Skip to content

Apply security best practices for GitHub Actions / Dependency #38552

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Apr 15, 2025
Merged

Apply security best practices for GitHub Actions / Dependency #38552

merged 4 commits into from
Apr 15, 2025
+30 −4

Conversation

Nick2bad4u
Copy link
Contributor

@Nick2bad4u Nick2bad4u commented Apr 4, 2025
edited
Loading

Summary of the Pull Request

This pull request implements security best practices by pinning all GitHub Action tags and Docker tags to their full-length commits, following recommendations from GitHub's Security Hardening Guide. Pinning ensures that the actions used in workflows are immutable, reducing the risk posed by unintended or malicious changes.

Additionally, this PR integrates the Dependency Review Workflow, which scans for vulnerable dependency versions introduced by pull requests. This feature provides early warnings about security vulnerabilities, increasing visibility into changes and preventing vulnerabilities from being introduced into the repository.

References:

PR Checklist

  • Closes: Security improvement initiative (no issue linked)
  • Communication: N/A
  • Tests: Dependency review action tested in a local branch and validated for correctness.
  • Localization: No user-facing strings affected.
  • Dev docs: Updated with steps to configure dependency review.
  • New binaries: Not applicable for this PR.
  • Documentation updated: N/A

Detailed Description of the Pull Request / Additional Comments

This PR focuses on hardening the repository by ensuring immutability for tags and introducing automated dependency checks. The steps undertaken include:

  1. Pinning action tags and Docker tags to full-length commit hashes.
  2. Adding the Dependency Review Workflow to identify vulnerabilities at the pull request level.

These changes are aimed at improving the overall security posture of the repository and aligning it with recognized security standards.

Validation Steps Performed

  1. Verified that workflows run successfully with pinned tags.
  2. Tested the Dependency Review Workflow on multiple pull requests to confirm detection of vulnerable dependencies.
  3. Reviewed configurations against GitHub's and OpenSSF's security guidelines.

@Nick2bad4u Nick2bad4u changed the title [StepSecurity] Apply security best practices Apply security best practices for GitHub Actions / Dependency Apr 4, 2025
@Nick2bad4u
Copy link
Contributor Author

@microsoft-github-policy-service agree

@yeelam-gordon
Copy link
Contributor

Thanks for raising the PR.
Quick question, how come overlap will this dependency check with https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates?

@yeelam-gordon yeelam-gordon added the Area-GitHub workflow Issues regarding the GitHub workflow and automation label Apr 8, 2025
@crutkas
Copy link
Member

crutkas commented Apr 10, 2025

@Nick2bad4u, i submitted a PR to your repo with some adjustments based on chatting with some people internally.

@Nick2bad4u
Copy link
Contributor Author

@Nick2bad4u, i submitted a PR to your repo with some adjustments based on chatting with some people internally.

I didn't even know if I was going to submit this, so I left it as a draft.

The only reason I say this is because it can be a pain to constantly have to merge the version updates to any actions, etc.

So it's more of a trade off of security vs convenience. Ill take a look at your adjustment when I get home in a bit here.

Thanks

@Nick2bad4u
Copy link
Contributor Author

Nick2bad4u commented Apr 10, 2025
edited
Loading

Thanks for raising the PR.
Quick question, how come overlap will this dependency check with https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates?

This checks the dependency for version updates as they won't automatically update to the latest version after pinning to a hash.

It creates a pr for the new updates if that's what you're asking.

It also warns about any dependency you may be using that has open security risk.

@crutkas
Copy link
Member

crutkas commented Apr 10, 2025

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@crutkas
Copy link
Member

crutkas commented Apr 11, 2025

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

Copilot
Copilot AI reviewed Apr 11, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

@yeelam-gordon
Copy link
Contributor

@Nick2bad4u, i submitted a PR to your repo with some adjustments based on chatting with some people internally.

I didn't even know if I was going to submit this, so I left it as a draft.

The only reason I say this is because it can be a pain to constantly have to merge the version updates to any actions, etc.

So it's more of a trade off of security vs convenience. Ill take a look at your adjustment when I get home in a bit here.

Thanks

We need to do the hash for the 3rd party action from https://docs.opensource.microsoft.com/security/tsg/actions/#requirements-for-security-hardening-your-own-github-actions, thus, I see the latest change is great (i.e. those 1st/2nd party doesn't specify for hash.

@crutkas crutkas marked this pull request as ready for review April 11, 2025 06:15
@crutkas crutkas requested a review from a team as a code owner April 11, 2025 06:15
@crutkas crutkas added the Needs-Review This Pull Request awaits the review of a maintainer. label Apr 11, 2025
@yeelam-gordon
Copy link
Contributor

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

yeelam-gordon
yeelam-gordon approved these changes Apr 14, 2025
View reviewed changes
Copy link
Contributor

@yeelam-gordon yeelam-gordon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Nick2bad4u for all the change.
I also added Microsoft Security guideline as part of the dependency-review.yml, and rebased on from latest report for test run.

@yeelam-gordon yeelam-gordon removed the request for review from lei9444 April 14, 2025 13:35
@Nick2bad4u
Update msstore-submissions.yml
375119a 
added missed fixed to v4
@crutkas
Copy link
Member

crutkas commented Apr 14, 2025

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@yeelam-gordon
Copy link
Contributor

Oh, I see your fix @crutkas , just aware we should consider https://github.com/actions/ as 2nd party.

@yeelam-gordon yeelam-gordon merged commit 60f50d8 into microsoft:main Apr 15, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@crutkas crutkas crutkas approved these changes

@lei9444 lei9444 lei9444 approved these changes

@yeelam-gordon yeelam-gordon yeelam-gordon approved these changes

Assignees
No one assigned
Labels
Area-GitHub workflow Issues regarding the GitHub workflow and automation Needs-Review This Pull Request awaits the review of a maintainer.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Nick2bad4u @yeelam-gordon @crutkas @lei9444