New rule: brave-third-party-action-not-pinned-to-commit-sha.yaml

Fixes: #309
brave · Aug 29, 2023 · 485973f · 485973f
1 parent bb574f9
commit 485973f
Show file tree

Hide file tree

Showing 5 changed files with 125 additions and 3 deletions.
diff --git a/.github/workflows/semgrep-self-test.yml b/.github/workflows/semgrep-self-test.yml
@@ -22,7 +22,7 @@ jobs:
       - run: |
           JSON=$(semgrep \
             --disable-version-check --strict --metrics=off --json \
-            $(find assets/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -path "assets/semgrep_rules/generated/*" | sed 's/^/-c /g') \
+            $(find assets/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -name '*.test.yml' -not -name '*.test.yaml' -not -path "assets/semgrep_rules/generated/*" | sed 's/^/-c /g') \
             assets/semgrep_rules/{client,services} || true)
           ERRORS=$(echo "$JSON" | jq '.errors' || true)
           BADERRS=$(echo "$ERRORS" | jq '.[] | select(.level == "error")' || true)

diff --git a/assets/reviewdog/reviewdog.yml b/assets/reviewdog/reviewdog.yml
@@ -8,7 +8,7 @@ runner:
           -c $SCRIPTPATH/semgrep_rules/generated/nonfree/vulns.yaml \
           -c $SCRIPTPATH/semgrep_rules/generated/oss/audit.yaml \
           -c $SCRIPTPATH/semgrep_rules/generated/nonfree/audit.yaml \
-          $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
+          $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -name "*.test.yml" -not -name "*.test.yaml" -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
           --metrics=off \
           --quiet \
           $([ -n "${GITHUB_BASE_REF+set}" ] && echo "--baseline-commit origin/${GITHUB_BASE_REF:-main}") \
@@ -36,7 +36,7 @@ runner:
         -c $SCRIPTPATH/semgrep_rules/generated/nonfree/vulns.yaml \
         -c $SCRIPTPATH/semgrep_rules/generated/oss/audit.yaml \
         -c $SCRIPTPATH/semgrep_rules/generated/nonfree/audit.yaml \
-        $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
+        $(find $SCRIPTPATH/semgrep_rules -name '*.yml' -or -name '*.yaml' -not -name "*.test.yml" -not -name "*.test.yaml" -not -path "$SCRIPTPATH/semgrep_rules/generated/*" | sed 's/^/-c /g') \
         --metrics=off \
         --json \
         --quiet \

diff --git a/assets/semgrep_rules/blocklist.txt b/assets/semgrep_rules/blocklist.txt
@@ -22,3 +22,4 @@ https://github.com/0xdea/semgrep-rules/blob/main/c/missing-break-in-switch.yaml
 https://semgrep.dev/r/terraform.aws.security.aws-elb-access-logs-not-enabled.aws-elb-access-logs-not-enabled
 https://github.com/0xdea/semgrep-rules/blob/main/c/mismatched-memory-management-cpp.yaml
 https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
+https://semgrep.dev/r/yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
diff --git a/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.test.yaml b/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.test.yaml
@@ -0,0 +1,74 @@
+on:
+  pull_request_target:
+  pull_request:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: actions/checkout@v2
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: actions/setup-node@master
+      - run: |
+          npm install
+          npm build
+
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: ./.github/actions/do-a-local-action
+        with:
+          arg1: ${{ secrets.supersecret1 }}
+
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: completely/fakeaction@5fd3084fc36e372ff1fff382a39b10d03659f355
+        with:
+          arg2: ${{ secrets.supersecret2 }}
+
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: docker://alpine@sha256:402d21757a03a114d273bbe372fa4b9eca567e8b6c332fa7ebf982b902207242
+
+      # ruleid: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: completely/fakeaction@5fd3084
+        with:
+          arg2: ${{ secrets.supersecret2 }}
+
+      # ruleid: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: fakerepo/comment-on-pr@v1
+        with:
+          message: |
+            Thank you!
+
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: brave-intl/test@v1
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: brave/test@v1
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: brave-experiments/test@v1
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: aws-actions/test@v1
+      # ok: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: github/test@v1
+
+      # ruleid: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: fakerepo/comment-on-pr
+        with:
+          message: |
+            Thank you!
+
+      # ruleid: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: docker://gcr.io/cloud-builders/gradle
+
+      # ruleid: brave-third-party-action-not-pinned-to-commit-sha
+      - uses: docker://alpine:3.8
+
+  build2:
+    name: Build and test using a local workflow
+    # ok: brave-third-party-action-not-pinned-to-commit-sha
+    uses: ./.github/workflows/use_a_local_workflow.yml@master
+    secrets: inherit
+    with:
+      examplearg: true
diff --git a/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml b/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml
@@ -0,0 +1,47 @@
+rules:
+  - id: brave-third-party-action-not-pinned-to-commit-sha
+    patterns:
+      - pattern-inside: "{steps: ...}"
+      - pattern: |
+          uses: "$USES"
+      - metavariable-pattern:
+          metavariable: $USES
+          language: generic
+          patterns:
+            - pattern-not-regex: ^[.]/
+            - pattern-not-regex: ^actions/
+            - pattern-not-regex: ^brave/
+            - pattern-not-regex: ^brave-intl/
+            - pattern-not-regex: ^brave-experiments/
+            - pattern-not-regex: ^github/
+            - pattern-not-regex: ^aws-actions/
+            - pattern-not-regex: "@[0-9a-f]{40}$"
+            - pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$
+    message: An action sourced from a third-party repository on GitHub is not pinned
+      to a full length commit SHA. Pinning an action to a full length commit SHA
+      is currently the only way to use an action as an immutable release.
+      Pinning to a particular SHA helps mitigate the risk of a bad actor adding
+      a backdoor to the action's repository, as they would need to generate a
+      SHA-1 collision for a valid Git object payload.
+    languages:
+      - yaml
+    severity: WARNING
+    metadata:
+      cwe:
+        - "CWE-1357: Reliance on Insufficiently Trustworthy Component"
+      owasp: A06:2021 - Vulnerable and Outdated Components
+      references:
+        - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components
+        - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
+      source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/services/brave-third-party-action-not-pinned-to-commit-sha.yaml      
+      category: security
+      technology:
+        - github-actions
+      subcategory:
+        - vuln
+      likelihood: LOW
+      impact: LOW
+      confidence: HIGH
+      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
+      vulnerability_class:
+        - Other