-
Notifications
You must be signed in to change notification settings - Fork 306
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check for and update outdated integrations #4694
base: master
Are you sure you want to change the base?
Changes from all commits
4ec98c6
030334d
f6d7609
69cbf21
b3b80d2
0e5cd60
3b200e0
673cdcf
9d60480
5a72dba
a292923
6f4b13b
559515b
d9e4580
aab81c8
8015542
d55b7ff
39363ce
cd6e9d5
5b9abbc
9c38a47
2a9e474
2d8b885
50237fa
5a354d2
61ffa44
d55455d
58218bd
9a1cf96
d2b9459
4b6740a
a937581
0f2bc40
ef00386
6aa6853
315238f
fce4e51
12c5198
a8b7234
f6039d8
1af7503
9a507cc
5a33b02
85a1477
82fd66a
2aa7fec
b3414a5
eb7e897
eb02ccf
154efc2
46b4703
d4a4d3c
4e0906c
f9273e9
34b5c1b
4a71ecc
759edcb
4b6a133
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
name: Outdated Integrations | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityNo explicit permissions set for at the workflow level (...read more)Check the permissions granted to jobsDatadog’s GitHub organization defines default permissions for the Your repository may require different setup, but please consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromission. You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. Please note they can be defined at the job or the workflow level. |
||
|
||
on: | ||
schedule: | ||
# This, will run every weekday at 2pm UTC | ||
- cron: '0 14 * * 1,2,3,4,5' | ||
|
||
jobs: | ||
outdated-integrations: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag (...read more)Pin third party actions by hash, or at least by tag for trusted sourcesWhen using a third party action, one needs to provide its GitHub path ( No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state. Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks. Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🟠 Code VulnerabilityWorkflow depends on a GitHub actions pinned by tag (...read more)Pin third party actions by hash, or at least by tag for trusted sourcesWhen using a third party action, one needs to provide its GitHub path ( No pinned git ref means the action will use the latest commit of the default branch each time it runs, eventually running newer versions of the code that were not audited by Datadog. Specifying a git tag is better, but since they are not immutable, using a full length hash is recommended to make sure the action content is actually frozen to some reviewed state. Be careful however, as even pinning an action by hash can be circumvented by attackers still. For instance, if an action relies on a Docker image which is itself not pinned to a digest, it becomes possible to alter its behaviour through the Docker image without actually changing its hash. You can learn more about this kind of attacks in Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows. Pinning actions by hash is still a good first line of defense against supply chain attacks. Additionally, pinning by hash or tag means the action won’t benefit from newer version updates if any, including eventual security patches. Make sure to regularly check if newer versions for an action you use are available. For actions coming from a very trustworthy source, it can make sense to use a laxer pinning policy to benefit from updates as soon as possible. |
||
- uses: ./.github/actions/node/setup | ||
- run: yarn install | ||
- run: yarn outdated-integrations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🟠 Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Check the permissions granted to jobs
Datadog’s GitHub organization defines default permissions for the
GITHUB_TOKEN
to be restricted (contents:read
,metadata:read
andpackages:read
).Your repository may require different setup, but please consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromission.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. Please note they can be defined at the job or the workflow level.