impostorcommit

package v0.10.0 (Latest)

This package is not in the latest version of its module.

Published: Mar 30, 2026 License: MIT Imports: 5 Imported by: 0

README

impostor-commit

Checks that a commit SHA pinned in an action reference is reachable from a branch or tag in the referenced repository.

Risk

GitHub shares object storage across forks. An attacker can create a malicious commit in a fork of a popular action and reference it using the original repository's namespace (e.g., actions/checkout@<fork-commit-sha>). The SHA resolves successfully, but the executed code was never part of the original repository's history. This is known as an "impostor commit" attack.

Because the uses line looks identical to a legitimate SHA-pinned reference, this attack is difficult to detect during code review.

Examples

Bad

steps:
  # This SHA exists only in a fork — it was never merged into actions/checkout.
  - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Good

steps:
  # This SHA belongs to the v6.0.2 tag on the actions/checkout repository.
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Pin to a commit SHA that is reachable from a branch or tag in the action's repository. This rule verifies reachability via the GitHub API. It checks both workflow files and action metadata files (composite action steps).

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CommitVerifier

type CommitVerifier interface {
	VerifyCommit(ctx context.Context, owner, repo, sha string) (bool, error)
}

CommitVerifier checks whether a commit SHA is reachable from any branch or tag in the given repository.
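As an added example (not the package's own code), the following self-contained Go program ties the README's description of the rule to the CommitVerifier interface above. It implements CommitVerifier with a constructed in-memory table standing in for the GitHub API, then scans workflow text for SHA-pinned `uses:` lines and reports every pinned commit the verifier cannot confirm is reachable from a branch or tag of the referenced repository. MapVerifier, CheckUses, Finding and the sample workflow are assumptions made for this example; the real rule's CheckWorkflow and CheckAction operate on workflow.WorkflowMapping and workflow.ActionMapping rather than on raw text.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"strings"
)

// CommitVerifier is the interface exposed by the impostorcommit package.
type CommitVerifier interface {
	VerifyCommit(ctx context.Context, owner, repo, sha string) (bool, error)
}

// MapVerifier is a constructed, offline stand-in for the GitHub-backed verifier.
// It answers from a fixed table of commits known to be reachable from a branch
// or tag of each repository. It is an assumption for this example, not the
// package's own verifier.
type MapVerifier struct {
	Reachable map[string]map[string]bool // "owner/repo" -> lowercase sha -> reachable
}

func (m MapVerifier) VerifyCommit(_ context.Context, owner, repo, sha string) (bool, error) {
	shas, ok := m.Reachable[owner+"/"+repo]
	if !ok {
		return false, fmt.Errorf("no reachability data for %s/%s", owner, repo)
	}
	return shas[strings.ToLower(sha)], nil
}

// usesRef matches a SHA-pinned `uses:` step. Tag- and branch-pinned references
// do not match and are left to other rules; a path inside the repository
// (owner/repo/sub/dir@sha) is accepted but only owner, repo and sha are captured.
var usesRef = regexp.MustCompile(`^\s*-\s*uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]*)?@([0-9a-fA-F]{40})\b`)

// Finding reports one `uses:` line whose pinned SHA could not be confirmed as
// reachable from the referenced repository.
type Finding struct {
	Line   int
	Ref    string
	Reason string
}

// CheckUses scans workflow text line by line and verifies each SHA-pinned
// action reference with v. Lookups that fail (for example an unknown
// repository) are reported as findings rather than silently passing, so a
// verifier outage cannot hide an impostor commit.
func CheckUses(ctx context.Context, v CommitVerifier, workflow string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRef.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		owner, repo, sha := m[1], m[2], m[3]
		ref := fmt.Sprintf("%s/%s@%s", owner, repo, sha)
		ok, err := v.VerifyCommit(ctx, owner, repo, sha)
		switch {
		case err != nil:
			findings = append(findings, Finding{Line: i + 1, Ref: ref, Reason: "could not verify: " + err.Error()})
		case !ok:
			findings = append(findings, Finding{Line: i + 1, Ref: ref, Reason: "commit is not reachable from any branch or tag of " + owner + "/" + repo})
		}
	}
	return findings
}

// sampleWorkflow is constructed for this example; the two SHAs are the ones
// shown in the README's Bad and Good examples.
const sampleWorkflow = `jobs:
  build:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: actions/setup-go@v5
`

// sampleVerifier treats only the v6.0.2 commit as reachable (constructed data).
var sampleVerifier = MapVerifier{Reachable: map[string]map[string]bool{
	"actions/checkout": {"de0fac2e4500dabe0009e67214ff5f5447ce83dd": true},
}}

func main() {
	for _, f := range CheckUses(context.Background(), sampleVerifier, sampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
}
```

Running it reports only the fork-only SHA on line 5 of the sample; the trailing `# v6.0.2` comment on the good line is ignored, since a comment is not evidence and only the verifier's answer counts. The tag-pinned `actions/setup-go@v5` step is skipped because this check concerns SHA pins only.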

type Rule

type Rule struct {
	Verifier CommitVerifier
}

func (*Rule) CheckAction

func (r *Rule) CheckAction(mapping workflow.ActionMapping) []*diagnostic.Error

func (*Rule) CheckWorkflow

func (r *Rule) CheckWorkflow(mapping workflow.WorkflowMapping) []*diagnostic.Error

func (*Rule) Fix (added in v0.3.0)

func (r *Rule) Fix() string

func (*Rule) ID

func (r *Rule) ID() string

func (*Rule) Online

func (r *Rule) Online() bool

func (*Rule) Required

func (r *Rule) Required() bool

func (*Rule) Why (added in v0.3.0)

func (r *Rule) Why() string
