This issue is created by StepSecurity related to security issues in docker-image.yml. The platform has identified 1 vulnerability (1 critical, 0 high, 0 medium, 0 low).
Remediation Overview
The platform can generate remediations for a few vulnerabilities. For such vulnerabilities, you can find the fixed workflow file in the Suggested Fix For Auto-Remediable Issues section. You can manually deploy these changes or create a pull request by commenting @stepsecurity-int pull-request create on this issue.
If you’d like an automated pull request with the fixed workflow file, comment:
@stepsecurity-int pull-request create
Other issues require manual investigation and changes.
Once a vulnerability has been remediated, ✅ will appear in the title. Note that it may take up to 24 hours for these issues to be updated.
Please review the individual vulnerability section below and follow the recommended resolution steps.
Security Checks Details
❌ Actions should be pinned to a full-length commit SHA
Severity: Critical
Description: GitHub Action tags and Docker tags are mutable, so a tag such as v2 can be moved to point at different code after you have reviewed it. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to a full-length commit SHA.
Resolution: Pin Actions to a full-length commit SHA.
Automated Remediation Available: true
References: GitHub Security Guide; The Open Source Security Foundation (OpenSSF) Security Guide
Below is the updated workflow, which fixes the following security vulnerabilities:
Actions should be pinned to a full-length commit SHA
```yaml
name: docker-image

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

on:
  push:
    branches: [ main ]
    # Publish semver tags as releases.
    tags: [ 'v*.*.*' ]
  pull_request:
    branches: [ main ]

env:
  # Use docker.io for Docker Hub if empty
  REGISTRY: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME: ${{ github.repository }}

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
      # Suggested fix: previously referenced the mutable tag v2,
      # now pinned to the full-length commit SHA for v2.11.0
      - name: Harden Runner
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit

      # Suggested fix: previously referenced the mutable tag v3,
      # now pinned to the full-length commit SHA for v3.6.0
      - name: Checkout repository
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

      # Login against a Docker registry except on PR
      # https://github.com/docker/login-action
      - name: Log into registry ${{ env.REGISTRY }}
        if: github.event_name != 'pull_request'
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Extract metadata (tags, labels) for Docker
      # https://github.com/docker/metadata-action
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      # Build and push Docker image with Buildx (don't push on PR)
      # https://github.com/docker/build-push-action
      - name: Build and push Docker image
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```
Additional Information
For more information, refer to the documentation page here.
Please don't make any changes in the description as the platform makes automated updates in description. Please use the comment section below to provide input.
Automated remediation commands and options
Create a pull request with automated security fixes
@stepsecurity-int pull-request create
Close this issue and prevent it from being reopened
@stepsecurity-int issue close <REASON>
Update issue description with latest security check status
@stepsecurity-int issue force-update
View all available commands and their usage
@stepsecurity-int help
Which GitHub Actions security best practices were evaluated?
The workflow was evaluated for the following GitHub Actions security best practices:
Network & runtime security monitoring
Token permissions
Third-party GitHub Actions usage & pinning