
Bug: Output of harden-runner insight should use commit hash instead


I am just testing and implementing harden-runner after starting with the scorecard action. Repo is here: https://github.com/jauderho/psfiles

So if the push is for actions to use commit hashes instead of version tags, the output page of the insights should utilize the commit hash instead.

For example, https://app.stepsecurity.io/github/jauderho/psfiles/actions/runs/1731266664

Recommendation is for

```yaml
- uses: step-security/harden-runner@v1
  with:
    allowed-endpoints: >
      api.github.com:443
      github.com:443
```

Instead, it really should be (changing as necessary as the action gets updated)

```yaml
- uses: step-security/harden-runner@14dc64f30986eaa2ad2dddcec073f5aab18e5a24 # v1
  with:
    allowed-endpoints: >
      api.github.com:443
      github.com:443
```

Similarly, the README.md for this repo should indicate/recommend the use of hashes instead.
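The issue asks that every `uses:` reference be a full 40-character commit SHA with the resolved tag kept as a trailing comment. The script below is an added example, not code from the issue author or from the harden-runner project: it scans a workflow for `uses:` references that are not pinned to a commit and rewrites the ones it can resolve into the `owner/repo@<sha> # <tag>` form shown above. The sample workflow is constructed for the example, the `(action, tag) -> sha` table is something you would normally populate with `git ls-remote` (see the note after the block), and the SHA given for `actions/checkout` is a placeholder, not a real commit; the harden-runner SHA is the one quoted in the issue text.

```python
"""Find and pin unpinned GitHub Actions references in a workflow file.

Added example for this issue; not part of harden-runner. A pinned reference is
'owner/repo[/path]@<40-hex commit sha>'. Tags (v1, v2.3.0) and branches are
mutable, so a tag can be moved to different code after you reviewed it.
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches '- uses: ref' or 'uses: ref' (steps and reusable-workflow jobs alike).
USES_RE = re.compile(r"^(?P<indent>\s*-?\s*uses:\s*)(?P<ref>\S+)(?P<rest>.*)$")

# Constructed sample workflow for the example (not taken from the issue's repo).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@v1
        with:
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      - uses: actions/checkout@v2
      - uses: ./.github/actions/local-thing
      - run: make test
"""

# (action, tag) -> commit sha. Resolve these yourself with git ls-remote; the
# harden-runner entry is the SHA quoted in the issue, the checkout entry is a
# placeholder and NOT a real actions/checkout commit.
RESOLVED = {
    ("step-security/harden-runner", "v1"): "14dc64f30986eaa2ad2dddcec073f5aab18e5a24",
    ("actions/checkout", "v2"): "a" * 40,
}


def parse_uses(ref):
    """Split 'owner/repo[/path]@version' into (action, version).

    Local actions ('./x') and 'docker://' images have no tag-to-commit mapping
    and are returned with version None so callers skip them.
    """
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return ref, None
    action, version = ref.rsplit("@", 1)
    return action, version


def is_pinned(version):
    """True only for a full 40-hex commit SHA; short SHAs and tags do not count."""
    return version is not None and SHA_RE.match(version) is not None


def find_unpinned(workflow_text):
    """Return [(line_no, action, version)] for every uses: not pinned to a commit."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        action, version = parse_uses(match.group("ref"))
        if version is None or is_pinned(version):
            continue
        findings.append((line_no, action, version))
    return findings


def pin_workflow(workflow_text, resolved):
    """Rewrite resolvable uses: lines to '<action>@<sha> # <tag>'.

    References whose (action, tag) is missing from `resolved` are left as they
    are, so a second find_unpinned() pass shows what still needs resolving.
    Any existing trailing comment on the line is replaced by the tag comment,
    which is what Dependabot/Renovate read to propose SHA updates later.
    """
    out = []
    for line in workflow_text.splitlines():
        match = USES_RE.match(line)
        if match:
            action, version = parse_uses(match.group("ref"))
            sha = resolved.get((action, version))
            if version is not None and not is_pinned(version) and sha:
                line = f"{match.group('indent')}{action}@{sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for line_no, action, version in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{version} is not pinned to a commit")
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVED))
```

To fill the `RESOLVED` table for a real repository, run `git ls-remote https://github.com/step-security/harden-runner refs/tags/v1`; for an annotated tag the output also carries a `refs/tags/v1^{}` line, and that peeled entry is the commit SHA you want to pin, not the tag object. Because a major tag such as `v1` is moved forward by the maintainer on each release, the `# v1` comment records which tag the SHA was resolved from at pin time, and the SHA has to be re-resolved deliberately when you choose to take an update.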

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 40 (40 by maintainers)

Top GitHub Comments

1 reaction
varunsh-coder commented, Feb 2, 2022

One item that's unclear to me is whether we should include the version number while using the digest to point to an image. See jauderho/dockerfiles#146

Yes, I think we should.

1 reaction
varunsh-coder commented, Jan 29, 2022

@varunsh-coder

A somewhat related question for you. One of the OpenSSF Scorecard recommendations is to switch from using Docker image tags to digests. Given that you have an Action to convert from versions to commit hashes for GHA, do you know of or have any plans to create a similar page to https://app.stepsecurity.io/ that will allow for a cut/paste conversion for Docker tags?

@jauderho I was thinking of the exact same thing. I will add it. Thanks for the idea!
