Add immutable action check

.github/workflows/code-review.yml

@@ -20,4 +20,4 @@ jobs:
             int.api.stepsecurity.io:443
 
       - name: Code Review
-        uses: step-security/ai-codewise@int
+        uses: step-security/ai-codewise@ab9fe138367d6094b2df7f8469ddc2c5a79c9cf4 # int

.github/workflows/kb-test.yml

@@ -14,7 +14,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v1
+      - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
         with:
           allowed-endpoints: >
             api.github.com:443

.github/workflows/release.yml

@@ -33,7 +33,7 @@ jobs:
         env: 
           PAT: ${{ secrets.PAT }} 
 
-      - uses: step-security/wait-for-secrets@1204ba02d7a707c4ef2e906d2ea1e36eebd9bbd2
+      - uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef
         id: wait-for-secrets
         with:
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

knowledge-base/actions/homebrew/actions/remove-disabled-packages/action-security.yml

@@ -0,0 +1,2 @@
+name: Remove disabled packages # Homebrew/actions/remove-disabled-packages
+# GITHUB_TOKEN not used

remediation/dependabot/dependabotconfig.go

@@ -105,7 +105,7 @@ func UpdateDependabotConfig(dependabotConfig string) (*UpdateDependabotConfigRes
 	for _, Update := range updateDependabotConfigRequest.Ecosystems {
 		updateAlreadyExist := false
 		for _, update := range configMetadata.Updates {
-			if update.PackageEcosystem == Update.PackageEcosystem && update.Directory == Update.Directory {
+			if update.PackageEcosystem == Update.PackageEcosystem && (update.Directory == Update.Directory || update.Directory == Update.Directory+"/") {
 				updateAlreadyExist = true
 				break
 			}

remediation/dependabot/dependabotconfig_test.go

@@ -48,6 +48,11 @@ func TestConfigDependabotFile(t *testing.T) {
 			Ecosystems: []Ecosystem{{"npm", "/sample", "daily"}},
 			isChanged:  true,
 		},
+		{
+			fileName:   "extra-slash.yml",
+			Ecosystems: []Ecosystem{{"npm", "/sample", "daily"}},
+			isChanged:  false,
+		},
 	}
 
 	for _, test := range tests {

remediation/workflow/metadata/actionmetadata.go

@@ -30,6 +30,7 @@ type Step struct {
 type Job struct {
 	Permissions Permissions `yaml:"permissions"`
 	Uses        string      `yaml:"uses"`
+	Env         Env         `yaml:"env"`
 	// RunsOn      []string    `yaml:"runs-on"`
 	Steps []Step `yaml:"steps"`
 }

remediation/workflow/metadata/actionmetadata_test.go

@@ -181,6 +181,7 @@ func TestKnowledgeBase(t *testing.T) {
 
 func doesActionRepoExist(filePath string) bool {
 	splitOnSlash := strings.Split(filePath, "/")
+
 	owner := splitOnSlash[5]
 	repo := splitOnSlash[6]
 

remediation/workflow/permissions/permissions.go

@@ -38,6 +38,7 @@ const errorMissingAction = "KnownIssue-4: Action %s is not in the knowledge base
 const errorAlreadyHasPermissions = "KnownIssue-5: Permissions were not added to the job since it already had permissions defined"
 const errorDockerAction = "KnownIssue-6: Action %s is a docker action which uses Github token. Docker actions that uses token are not supported"
 const errorReusableWorkflow = "KnownIssue-7: Action %s is a reusable workflow. Reusable workflows are not supported as of now."
+const errorGithubTokenInJobEnv = "KnownIssue-8: Permissions were not added to the jobs since it has GITHUB_TOKEN in job level env variable"
 const errorIncorrectYaml = "Unable to parse the YAML workflow file"
 
 // To avoid a typo while adding the permissions
@@ -78,6 +79,15 @@ func alreadyHasWorkflowPermissions(workflow metadata.Workflow) bool {
 	return workflow.Permissions.IsSet
 }
 
+func githubTokenInJobLevelEnv(job metadata.Job) bool {
+	for _, envValue := range job.Env {
+		if strings.Contains(envValue, "secrets.GITHUB_TOKEN") || strings.Contains(envValue, "github.token") {
+			return true
+		}
+	}
+	return false
+}
+
 func AddWorkflowLevelPermissions(inputYaml string, addProjectComment bool) (string, error) {
 	workflow := metadata.Workflow{}
 
@@ -177,6 +187,12 @@ func AddJobLevelPermissions(inputYaml string) (*SecureWorkflowReponse, error) {
 			continue
 		}
 
