-
Notifications
You must be signed in to change notification settings - Fork 335
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Confusing alert "Unversioned Immutable Action" #2659
Comments
Thank you for trying out this new feature and for your rapid and thorough feedback - much appreciated. You're right. We'll work on improving the documentation for these alerts. We also appear to be enforcing usage patterns that are only applicable for now to GitHub-internal use (where we use this for our own security), so we'll adjust the alerts accordingly. |
I'm getting the same "error" with a sha as the version. A sha is not mutable and, while it is not a semantic version with 3 digits, it is fixed. Actually, its fixed better than a 3 digit semver since a release or tag on an action can be deleted and recreated with malicious content if the attacker has the correct credentials. |
@leemeador, thanks for the feedback. I can understand how this is confusing. Immutable Actions is an unreleased feature, where an action release is published in the GitHub Package Registry, and is guaranteed that once published, a new package with the same version cannot be published on top of it. In addition to better clarity in documentation, this feature brings better security guarantees. This feature is not publicly available yet, and this query is only meant to apply to internal GitHub repositories. You can ignore it for now. |
github/codeql#18356 will remove this query from the public query suites, and the confusing alerts will automatically close when your analysis receives the updated query pack after that change. We'll comment here when that happens too. Thanks for your patience. |
Not sure if this is the right place to report this but couldn't figure out a better place...
I tested the new support for scanning GitHub Actions Workflows and got a ton of findings for "Unversioned Immutable Action".
The description for the finding is confusing me a bit for various reasons. I included a copy of the report I received at the bottom of this issue. My specific confusion is because of
actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
). While I might want to switch to immutable actions, I believe the latter half of the sentence is factually incorrect in this case. Also, the use of commit refs is not included in the examples.<a href=""></a>
in the page source).Description
Using an immutable action without indicating proper semantic version will result in the version being resolved to a tag that is mutable. This means the action code can between runs and without the user's knowledge. Using an immutable action with proper semantic versioning will resolve to the exact version
of the action stored in the GitHub package registry. The action code will not change between runs.
Recommendations
When using immutable actions use the full semantic version of the action. This will ensure that the action is resolved to the exact version stored in the GitHub package registry. This will prevent the action code from changing between runs.
Examples
Incorrect Usage
Correct Usage
References
The text was updated successfully, but these errors were encountered: