Up to standards ✅
Pull Request Overview
While this PR moves toward better security by pinning most actions to SHA hashes, it is currently incomplete and contains a high-severity security risk. The ahmadnassri/action-dependabot-auto-merge action was missed in the conversion, contradicting the PR's stated intent. More importantly, the auto-merge.yml workflow uses the pull_request_target trigger combined with a checkout of the head branch; this pattern allows untrusted code from forks to execute in a privileged environment with repository secrets. These security gaps should be resolved before merging.
About this PR
- The PR does not fully satisfy its security objective because 'ahmadnassri/action-dependabot-auto-merge@v2' in '.github/workflows/auto-merge.yml' remains pinned to a mutable tag rather than a SHA hash.
Test suggestions
- Verify that all actions in .github/workflows/auto-merge.yml are pinned to commit SHAs.
- Verify that all actions in .github/workflows/comment_issue.yml are pinned to commit SHAs.
- Verify that all actions in .github/workflows/create_issue.yml are pinned to commit SHAs.
- Verify that all actions in .github/workflows/create_issue_on_label.yml are pinned to commit SHAs.
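The checks listed under "Test suggestions" can be automated. The script below is an added example, not code from the PR or its review bot: it flags every `uses:` reference that is not pinned to a 40-hex commit SHA and detects the `pull_request_target` plus PR-head checkout pattern flagged below. The workflow text is a constructed sample that mirrors the snippet under review, not the repository's actual file.

```python
import re

# Constructed sample standing in for .github/workflows/auto-merge.yml (not the
# PR's real file); it reproduces the two findings raised in the review.
SAMPLE_WORKFLOW = """\
name: auto-merge
on:
  pull_request_target:
jobs:
  merge:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: ahmadnassri/action-dependabot-auto-merge@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
HEAD_REF_RE = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")


def unpinned_actions(workflow_text):
    """Return 'owner/repo@version' refs whose version is not a full commit SHA.
    Local ('./path') and Docker ('docker://') uses have no upstream tag to pin."""
    findings = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue
        _, _, version = ref.rpartition("@")  # version == ref when '@' is absent
        if not SHA_RE.match(version):
            findings.append(ref)
    return findings


def checks_out_pr_head_under_pull_request_target(workflow_text):
    """True when pull_request_target is a trigger and the PR head is checked out:
    fork code then runs with the base repository's secrets and write token."""
    uses_target = re.search(r"\bpull_request_target\b", workflow_text) is not None
    return uses_target and HEAD_REF_RE.search(workflow_text) is not None


if __name__ == "__main__":
    for ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
    if checks_out_pr_head_under_pull_request_target(SAMPLE_WORKFLOW):
        print("pull_request_target checks out PR head: untrusted code may run privileged")
```

Run it over each file in .github/workflows/ in CI and fail the job when either function reports a finding.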
- uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
  with:
    ref: ${{ github.event.pull_request.head.sha }}
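Review bot: the `ref: ${{ github.event.pull_request.head.sha }}` line is the one that matters in this block; pinning `actions/checkout` to a SHA does not reduce the risk, because the code that ends up in the workspace is the fork's head commit, not the action itself. If the auto-merge step only needs the token for API calls, drop the `with:` and `ref:` lines together with the checkout step rather than keeping a pinned checkout of untrusted content.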
🔴 HIGH RISK
This workflow block presents two significant security issues:
- Incomplete SHA Pinning: The action ahmadnassri/action-dependabot-auto-merge@v2 (line 14) is still using a mutable version tag, which contradicts the security goals of this PR. It should be updated to a specific commit SHA.
- Privileged Execution Risk: Using pull_request_target while checking out the pull request's head branch (lines 11-13) is a high-severity vulnerability. It allows potentially untrusted code from a fork to run with write permissions and access to repository secrets.
Actionable Suggestions:
- Update the auto-merge action to a SHA hash. Prompt for coding agent: Find the latest commit SHA for ahmadnassri/action-dependabot-auto-merge@v2 and update the uses statement in .github/workflows/auto-merge.yml to use that SHA, including the version as a comment (e.g., # v2).
- Verify if actions/checkout is necessary. If the action only needs GITHUB_TOKEN for API calls, remove the checkout step and the ref parameter to eliminate the risk of executing untrusted code.
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
de3603c to 08611ff
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.