+		if githubTokenInJobLevelEnv(job) {
+			fixWorkflowPermsReponse.HasErrors = true
+			errors[jobName] = append(errors[jobName], errorGithubTokenInJobEnv)
+			continue
+		}
+
 		if metadata.IsCallingReusableWorkflow(job) {
 			fixWorkflowPermsReponse.HasErrors = true
 			errors[jobName] = append(errors[jobName], fmt.Sprintf(errorReusableWorkflow, job.Uses))

remediation/workflow/pin/action_image_manifest.go

@@ -0,0 +1,112 @@
+package pin
+
+import (
+	"encoding/json"
+	"fmt"
+	"regexp"
+	"strings"
+
+	"net/http"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	githubImmutableActionArtifactType = "application/vnd.github.actions.package.v1+json"
+	semanticTagRegex                  = regexp.MustCompile(`v[0-9]+\.[0-9]+\.[0-9]+$`)
+)
+
+type ociManifest struct {
+	ArtifactType string `json:"artifactType"`
+}
+
+// isImmutableAction checks if the action is an immutable action or not
+// It queries the OCI manifest for the action and checks if the artifact type is "application/vnd.github.actions.package.v1+json"
+//
+// Example usage:
+//
+//	# Immutable action (returns true)
+//	isImmutableAction("actions/[email protected]")
+//
+//	# Non-Immutable action (returns false)
+//	isImmutableAction("actions/[email protected]")
+//
+// REF - https://github.com/actions/publish-immutable-action/issues/216#issuecomment-2549914784
+func IsImmutableAction(action string) bool {
+
+	artifactType, err := getOCIImageArtifactTypeForGhAction(action)
+	if err != nil {
+		// log the error
+		logrus.WithFields(logrus.Fields{"action": action}).WithError(err).Error("error in getting OCI manifest for image")
+		return false
+	}
+
+	if artifactType == githubImmutableActionArtifactType {
+		return true
+	}
+	return false
+
+}
+
+// getOCIImageArtifactTypeForGhAction retrieves the artifact type from a GitHub Action's OCI manifest.
+// This function is used to determine if an action is immutable by checking its artifact type.
+//
+// Example usage:
+//
+//	# Immutable action (returns "application/vnd.github.actions.package.v1+json", nil)
+//	artifactType, err := getOCIImageArtifactTypeForGhAction("actions/[email protected]")
+//
+// Returns:
+//   - artifactType: The artifact type string from the OCI manifest
+//   - error: An error if the action format is invalid or if there's a problem retrieving the manifest
+func getOCIImageArtifactTypeForGhAction(action string) (string, error) {
+
+	// Split the action into parts (e.g., "actions/checkout@v2" -> ["actions/checkout", "v2"])
+	parts := strings.Split(action, "@")
+	if len(parts) != 2 {
+		return "", fmt.Errorf("invalid action format")
+	}
+
+	// convert v1.x.x to 1.x.x which is
+	// use regexp to match tag version format and replace v in prefix
+	// as immutable actions image tag is in format 1.x.x (without v prefix)
+	// REF - https://github.com/actions/publish-immutable-action/issues/216#issuecomment-2549914784
+	if semanticTagRegex.MatchString(parts[1]) {
+		// v1.x.x -> 1.x.x
+		parts[1] = strings.TrimPrefix(parts[1], "v")
+	}
+
+	// Convert GitHub action to GHCR image reference using proper OCI reference format
+	image := fmt.Sprintf("ghcr.io/%s:%s", parts[0], parts[1])
+	imageManifest, err := getOCIManifestForImage(image)
+	if err != nil {
+		return "", err
+	}
+
+	var ociManifest ociManifest
+	err = json.Unmarshal([]byte(imageManifest), &ociManifest)
+	if err != nil {
+		return "", err
+	}
+	return ociManifest.ArtifactType, nil
+}
+
+// getOCIManifestForImage retrieves the artifact type from the OCI image manifest
+func getOCIManifestForImage(imageRef string) (string, error) {
+
+	// Parse the image reference
+	ref, err := name.ParseReference(imageRef)
+	if err != nil {
+		return "", fmt.Errorf("error parsing reference: %v", err)
+	}
+
+	// Get the image manifest
+	desc, err := remote.Get(ref, remote.WithTransport(http.DefaultTransport))
+	if err != nil {
+		return "", fmt.Errorf("error getting manifest: %v", err)
+	}
+
+	return string(desc.Manifest), nil
+}

