Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Confusing alert "Unversioned Immutable Action" #2659

Open
ericcornelissen opened this issue Dec 18, 2024 · 4 comments
Open

Confusing alert "Unversioned Immutable Action" #2659

ericcornelissen opened this issue Dec 18, 2024 · 4 comments

Comments

@ericcornelissen
Copy link
Contributor

ericcornelissen commented Dec 18, 2024

Not sure if this is the right place to report this but couldn't figure out a better place...

I tested the new support for scanning GitHub Actions Workflows and got a ton of findings for "Unversioned Immutable Action".

The description for the finding is confusing me a bit for various reasons. I included a copy of the report I received at the bottom of this issue. My specific confusion is because of

  1. I'm assuming this is referring to Immutable Actions [GA] roadmap#592 which doesn't appear to be launched yet, is that correct?
  2. It says "Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable." despite the fact that I'm using commit refs (e.g. actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0). While I might want to switch to immutable actions, I believe the latter half of the sentence is factually incorrect in this case. Also, the use of commit refs is not included in the examples.
  3. The first link, https://github.com/github/package-registry-team/blob/main/docs/immutable-actions/immutable-actions-howto.md, is a 404 for me.
  4. The second link does not have a target URL (it's <a href=""></a> in the page source).



Description

Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version
of the action stored in the GitHub package registry. The action code will not change between runs.

Recommendations

When using immutable actions use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs.

Examples

Incorrect Usage

- uses: actions/checkout@some-tag
- uses: actions/checkout@2.x.x

Correct Usage

- uses: actions/checkout@4.0.0

References

@adityasharad
Copy link
Contributor

Thank you for trying out this new feature and for your rapid and thorough feedback - much appreciated. You're right. We'll work on improving the documentation for these alerts. We also appear to be enforcing usage patterns that are only applicable for now to GitHub-internal use (where we use this for our own security), so we'll adjust the alerts accordingly.

@leemeador
Copy link

I'm getting the same "error" with a sha as the version. A sha is not mutable and, while it is not a semantic version with 3 digits, it is fixed. Actually, its fixed better than a 3 digit semver since a release or tag on an action can be deleted and recreated with malicious content if the attacker has the correct credentials.

@aeisenberg
Copy link
Contributor

@leemeador, thanks for the feedback. I can understand how this is confusing. Immutable Actions is an unreleased feature, where an action release is published in the GitHub Package Registry, and is guaranteed that once published, a new package with the same version cannot be published on top of it. In addition to better clarity in documentation, this feature brings better security guarantees.

This feature is not publicly available yet, and this query is only meant to apply to internal GitHub repositories. You can ignore it for now.

@adityasharad
Copy link
Contributor

github/codeql#18356 will remove this query from the public query suites, and the confusing alerts will automatically close when your analysis receives the updated query pack after that change. We'll comment here when that happens too. Thanks for your patience.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants