pin dependency image to SHA256 digest (#22)
Docker-based GitHub actions are built every time [1]. This means that if
the `nnichols/clojure-dependency-update-action:latest` image is
compromised, it could result in arbitrary code execution. Pinning the
image to its current SHA256 digest [2] removes that attack vector.

[1] https://docs.github.com/en/actions/creating-actions/about-custom-actions#docker-container-actions
[2] https://hub.docker.com/layers/nnichols/clojure-dependency-update-action/latest/images/sha256-06c47e969b386796a09f296d80af705c1d8b578cae41ebe018b08a0f657d4081?context=explore
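The property this commit establishes, that a `FROM` line carries a full sha256 digest rather than a floating tag, is easy to check mechanically across a whole Dockerfile. The following POSIX shell check is an added example, not code from this commit or from the repository; the Dockerfile text it scans is constructed inline (it reuses the digest quoted above) and the function names `ref_is_pinned` and `find_unpinned_from` are the example's own.

```shell
#!/bin/sh
# Added example (not part of the commit or the repository): report every
# FROM line in a Dockerfile that is not pinned to a full sha256 digest.

# ref_is_pinned REF: returns 0 when REF ends in @sha256:<64 lowercase hex>,
# the form Docker Hub publishes, and 1 otherwise (no digest, short or
# malformed digest).
ref_is_pinned() {
  case "$1" in
    *@sha256:*) hex=${1##*@sha256:} ;;
    *) return 1 ;;
  esac
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# find_unpinned_from: reads Dockerfile text on stdin and prints each
# unpinned image reference, one per line. Returns 1 if any were found.
# `FROM scratch` and references to an earlier `FROM ... AS name` stage
# are accepted without a digest; `--platform=` flags are skipped; an
# unresolved `$VAR` reference is reported as-is so a reviewer sees it.
find_unpinned_from() {
  stages=" scratch "
  rc=0
  set -f   # no glob expansion while word-splitting instruction lines
  while IFS= read -r raw || [ -n "$raw" ]; do
    set -- $raw
    [ "$#" -gt 0 ] || continue
    case "$1" in
      [Ff][Rr][Oo][Mm]) ;;
      *) continue ;;   # comments and other instructions
    esac
    shift
    while [ "$#" -gt 0 ]; do
      case "$1" in
        --*) shift ;;  # e.g. --platform=linux/amd64
        *) break ;;
      esac
    done
    [ "$#" -gt 0 ] || continue
    ref=$1
    shift
    # remember "AS alias" so later stages may build FROM it
    if [ "$#" -ge 2 ]; then
      case "$1" in [Aa][Ss]) stages="$stages$2 " ;; esac
    fi
    case "$stages" in
      *" $ref "*) continue ;;
    esac
    ref_is_pinned "$ref" || { printf '%s\n' "$ref"; rc=1; }
  done
  set +f
  return $rc
}

# Constructed sample Dockerfile: two unpinned bases, one pinned base
# (the digest from the commit above), one stage reference, one scratch.
SAMPLE_DOCKERFILE='FROM nnichols/clojure-dependency-update-action
FROM --platform=linux/amd64 golang:1.22 AS builder
FROM nnichols/clojure-dependency-update-action@sha256:06c47e969b386796a09f296d80af705c1d8b578cae41ebe018b08a0f657d4081
FROM builder
FROM scratch
COPY dependency-check.sh /dependency-check.sh'

# unpinned_in_sample: runs the check over the constructed Dockerfile.
unpinned_in_sample() {
  printf '%s\n' "$SAMPLE_DOCKERFILE" | find_unpinned_from
}

# Usage on a real file:  find_unpinned_from < Dockerfile || echo "unpinned FROM lines above"
unpinned_in_sample
```

The check is deliberately strict about the digest format: a truncated or uppercase digest is reported as unpinned, since Docker would not resolve it to the intended image either.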
listx authored Aug 12, 2024
1 parent 179b3d1 commit 8c317ef
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,4 +1,4 @@
FROM nnichols/clojure-dependency-update-action
FROM nnichols/clojure-dependency-update-action@sha256:06c47e969b386796a09f296d80af705c1d8b578cae41ebe018b08a0f657d4081

COPY dependency-check.sh /dependency-check.sh

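Review bot: the pinned `FROM` line on the second line of the hunk drops the tag, so the Dockerfile no longer records which upstream tag the digest was taken from, and nothing will move it forward once `latest` is rebuilt; consider `FROM nnichols/clojure-dependency-update-action:latest@sha256:06c47e969b386796a09f296d80af705c1d8b578cae41ebe018b08a0f657d4081` (tag kept for readability, the digest remains authoritative) with a comment giving the date of the pin, and enable Dependabot or Renovate for the Docker ecosystem so that digest bumps arrive as reviewable pull requests rather than silently through the floating tag.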
