use actioncommit map for pinnig

Author: Balijepalli Vamshi Krishna

remediation/workflow/hardenrunner/addaction.go

@@ -51,7 +51,7 @@ func AddAction(inputYaml, action string, pinActions, pinToImmutable bool, skipCo
 	}
 
 	if updated && pinActions {
-		out, _ = pin.PinAction(action, out, nil, pinToImmutable)
+		out, _ = pin.PinAction(action, out, nil, pinToImmutable, nil)
 	}
 
 	return out, updated, nil

remediation/workflow/permissions/permissions.go

@@ -25,6 +25,7 @@ type SecureWorkflowReponse struct {
 	WorkflowFetchError     bool
 	JobErrors              []JobError
 	MissingActions         []string
+	UsedActionCommitMap    bool
 }
 
 type JobError struct {

remediation/workflow/pin/pinactions.go

@@ -14,7 +14,7 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool, error) {
+func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
@@ -29,7 +29,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated = PinAction(step.Uses, out, exemptedActions, pinToImmutable)
+				out, localUpdated = PinAction(step.Uses, out, exemptedActions, pinToImmutable, actionCommitMap)
 				updated = updated || localUpdated
 			}
 		}
@@ -38,7 +38,7 @@ func PinActions(inputYaml string, exemptedActions []string, pinToImmutable bool)
 	return out, updated, nil
 }
 
-func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool) (string, bool) {
+func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutable bool, actionCommitMap map[string]string) (string, bool) {
 
 	updated := false
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
@@ -69,15 +69,29 @@ func PinAction(action, inputYaml string, exemptedActions []string, pinToImmutabl
 	tc := oauth2.NewClient(ctx, ts)
 
 	client := github.NewClient(tc)
+	var commitSHA string
+	var err error
 
-	commitSHA, _, err := client.Repositories.GetCommitSHA1(ctx, owner, repo, tagOrBranch, "")
-	if err != nil {
-		return inputYaml, updated
-	}
+	if actionCommitMap != nil && actionCommitMap[action] != "" {
+		actionWithCommit := actionCommitMap[action]
+		commitSHA = strings.Split(actionWithCommit, "@")[1]
+
+		if !semanticTagRegex.MatchString(tagOrBranch) {
+			tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
+			if err != nil {
+				return inputYaml, updated
+			}
+		}
+	} else {
+		commitSHA, _, err = client.Repositories.GetCommitSHA1(ctx, owner, repo, tagOrBranch, "")
+		if err != nil {
+			return inputYaml, updated
+		}
+		tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
+		if err != nil {
+			return inputYaml, updated
+		}
 
-	tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
-	if err != nil {
-		return inputYaml, updated
 	}
 
 	// pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)

remediation/workflow/pin/pinactions_test.go

@@ -239,6 +239,21 @@ func TestPinActions(t *testing.T) {
 			}
 		})
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans-vamshi/close-issue/commits/v1",
+		httpmock.NewStringResponder(200, `a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans-vamshi/close-issue/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v1.0.4",
+					"object": {
+					"sha": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam",
+					"type": "commit"
+					}
+				}
+			]`))
+
 	// Mock manifest endpoints for specific versions and commit hashes
 	manifestResponders := []string{
 		// the following list will contain the list of actions with versions
@@ -296,15 +311,28 @@ func TestPinActions(t *testing.T) {
 		{fileName: "exemptaction.yml", wantUpdated: true, exemptedActions: []string{"actions/checkout", "rohith/*"}, pinToImmutable: true},
 		{fileName: "donotpintoimmutable.yml", wantUpdated: true, pinToImmutable: false},
 		{fileName: "invertedcommas.yml", wantUpdated: true, pinToImmutable: false},
+		{fileName: "pinusingmap.yml", wantUpdated: true, pinToImmutable: true},
 	}
 	for _, tt := range tests {
+
+		var output string
+		var gotUpdated bool
+		var err error
+		var actionCommitMap map[string]string
+
 		input, err := ioutil.ReadFile(path.Join(inputDirectory, tt.fileName))
 
 		if err != nil {
 			log.Fatal(err)
 		}
 
-		output, gotUpdated, err := PinActions(string(input), tt.exemptedActions, tt.pinToImmutable)
+		if tt.fileName == "pinusingmap.yml" {
+			actionCommitMap = map[string]string{
+				"peter-evans-vamshi/close-issue@v1": "peter-evans-vamshi/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam",
+			}
+		}
+
+		output, gotUpdated, err = PinActions(string(input), tt.exemptedActions, tt.pinToImmutable, actionCommitMap)
 		if tt.wantUpdated != gotUpdated {
 			t.Errorf("test failed wantUpdated %v did not match gotUpdated %v", tt.wantUpdated, gotUpdated)
 		}

