Up to standards ✅
Pull Request Overview
While this PR successfully pins most GitHub Actions to SHA hashes, there are inconsistencies and omissions that undermine the security goals. Specifically, the actions/checkout action in mkdocs.yml uses an incorrect major version and a SHA hash inconsistent with other files in this PR. Furthermore, the Rebilly/lexi action remains pinned to a mutable tag, which contradicts the stated acceptance criteria and leaves the workflow vulnerable to supply chain attacks. Although Codacy analysis indicates the PR is 'up to standards', these functional alignment issues should be resolved to ensure the security policy is applied uniformly.
About this PR
- The security hardening is incomplete; while most actions were updated, at least one third-party action was overlooked. To meet the security objectives, every action reference must be pinned to an immutable SHA hash to prevent tag-shifting attacks.
Test suggestions
- Verify that 'actions/checkout' is pinned to a SHA hash in all workflow files
- Verify that third-party actions like 'tj-actions/changed-files' and 'atlassian/gajira' are pinned to SHA hashes
- Verify that the 'Rebilly/lexi' action in 'readability.yml' is pinned to a SHA hash
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that the 'Rebilly/lexi' action in 'readability.yml' is pinned to a SHA hash
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 |
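Review bot: the `# v6` comment on the new `uses:` line is documentation only, so before merging confirm that de0fac2e4500dabe0009e67214ff5f5447ce83dd is really the commit the actions/checkout `v6` tag points at (for example with `git ls-remote https://github.com/actions/checkout refs/tags/v6`, then opening that commit in the upstream repository); a SHA that does not match its version comment defeats the purpose of the pin and misleads anyone auditing the workflow later. It also differs from the checkout SHA used in the other workflow files in this PR (34e114876b0b11c390a56381ad16ebd13914f8d5 # v4), so decide deliberately which major version every workflow should run rather than leaving mixed pins behind.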
🔴 HIGH RISK
The actions/checkout action does not have a v6 release; the latest major version is v4. Additionally, the SHA used here (de0fac2...) is inconsistent with the v4 SHA (34e114876b0b11c390a56381ad16ebd13914f8d5) used throughout the rest of the PR. It is recommended to use the consistent SHA and correct the version comment.
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
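Review bot: the suggested replacement changes more than the pin: it moves checkout from the commit commented as v6 to the v4 commit 34e114876b0b11c390a56381ad16ebd13914f8d5, which is a major-version downgrade of the action this workflow runs, not only a consistency fix. Apply it only if v4 is the version the project actually wants in this file; otherwise keep the v6 SHA once it has been verified against the upstream tag and resolve the inconsistency in the other workflows instead.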
.github/workflows/readability.yml
Outdated
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: Rebilly/lexi@v2 |
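Review bot: `- uses: Rebilly/lexi@v2` on the last line of this hunk is still a mutable tag, while the PR description reports "Actions left as tags: 0", so the audit script that produced that count did not catch this reference. Pin it to the full commit SHA that the v2 tag currently points at, with `# v2` as the trailing comment, and check the script's detection as well: a tool that reports zero unpinned actions while one remains gives false assurance to the next reviewer.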
🟡 MEDIUM RISK
Suggestion: To align with the security objectives of this PR and satisfy the acceptance criteria, the Rebilly/lexi action should be pinned to a specific SHA hash. This prevents potential 'tag shifting' attacks where a tag is moved to a different, potentially malicious, commit.
Try running the following prompt in your IDE agent:
Pin the Rebilly/lexi@v2 action in .github/workflows/readability.yml to its specific SHA-1 hash and append the tag as a comment.
Replaces mutable tag/branch references with immutable SHA hashes to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026). Actions left as tags: 0
99233f5 to 3473b3f
Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.
This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.
Auto-generated by the Codacy security audit script.
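As an added example that is not the PR's audit script or Codacy's own code, the checker below shows the kind of scan the test suggestions above call for: it walks workflow text line by line, classifies every `uses:` reference, and reports any that is not pinned to a full 40-character commit SHA. Run over constructed sample text mirroring the readability.yml hunk, it flags `Rebilly/lexi@v2` while accepting the SHA-pinned checkout; the regexes and the `classify_uses` categories are my assumptions, not part of any tool on this page.

```python
import re
from typing import List, Tuple

# Matches a `uses:` step reference, optionally inside a list item ("- uses:").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
# A full-length SHA-1 commit id (40 hex chars); short SHAs are rejected on purpose.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Return 'local', 'docker', 'sha' or 'tag' for a single uses: reference."""
    if ref.startswith("./"):
        return "local"      # composite action in this repo; nothing external to pin
    if ref.startswith("docker://"):
        return "docker"     # images should be pinned by digest; out of scope here
    if "@" not in ref:
        return "tag"        # no version at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(version) else "tag"


def unpinned_actions(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_no, ref) for every uses: entry not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "tag":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample mirroring the readability.yml hunk reviewed above.
SAMPLE_WORKFLOW = """\
jobs:
  lexi:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          fetch-depth: 0
      - uses: Rebilly/lexi@v2
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Short SHAs and bare `owner/repo` references (which resolve to the default branch) are reported as unpinned on purpose, since neither is immutable.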