GitHub Actions SHA pinning - currently incompatible with GitHub Dependabot Alerts #1898
Replies: 1 comment
Hi @jayaddison, thanks for opening this discussion. I wasn't aware of that, and I think that's an egregious limitation in GitHub's platform. In terms of what zizmor does (and IMO should do), I'm not sure there's any change we want to make -- hash-pinning is a good idea (even in the presence of immutable tags/releases), and GitHub should separately fix their platform limitation there. In the meantime, you can use zizmor's own known-vulnerable-actions audit for this -- we correctly handle this by mapping SHA references back to tags/branches and querying those for known vulnerabilities. I think GitHub could pretty easily adopt the same technique. So if you're already running zizmor in your CI/CD, you should be covered by pre-existing checks on zizmor's side 🙂
Hello,

I've noticed a few more code repositories on GitHub enabling zizmor and adopting its recommendations recently, and I think that's a good sign to indicate that maintainers are taking their supply chain security seriously. Most of zizmor's suggestions I think are free of any drawbacks -- but there is one in particular that I think has a significant side-effect: the use of SHA-based versioning (aka commit pinning, required by default since v1.20) for GitHub Actions is incompatible with the GitHub Dependabot Alerts feature that notifies repository maintainers about vulnerability reports for the actions that they're using. For details, refer to:

> For GitHub Actions, alerts are only generated for actions that use semantic versioning, not SHA versioning.

- https://docs.github.com/en/code-security/concepts/supply-chain-security/about-dependabot-alerts#limitations
- Please make Dependabot Alerts support SHA-hash-versioned GitHub Actions: https://github.com/orgs/community/discussions/154189

Regards,
James
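The maintainer's reply above describes the technique zizmor uses for its known-vulnerable-actions audit: map a SHA reference back to the tags that point at it, then check those tags against advisory data. The block below is an added example of that technique written for this page; it is not zizmor's code and not code from either post. Everything in it is constructed for illustration: the placeholder commit SHAs, the action `example/vuln-action`, the `TAG_INDEX` (standing in for what `git ls-remote --tags` or the GitHub refs API would return) and the single advisory entry, which is not a real advisory. It runs offline over an embedded sample workflow.

```python
import re
from dataclasses import dataclass

# Constructed placeholder commit SHAs (not real commits in any repository).
SHA_CHECKOUT = "1" * 40
SHA_VULN_OLD = "2" * 40
SHA_VULN_FIXED = "3" * 40
SHA_UNKNOWN = "4" * 40

# Constructed sample workflow; "example/vuln-action" is a hypothetical action.
WORKFLOW = f"""\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@{SHA_CHECKOUT} # v4.2.2
      - uses: example/vuln-action@{SHA_VULN_OLD} # v1.0.3
      - uses: example/vuln-action@main
      - uses: example/vuln-action@{SHA_UNKNOWN}
      - uses: example/vuln-action@{SHA_VULN_FIXED} # v1.1.0
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

# Stand-in for `git ls-remote --tags https://github.com/<owner>/<repo>`, which prints
# "<sha>\trefs/tags/<tag>" lines (for annotated tags the commit is on the peeled
# "refs/tags/<tag>^{}" line). Shape here: repo -> {commit sha: [tags]}.
TAG_INDEX = {
    "actions/checkout": {SHA_CHECKOUT: ["v4.2.2", "v4"]},
    "example/vuln-action": {SHA_VULN_OLD: ["v1.0.3"], SHA_VULN_FIXED: ["v1.1.0", "v1"]},
}

# Constructed stand-in for advisory data: versions below "patched" are affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "repo": "example/vuln-action", "patched": "v1.1.0"},
]

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
SEMVER_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


@dataclass(frozen=True)
class ActionRef:
    repo: str  # "owner/name"
    ref: str   # tag, branch, or 40-hex commit SHA


def parse_uses(workflow_text: str) -> list[ActionRef]:
    """Collect repository action references from `uses:` lines."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):  # local action or container image
            continue
        path, _, ref = target.partition("@")
        repo = "/".join(path.split("/")[:2])  # drop any subdirectory component
        refs.append(ActionRef(repo, ref))
    return refs


def is_sha(ref: str) -> bool:
    return SHA_RE.fullmatch(ref) is not None


def resolve_to_tags(action: ActionRef, tag_index: dict) -> list[str]:
    """A SHA becomes the tags that point at it; a tag or branch is returned as-is."""
    if not is_sha(action.ref):
        return [action.ref]
    return tag_index.get(action.repo, {}).get(action.ref, [])


def parse_version(tag: str):
    """Only full x.y.z tags are versions; floating tags (v1) and branches (main) give None."""
    m = SEMVER_RE.fullmatch(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def advisory_applies(adv: dict, tag: str):
    """True/False for a versioned tag, None when the ref cannot be placed in a range."""
    v = parse_version(tag)
    return None if v is None else v < parse_version(adv["patched"])


def audit(workflow_text: str, tag_index: dict, advisories: list) -> list[dict]:
    findings = []
    for action in parse_uses(workflow_text):
        uses = f"{action.repo}@{action.ref}"
        tags = resolve_to_tags(action, tag_index)
        if not tags:
            # Pinned commit with no tag pointing at it: report it, don't silently pass.
            findings.append({"uses": uses, "tags": [], "status": "unresolvable", "advisory": None})
            continue
        status, hit = "ok", None
        for adv in advisories:
            if adv["repo"] != action.repo:
                continue
            results = [advisory_applies(adv, t) for t in tags]
            if any(r is True for r in results):
                status, hit = "vulnerable", adv["id"]
                break
            if all(r is None for r in results):
                status = "unknown"  # branch or floating tag; resolve to a commit first
        findings.append({"uses": uses, "tags": tags, "status": status, "advisory": hit})
    return findings


if __name__ == "__main__":
    for f in audit(WORKFLOW, TAG_INDEX, ADVISORIES):
        print(f"{f['status']:<12} {f['uses']}  tags={f['tags']}  advisory={f['advisory']}")
```

Two outcomes are worth noting. A pinned commit that no tag points at is reported as `unresolvable` rather than passed, since nothing version-based can be said about it. A branch (`main`) or floating tag (`v1`, `v4`) is reported as `unknown`, because it cannot be placed in a version range until it is resolved to a commit, which is the same step the SHA path already needs; in a live tool that resolution would come from the same `git ls-remote` call.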