remediation/workflow/secureworkflow.go

@@ -18,13 +18,13 @@ const (
 )
 
 func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI, params ...interface{}) (*permissions.SecureWorkflowReponse, error) {
-	pinActions, addHardenRunner, addPermissions, addProjectComment, replaceMaintainedActions := true, true, true, true, false
-	pinnedActions, addedHardenRunner, addedPermissions, replacedMaintainedActions := false, false, false, false
+	pinActions, addHardenRunner, addPermissions, addProjectComment, replaceMaintainedActions, useActionCommitMap := true, true, true, true, false, false
+	pinnedActions, addedHardenRunner, addedPermissions, replacedMaintainedActions, usedActionCommitMap := false, false, false, false, false
 	ignoreMissingKBs := false
 	enableLogging := false
 	addEmptyTopLevelPermissions := false
 	skipHardenRunnerForContainers := false
-	exemptedActions, pinToImmutable, maintainedActionsMap := []string{}, false, map[string]string{}
+	exemptedActions, pinToImmutable, maintainedActionsMap, actionCommitMap := []string{}, false, map[string]string{}, map[string]string{}
 
 	if len(params) > 0 {
 		if v, ok := params[0].([]string); ok {
@@ -41,6 +41,11 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 			maintainedActionsMap = v
 		}
 	}
+	if len(params) > 3 {
+		if v, ok := params[3].(map[string]string); ok {
+			actionCommitMap = v
+		}
+	}
 
 	if queryStringParams["pinActions"] == "false" {
 		pinActions = false
@@ -138,12 +143,22 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 		}
 	}
 
+	if useActionCommitMap {
+		if enableLogging {
+			log.Printf("Using action commit map")
+		}
+		secureWorkflowReponse.FinalOutput, usedActionCommitMap, err = pin.PinActions(secureWorkflowReponse.FinalOutput, []string{}, false, actionCommitMap)
+		if err != nil {
+			log.Printf("Error pinning actions using commit map: %v", err)
+			secureWorkflowReponse.HasErrors = true
+		}
+	}
 	if pinActions {
 		if enableLogging {
 			log.Printf("Pinning GitHub Actions")
 		}
 		pinnedAction, pinnedDocker := false, false
-		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable)
+		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions, pinToImmutable, nil)
 		secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
 		pinnedActions = pinnedAction || pinnedDocker
 		if enableLogging {
@@ -174,12 +189,15 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 	secureWorkflowReponse.AddedHardenRunner = addedHardenRunner
 	secureWorkflowReponse.AddedPermissions = addedPermissions
 	secureWorkflowReponse.AddedMaintainedActions = replacedMaintainedActions
+	secureWorkflowReponse.UsedActionCommitMap = usedActionCommitMap
 
 	if enableLogging {
-		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, HasErrors: %v",
+		log.Printf("SecureWorkflow complete - PinnedActions: %v, AddedHardenRunner: %v, AddedPermissions: %v, AddedMaintainedActions: %v, UsedActionCommitMap: %v, HasErrors: %v",
 			secureWorkflowReponse.PinnedActions,
 			secureWorkflowReponse.AddedHardenRunner,
 			secureWorkflowReponse.AddedPermissions,
+			secureWorkflowReponse.AddedMaintainedActions,
+			secureWorkflowReponse.UsedActionCommitMap,
 			secureWorkflowReponse.HasErrors)
 	}
 

testfiles/pinactions/input/pinusingmap.yml

@@ -0,0 +1,22 @@
+name: "close issue"
+
+on:
+  push:
+  
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Close Issue
+      uses: peter-evans-vamshi/close-issue@v1
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+
+    - name: Close Issue
+      uses: peter-evans/close-issue@v1
+      with:
+       issue-number: 1
+       comment: Auto-closing issue

testfiles/pinactions/output/pinusingmap.yml

@@ -0,0 +1,22 @@
+name: "close issue"
+
+on:
+  push:
+  
+
+jobs:
+  closeissue:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Close Issue
+      uses: peter-evans-vamshi/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53vam # v1.0.4
+      with:
+       issue-number: 1
+       comment: Auto-closing issue
+
+    - name: Close Issue
+      uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
+      with:
+       issue-number: 1
+       comment: Auto-closing issue