remediation/workflow/pin/action_image_manifest_test.go

@@ -0,0 +1,163 @@
+package pin
+
+import (
+	"crypto/tls"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+type customTransport struct {
+	base    http.RoundTripper
+	baseURL string
+}
+
+func (t *customTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if strings.Contains(req.URL.Host, "ghcr.io") {
+		req2 := req.Clone(req.Context())
+		req2.URL.Scheme = "https"
+		req2.URL.Host = strings.TrimPrefix(t.baseURL, "https://")
+		return t.base.RoundTrip(req2)
+	}
+	return t.base.RoundTrip(req)
+}
+
+func createGhesTestServer(t *testing.T) *httptest.Server {
+	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		w.Header().Set("Content-Type", "application/json")
+
+		if !strings.Contains(r.Host, "ghcr.io") {
+			w.WriteHeader(http.StatusNotFound)
+			return
+		}
+		// Mock manifest endpoints
+		switch r.URL.Path {
+
+		case "/v2/": // simulate ping request
+			w.WriteHeader(http.StatusOK)
+
+		case "/token":
+			// for immutable actions, since image will be present in registry...it returns 200 OK with token
+			// otherwise it returns 403 Forbidden
+			scope := r.URL.Query().Get("scope")
+			switch scope {
+			case "repository:actions/checkout:pull":
+				fallthrough
+			case "repository:step-security/wait-for-secrets:pull":
+
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte(`{"token": "test-token", "access_token": "test-token"}`))
+			default:
+				w.WriteHeader(http.StatusForbidden)
+				w.Write([]byte(`{"errors": [{"code": "DENIED", "message": "requested access to the resource is denied"}]}`))
+			}
+
+		case "/v2/actions/checkout/manifests/4.2.2":
+			fallthrough
+		case "/v2/actions/checkout/manifests/1.2.0":
+			fallthrough
+		case "/v2/step-security/wait-for-secrets/manifests/1.2.0":
+			w.Write(readHttpResponseForAction(t, r.URL.Path))
+		case "/v2/actions/checkout/manifests/1.2.3": // since this version doesn't exist
+			fallthrough
+		default:
+			w.WriteHeader(http.StatusNotFound)
+			w.Write(readHttpResponseForAction(t, "default"))
+		}
+	}))
+}
+
+func Test_isImmutableAction(t *testing.T) {
+	// Create test server that mocks GitHub Container Registry
+	server := createGhesTestServer(t)
+	defer server.Close()
+
+	// Create a custom client that redirects ghcr.io to our test server
+	originalClient := http.DefaultClient
+	http.DefaultClient = &http.Client{
+		Transport: &customTransport{
+			base: &http.Transport{
+				TLSClientConfig: &tls.Config{
+					InsecureSkipVerify: true,
+				},
+			},
+			baseURL: server.URL,
+		},
+	}
+
+	// update default transport
+	OriginalTransport := http.DefaultTransport
+	http.DefaultTransport = http.DefaultClient.Transport
+
+	defer func() {
+		http.DefaultClient = originalClient
+		http.DefaultTransport = OriginalTransport
+	}()
+
+	tests := []struct {
+		name   string
+		action string
+		want   bool
+	}{
+		{
+			name:   "immutable action - 1",
+			action: "actions/[email protected]",
+			want:   true,
+		},
+		{
+			name:   "immutable action - 2",
+			action: "step-security/[email protected]",
+			want:   true,
+		},
+		{
+			name:   "non immutable action(valid action)",
+			action: "sailikhith-stepsecurity/[email protected]",
+			want:   false,
+		},
+		{
+			name:   "non immutable action(invalid action)",
+			action: "sailikhith-stepsecurity/[email protected]",
+			want:   false,
+		},
+		{
+			name:   " action with release tag doesn't exist",
+			action: "actions/[email protected]",
+			want:   false,
+		},
+		{
+			name:   "invalid action format",
+			action: "invalid-format",
+			want:   false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+
+			got := IsImmutableAction(tt.action)
+			if got != tt.want {
+				t.Errorf("isImmutableAction() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func readHttpResponseForAction(t *testing.T, actionPath string) []byte {
+	// remove v2 prefix from action path
+	actionPath = strings.TrimPrefix(actionPath, "/v2/")
+
+	fileName := strings.ReplaceAll(actionPath, "/", "-") + ".json"
+	testFilesDir := "../../../testfiles/pinactions/immutableActionResponses/"
+	respFilePath := filepath.Join(testFilesDir, fileName)
+
+	resp, err := ioutil.ReadFile(respFilePath)
+	if err != nil {
+		t.Fatalf("error reading test file:%v", err)
+	}
+
+	return resp
+}