skip pinning for actions present in exemption list

Author: shubham-stepsecurity

main.go

@@ -128,7 +128,7 @@ func (h Handler) Invoke(ctx context.Context, req []byte) ([]byte, error) {
 				inputYaml = httpRequest.Body
 			}
 
-			fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, inputYaml, dynamoDbSvc)
+			fixResponse, err := workflow.SecureWorkflow(httpRequest.QueryStringParameters, nil, inputYaml, dynamoDbSvc)
 
 			if err != nil {
 				response = events.APIGatewayProxyResponse{

remediation/workflow/hardenrunner/addaction.go

@@ -47,7 +47,7 @@ func AddAction(inputYaml, action string, pinActions bool) (string, bool, error)
 	}
 
 	if updated && pinActions {
-		out, _ = pin.PinAction(action, out)
+		out, _ = pin.PinAction(action, out, nil)
 	}
 
 	return out, updated, nil

remediation/workflow/pin/pinactions.go

@@ -13,9 +13,14 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
-func PinActions(inputYaml string) (string, bool, error) {
+func PinActions(inputYaml string, exemptedActions []string) (string, bool, error) {
 	workflow := metadata.Workflow{}
 	updated := false
+	exemptedActionsMap := make(map[string]bool)
+	for _, exemptedAction := range exemptedActions {
+		exemptedAction = strings.TrimRight(exemptedAction, "/")
+		exemptedActionsMap[exemptedAction] = true
+	}
 	err := yaml.Unmarshal([]byte(inputYaml), &workflow)
 	if err != nil {
 		return inputYaml, updated, fmt.Errorf("unable to parse yaml %v", err)
@@ -28,7 +33,7 @@ func PinActions(inputYaml string) (string, bool, error) {
 		for _, step := range job.Steps {
 			if len(step.Uses) > 0 {
 				localUpdated := false
-				out, localUpdated = PinAction(step.Uses, out)
+				out, localUpdated = PinAction(step.Uses, out, exemptedActionsMap)
 				updated = updated || localUpdated
 			}
 		}
@@ -37,7 +42,7 @@ func PinActions(inputYaml string) (string, bool, error) {
 	return out, updated, nil
 }
 
-func PinAction(action, inputYaml string) (string, bool) {
+func PinAction(action, inputYaml string, exemptedActionsMap map[string]bool) (string, bool) {
 
 	updated := false
 	if !strings.Contains(action, "@") || strings.HasPrefix(action, "docker://") {
@@ -50,6 +55,11 @@ func PinAction(action, inputYaml string) (string, bool) {
 	leftOfAt := strings.Split(action, "@")
 	tagOrBranch := leftOfAt[1]
 
+	// skip pinning for exempted actions
+	if exemptedActionsMap[leftOfAt[0]] {
+		return inputYaml, updated
+	}
+
 	splitOnSlash := strings.Split(leftOfAt[0], "/")
 	owner := splitOnSlash[0]
 	repo := splitOnSlash[1]

remediation/workflow/pin/pinactions_test.go

@@ -284,7 +284,7 @@ func TestPinActions(t *testing.T) {
 			log.Fatal(err)
 		}
 
-		output, gotUpdated, err := PinActions(string(input))
+		output, gotUpdated, err := PinActions(string(input), nil)
 		if tt.wantUpdated != gotUpdated {
 			t.Errorf("test failed wantUpdated %v did not match gotUpdated %v", tt.wantUpdated, gotUpdated)
 		}

remediation/workflow/secureworkflow.go

@@ -13,7 +13,7 @@ const (
 	HardenRunnerActionName        = "Harden Runner"
 )
 
-func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc dynamodbiface.DynamoDBAPI) (*permissions.SecureWorkflowReponse, error) {
+func SecureWorkflow(queryStringParams map[string]string, exemptedActions []string, inputYaml string, svc dynamodbiface.DynamoDBAPI) (*permissions.SecureWorkflowReponse, error) {
 	pinActions, addHardenRunner, addPermissions, addProjectComment := true, true, true, true
 	pinnedActions, addedHardenRunner, addedPermissions := false, false, false
 	ignoreMissingKBs := false
@@ -68,7 +68,7 @@ func SecureWorkflow(queryStringParams map[string]string, inputYaml string, svc d
 
 	if pinActions {
 		pinnedAction, pinnedDocker := false, false
-		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput)
+		secureWorkflowReponse.FinalOutput, pinnedAction, _ = pin.PinActions(secureWorkflowReponse.FinalOutput, exemptedActions)
 		secureWorkflowReponse.FinalOutput, pinnedDocker, _ = pin.PinDocker(secureWorkflowReponse.FinalOutput)
 		pinnedActions = pinnedAction || pinnedDocker
 	}

remediation/workflow/secureworkflow_test.go

@@ -148,7 +148,7 @@ func TestSecureWorkflow(t *testing.T) {
 		}
 		queryParams["addProjectComment"] = "false"
 
-		output, err := SecureWorkflow(queryParams, string(input), &mockDynamoDBClient{})
+		output, err := SecureWorkflow(queryParams, nil, string(input), &mockDynamoDBClient{})
 
 		if err != nil {
 			t.Errorf("Error not expected")