lupyuen commented on issue #18359: URL: https://github.com/apache/nuttx/issues/18359#issuecomment-3874535423
_[ASF Infra recommends](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=321719166#GitHubActionsSecurity-Dangerousworkflows) that we run Zizmor to scan for Security Issues in GitHub Actions. What does it say?_

We ran [Zizmor](https://woodruffw.github.io/zizmor/) on NuttX Repo, here's the log...

https://gist.github.com/lupyuen/bb047b82c7c13789272d2ee4a6a5d913

- High Severity Issues: 51 / Medium: 3 / Low: 9 / Info: 18

- High Severity Issues are easily auto-fixable by Zizmor:

```text
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:134:19
    |
134 |     if [[ ${{ inputs.android }} == 'true' ]]; then
    |               ^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: this finding has an auto-fix
```

- Also High Severity: We should Pin our GitHub Actions to a Specific Git Hash (instead of Version Number):

```text
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:98:15
   |
98 |         uses: actions/checkout@v6
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
```

- pull_request_target is flagged as Medium Severity, which we're tackling now

```text
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> nuttx/.github/workflows/labeler.yml:16:1
   |
16 | / on:
17 | |   - pull_request_target
   | |_______________________^ pull_request_target is almost always used insecurely
   |
   = note: audit confidence → Medium
```

- Other Medium Severity Issues are easily auto-fixable by Zizmor:

```text
warning[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/build.yml:345:48
    |
345 |           ./cibuild.sh -i -c -A -R testlist/${{matrix.boards}}.dat
    |                                                ^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
```

- We'll skip Low Severity for now

-- This is an automated message from the Apache Git Service.
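As an added illustration (not from the NuttX repository or from the comment above), here is the form Zizmor flagged next to a corrected form for the two auto-fixable findings, template injection and unpinned `uses:`; the `BOARD` / `INPUT_ANDROID` variable names and the step names are assumptions, and the commit SHA is a placeholder.

```yaml
# Added illustration, not the NuttX workflow files themselves. It places the
# form Zizmor flagged next to a corrected form for the two auto-fixable
# findings in the report above.

# --- template-injection ---------------------------------------------------
# A ${{ }} expression inside `run:` is substituted into the script text
# before the shell sees it, so a value containing shell metacharacters
# becomes part of the program. Passing it through `env:` keeps it data:
# the shell reads the variable's contents and never re-parses them.

# Flagged form (build.yml:345 in the report):
#   - run: ./cibuild.sh -i -c -A -R testlist/${{matrix.boards}}.dat

# Corrected form (variable name BOARD is an assumption):
  - name: Run CI build
    env:
      BOARD: ${{ matrix.boards }}      # expansion lands in the environment, not in the script
    run: ./cibuild.sh -i -c -A -R "testlist/${BOARD}.dat"   # quoted, so no word splitting

# Same pattern for the action input flagged in free-disk-space/action.yaml:134.
# Flagged form:
#   if [[ ${{ inputs.android }} == 'true' ]]; then
  - name: Free disk space
    shell: bash                        # composite actions must name a shell for run steps
    env:
      INPUT_ANDROID: ${{ inputs.android }}
    run: |
      if [[ "$INPUT_ANDROID" == 'true' ]]; then
        echo "android cleanup steps go here"   # body omitted; not part of the report
      fi

# --- unpinned-uses -------------------------------------------------------
# A tag such as v6 can be moved to point at different code after review;
# a full 40-hex-character commit SHA cannot. Keep the tag as a trailing
# comment so reviewers still see which release the SHA corresponds to.

# Flagged form (build.yml:98):
#   uses: actions/checkout@v6

# Corrected form (SHA below is a PLACEHOLDER; take the real one from the
# commit the v6 tag points at in the actions/checkout repository):
  - uses: actions/checkout@0000000000000000000000000000000000000000 # v6
```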
