character SHA; the check never compares references to one another, so the v4.1.8/v7.0.0 split goes unreported.
Gap Analysis
| Check | Test-DependencyPinning | Test-SHAStaleness | Gap |
|---|---|---|---|
| Is it SHA-pinned? | ✅ | - | - |
| Is it the latest SHA? | - | ✅ | - |
| Is it consistent across workflows? | ❌ | ❌ | Missing |
| Is it an approved/expected version? | ❌ | ❌ | Missing |
Proposed Solutions
Option A: New Consistency Script
Create Test-ActionVersionConsistency.ps1 that:
- Scans all workflow files for action references
- Resolves SHA → tag using GitHub API
- Groups by action name and reports version mismatches
- Outputs recommendations for standardization
Option B: Policy Mode for Existing Script
Add -EnforceConsistency switch to Test-DependencyPinning.ps1:
- When enabled, fails if the same action appears with different SHAs
- Requires explicit allowlist for intentional version differences
Option C: Canonical Manifest
Create approved-actions.json defining expected action versions:
```json
{
  "actions/download-artifact": {
    "version": "v4.1.8",
    "sha": "fa0a91b85d4f404e444e00e005971372dc801d16"
  }
}
```

Scripts validate against this manifest rather than checking only format.
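As an added example, not the repository's own script and not part of this issue as filed: a minimal Test-ActionVersionConsistency.ps1 in the style of the existing Test-*.ps1 scripts that combines Option A (group `uses:` references by action and report actions pinned to more than one SHA) with Option C (compare each reference against an approved-actions.json manifest). The SHA-to-tag table is constructed from the two SHAs in the table above and stands in for the GitHub API lookup so the script runs offline; the manifest layout follows the JSON shown under Option C; the `-FailOnMismatch` switch and the `Get-ActionReference`, `Test-ActionVersionConsistency` and `Test-ApprovedActionManifest` function names are assumptions for illustration.

```powershell
# Added example (not the repository's script). Walks a workflow directory, collects every
# `uses: owner/repo@ref`, reports actions that resolve to more than one SHA, and, if an
# approved-actions.json manifest exists, reports references that differ from its SHA.
[CmdletBinding()]
param(
    [string]$WorkflowPath = '.github/workflows',
    [string]$ManifestPath = 'approved-actions.json',   # hypothetical file from Option C
    [switch]$FailOnMismatch                            # hypothetical policy switch (Option B)
)

# Constructed sample data: the two SHAs from the table in this issue. A real implementation
# would resolve SHA -> tag through the GitHub API; this keeps the script runnable offline.
$ShaToTag = @{
    '37930b1c2abaa49bbe596cd826c3c89aef350131' = 'v7.0.0'
    'fa0a91b85d4f404e444e00e005971372dc801d16' = 'v4.1.8'
}

# `uses: owner/repo[/subpath]@ref`, optionally quoted. Local (./) and docker:// uses never
# match because they contain no `owner/repo@ref` in this position.
$UsesPattern  = '^\s*-?\s*uses:\s*[''"]?(?<action>[\w.-]+/[\w.-]+)(?:/[^@\s''"]+)?@(?<ref>[^\s''"#]+)'
$Sha40Pattern = '^[a-fA-F0-9]{40}$'   # same rule Test-DependencyPinning.ps1 applies

function Get-ActionReference {
    param([string]$Path)
    $files = Get-ChildItem -LiteralPath $Path -File | Where-Object { $_.Extension -in '.yml', '.yaml' }
    foreach ($file in $files) {
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file.FullName) {
            $lineNo++
            if ($line -notmatch $UsesPattern) { continue }
            $ref = $Matches['ref']
            $tag = if ($ShaToTag.ContainsKey($ref)) { $ShaToTag[$ref] } else { '(unresolved)' }
            [pscustomobject]@{
                Workflow = $file.Name
                Line     = $lineNo
                Action   = $Matches['action']
                Ref      = $ref
                IsSha    = [bool]($ref -match $Sha40Pattern)
                Tag      = $tag
            }
        }
    }
}

# Option A/B: one action, more than one distinct ref across all workflows.
function Test-ActionVersionConsistency {
    param([object[]]$References)
    foreach ($group in $References | Group-Object -Property Action) {
        $distinctRefs = @($group.Group.Ref | Sort-Object -Unique)
        if ($distinctRefs.Count -le 1) { continue }
        [pscustomobject]@{
            Action       = $group.Name
            DistinctRefs = $distinctRefs.Count
            UsedIn       = ($group.Group | ForEach-Object { '{0}:{1} -> {2} ({3})' -f $_.Workflow, $_.Line, $_.Tag, $_.Ref }) -join '; '
        }
    }
}

# Option C: every reference to an action listed in the manifest must use the approved SHA.
function Test-ApprovedActionManifest {
    param([object[]]$References, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $manifest = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($r in $References) {
        $entry = $manifest.PSObject.Properties[$r.Action]
        if ($null -eq $entry) { continue }            # unlisted actions fall back to the consistency check
        if ($r.Ref -ne $entry.Value.sha) {
            [pscustomobject]@{
                Workflow = $r.Workflow; Line = $r.Line; Action = $r.Action
                Found    = $r.Tag;      Expected = $entry.Value.version
            }
        }
    }
}

$refs       = @(Get-ActionReference -Path $WorkflowPath)
$unpinned   = @($refs | Where-Object { -not $_.IsSha })
$mismatches = @(Test-ActionVersionConsistency -References $refs)
$drift      = @(Test-ApprovedActionManifest -References $refs -Path $ManifestPath)

# Acceptance criterion: output identifies which workflows use which versions.
$refs | Sort-Object Action, Workflow | Format-Table Action, Tag, Workflow, Line -AutoSize
if ($unpinned)   { Write-Warning "Not SHA-pinned:";                          $unpinned   | Format-Table Workflow, Line, Action, Ref -AutoSize }
if ($mismatches) { Write-Warning "Same action pinned to different versions:"; $mismatches | Format-List }
if ($drift)      { Write-Warning "Differs from $($ManifestPath):";           $drift      | Format-Table -AutoSize }

if ($FailOnMismatch -and ($mismatches.Count -gt 0 -or $drift.Count -gt 0)) { exit 1 }
```

Run against the four workflows in the table above, the consistency check groups `actions/download-artifact` into two distinct SHAs (three workflows on v7.0.0, main.yml on v4.1.8) and the manifest check flags the three v7.0.0 uses as drifting from the v4.1.8 entry. Emitting objects rather than strings leaves the SARIF/JSON serialization to the existing output layer; the only policy decision embedded here is the `-FailOnMismatch` exit code.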
Acceptance Criteria
- Version inconsistencies across workflows are detected and reported
- Clear output identifies which workflows use which versions
- Integration with existing SARIF/JSON output formats
- Documentation updated with new validation capability
Additional Context
The $ActionSHAMap in Update-ActionSHAPinning.ps1 currently has ~50 entries but no v7 mappings for actions that have released v7. This suggests the map is maintained by hand and can drift from the versions actually in use, so the remediation script cannot bring a v7 reference in line with the map even when asked to.