2 changes: 1 addition & 1 deletion docs/workflows/gh-aw-security-detector.md
@@ -21,7 +21,7 @@ Single job **scan**:

1. Checks out the **calling** repository into `target/` (the consumer workspace to scan).
2. Checks out **[elastic/oblt-aw](https://github.com/elastic/oblt-aw)** at ref `main` into `_oblt-aw/` so host scripts exist on the runner; detector scripts are not copied into consumer repos.
3. Installs **shellcheck**, **jq**, **curl**, **pip**, **actionlint** (pinned via upstream download script), **zizmor**, and **semgrep** (registry rules downloaded on first use).
3. Installs **shellcheck**, **jq**, **curl**, **pip**, **actionlint** (download script pinned to commit and verified with SHA-256 before execution), **zizmor**, and **semgrep** (registry rules downloaded on first use).
4. Optionally uses **actions/setup-node** when `target/**/package-lock.json` exists so **npm audit** can run for SEC-033.
5. Runs `_oblt-aw/scripts/obs/security-scan.sh` with argument `target`, which emits findings as `file|line|rule|severity|message` (actionlint + zizmor + semgrep + shellcheck + custom heuristics + npm audit, with per-file/line deduplication).
6. When there are findings, creates an ephemeral token then runs `_oblt-aw/scripts/obs/create-security-issues.sh` to open issues in **the caller** (`github.repository`) with label `oblt-aw/detector/security`. Findings are **grouped by rule (SEC id)**: **one issue per rule** per run, not one issue per line. The issue **title** is `[oblt-aw][security] <SEC-xxx> — findings (<YYYY-MM-DD>)`, where the date is the analysis date (UTC calendar day; the workflow sets `SECURITY_SCAN_DATE` when creating issues). The **body** lists every occurrence for that rule (file, line, severity, message). The current issue-creation step does **not** emit `oblt-aw/severity/*` labels; severity is represented in the issue body and mapped in [Security Scanning Ruleset → Severity Levels](security-scanning-ruleset.md#severity-levels).
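Review bot: the new wording on the actionlint item ("download script pinned to commit and verified with SHA-256 before execution") describes only the installer script; the actionlint binary that the installer then fetches for version 1.7.11 is not covered by that checksum, so the sentence overstates what is verified. Suggest making the scope explicit, e.g. "installer script pinned to commit and SHA-256 verified before execution; it then downloads actionlint 1.7.11", so readers do not assume the binary itself is hash-checked.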
8 changes: 7 additions & 1 deletion scripts/obs/install_security_detector_tools.sh
@@ -25,6 +25,12 @@ mkdir -p "$HOME/bin/actionlint"
cd "$HOME/bin/actionlint"
# Installer script pinned to commit (v1.7.11 tag); bump SHA when upgrading actionlint.
ACTIONLINT_DOWNLOAD_SCRIPT_SHA=393031adb9afb225ee52ae2ccd7a5af5525e03e8
ACTIONLINT_DOWNLOAD_SCRIPT_SHA256=6ea5eefacaea8c73b9ef8ea6947c2946b5d7d8af24b0f3e629ac7b42e17a7dfb
ACTIONLINT_VERSION=1.7.11
bash <(curl -fsSL "https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_DOWNLOAD_SCRIPT_SHA}/scripts/download-actionlint.bash") "${ACTIONLINT_VERSION}"
curl -fsSL \
"https://raw.githubusercontent.com/rhysd/actionlint/${ACTIONLINT_DOWNLOAD_SCRIPT_SHA}/scripts/download-actionlint.bash" \
-o download-actionlint.bash
echo "${ACTIONLINT_DOWNLOAD_SCRIPT_SHA256} download-actionlint.bash" | sha256sum -c -
bash ./download-actionlint.bash "${ACTIONLINT_VERSION}"
rm -f ./download-actionlint.bash
echo "$HOME/bin/actionlint" >> "$GITHUB_PATH"
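Review bot: the checksum line `echo "${ACTIONLINT_DOWNLOAD_SCRIPT_SHA256} download-actionlint.bash" | sha256sum -c -` only stops the script if errexit is in effect, which is not visible in this hunk; if the file does not start with `set -euo pipefail`, a mismatch prints an error and `bash ./download-actionlint.bash "${ACTIONLINT_VERSION}"` still executes the unverified script. Suggest making the abort explicit regardless of shell options, e.g. `... | sha256sum -c - || { echo "download-actionlint.bash checksum mismatch" >&2; exit 1; }`, and removing the downloaded file on that failure path as well. Smaller point: the comment "bump SHA when upgrading actionlint" now has two values to keep in sync (the commit SHA and the SHA-256 of the script); update the comment to name both so a future bump does not change the commit pin while leaving a stale digest that breaks the install.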