mismatchedshatag

package
v0.8.0
Published: Mar 29, 2026 License: MIT Imports: 8 Imported by: 0

README

mismatched-sha-tag

Checks that a commit SHA pinned in an action reference matches the tag written in its inline comment.

Risk

When an action is pinned to a commit SHA with a tag comment, the comment is the primary signal reviewers use to assess which version — and which security posture — is in use. If the SHA and tag drift apart, the comment becomes a false assertion about the code being executed.

This mismatch undermines the security value of SHA pinning. A reviewer who sees # v6.0.2 may approve the workflow believing a vetted release is in use, while the actual SHA points to a different — potentially vulnerable or unaudited — commit. In a supply chain attack scenario, an attacker who gains write access to a workflow file could change the SHA to point to malicious code while leaving the tag comment unchanged to avoid detection during code review.

Examples

Bad

steps:
  # The SHA does not belong to v6.0.2 — it may be outdated or incorrect.
  - uses: actions/checkout@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 # v6.0.2

Good

steps:
  # The SHA matches the v6.0.2 tag on the actions/checkout repository.
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Pin to the full 40-character commit SHA and add the corresponding tag as an inline comment. This rule resolves the tag via the GitHub API and verifies that the two stay in sync.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Rule

type Rule struct {
	Resolver TagResolver
}

func (*Rule) CheckAction

func (r *Rule) CheckAction(mapping workflow.ActionMapping) []*diagnostic.Error

func (*Rule) CheckWorkflow

func (r *Rule) CheckWorkflow(mapping workflow.WorkflowMapping) []*diagnostic.Error

func (*Rule) Fix added in v0.3.0

func (r *Rule) Fix() string

func (*Rule) ID

func (r *Rule) ID() string

func (*Rule) Online

func (r *Rule) Online() bool

func (*Rule) Required

func (r *Rule) Required() bool

func (*Rule) Why added in v0.3.0

func (r *Rule) Why() string

type TagResolver

type TagResolver interface {
	ResolveTagSHA(ctx context.Context, owner, repo, tag string) (string, error)
}

TagResolver resolves a git tag to its commit SHA via the GitHub API. The returned SHA must be a full 40-character lowercase hexadecimal commit hash.
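The check the README describes (resolve the comment's tag, compare it with the pinned SHA) together with a TagResolver implementation, as an added example that is not the package's own code. Only the TagResolver interface signature comes from this page; `staticResolver`, `exampleResolver`, `CheckUses`, the parsing regex and the sample data are assumptions made for the example. The v6.0.2 SHA for actions/checkout is the one shown in the README's "Good" example; the other table entry and the workflow lines are constructed.

```go
package main

import (
	"context"
	"fmt"
	"regexp"
	"strings"
)

// TagResolver mirrors the interface documented on this page: it maps a git tag
// of owner/repo to a full 40-character lowercase commit SHA.
type TagResolver interface {
	ResolveTagSHA(ctx context.Context, owner, repo, tag string) (string, error)
}

// staticResolver is a constructed stand-in for a GitHub API client. It answers
// from a fixed table so the example runs offline; a real resolver would query
// the API (and should cache, since each uses: line costs a request).
type staticResolver map[string]string

func (s staticResolver) ResolveTagSHA(_ context.Context, owner, repo, tag string) (string, error) {
	sha, ok := s[owner+"/"+repo+"@"+tag]
	if !ok {
		return "", fmt.Errorf("tag %q not found on %s/%s", tag, owner, repo)
	}
	return sha, nil
}

// exampleResolver holds constructed sample data. The checkout SHA is the one the
// README's "Good" example shows for v6.0.2; the "example/upload" entry is made up.
func exampleResolver() staticResolver {
	return staticResolver{
		"actions/checkout@v6.0.2": "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
		"example/upload@v1.2.3":   "0123456789abcdef0123456789abcdef01234567",
	}
}

var (
	// usesLine matches `- uses: owner/repo[/subpath]@ref [# comment]`.
	usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)(?:/[^@\s]+)?@(\S+)(?:\s+#\s*(.*))?\s*$`)
	// fullSHA enforces the 40-character lowercase hex form the page requires.
	fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// CheckUses inspects one workflow line. It returns a finding message when the
// pinned SHA does not match the tag named in the inline comment, an empty
// string when the line is fine or out of scope (not a uses: line, not
// SHA-pinned, or no tag comment), and an error when the tag cannot be resolved
// or the resolver hands back something that is not a full SHA.
func CheckUses(ctx context.Context, r TagResolver, line string) (string, error) {
	m := usesLine.FindStringSubmatch(line)
	if m == nil {
		return "", nil // not a uses: line
	}
	owner, repo, ref, comment := m[1], m[2], m[3], strings.TrimSpace(m[4])
	if !fullSHA.MatchString(ref) {
		return "", nil // tag or branch ref: unpinned, which is a different rule's concern
	}
	fields := strings.Fields(comment)
	if len(fields) == 0 {
		return "", nil // nothing claimed, nothing to contradict
	}
	tag := fields[0] // first word of the comment is taken as the claimed tag
	want, err := r.ResolveTagSHA(ctx, owner, repo, tag)
	if err != nil {
		return "", fmt.Errorf("resolve %s/%s@%s: %w", owner, repo, tag, err)
	}
	if !fullSHA.MatchString(want) {
		return "", fmt.Errorf("resolver returned non-SHA %q for %s/%s@%s", want, owner, repo, tag)
	}
	if want != ref {
		return fmt.Sprintf("%s/%s is pinned to %s but the comment claims %s, which resolves to %s",
			owner, repo, ref, tag, want), nil
	}
	return "", nil
}

func main() {
	ctx := context.Background()
	r := exampleResolver()
	// Constructed workflow lines: the README's Bad and Good pins, plus an unpinned one.
	lines := []string{
		"  - uses: actions/checkout@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 # v6.0.2",
		"  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2",
		"  - uses: example/upload@v1.2.3 # not pinned, skipped",
	}
	for _, l := range lines {
		finding, err := CheckUses(ctx, r, l)
		fmt.Printf("%q -> finding=%q err=%v\n", l, finding, err)
	}
}
```

Resolution failures are surfaced as errors rather than silently passing, so a tag that no longer exists (or an API outage) cannot make a drifted pin look clean; the malformed-SHA check guards against a resolver that returns an abbreviated or mixed-case hash, which would otherwise produce a spurious mismatch.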
