step-security · varunsh-coder · Nov 21, 2022 · Nov 4, 2022 · Nov 19, 2022 · Nov 21, 2022
diff --git a/remediation/workflow/pin/pinactions.go b/remediation/workflow/pin/pinactions.go
@@ -68,7 +68,12 @@ func pinAction(action, jobName, inputYaml string) (string, bool) {
 		return inputYaml, updated
 	}
 
-	pinnedAction := fmt.Sprintf("%s@%s", leftOfAt[0], commitSHA)
+	tagOrBranch, err = getSemanticVersion(client, owner, repo, tagOrBranch, commitSHA)
+	if err != nil {
+		return inputYaml, updated
+	}
+
+	pinnedAction := fmt.Sprintf("%s@%s # %s", leftOfAt[0], commitSHA, tagOrBranch)
 	updated = !strings.EqualFold(action, pinnedAction)
 	inputYaml = strings.ReplaceAll(inputYaml, action, pinnedAction)
 	return inputYaml, updated
@@ -100,3 +105,33 @@ func isAllHex(s string) bool {
 	}
 	return true
 }
+
+func getSemanticVersion(client *github.Client, owner, repo, tagOrBranch, commitSHA string) (string, error) {
+	tags, _, err := client.Git.ListMatchingRefs(context.Background(), owner, repo, &github.ReferenceListOptions{
+		Ref: fmt.Sprintf("tags/%s.", tagOrBranch),
+		ListOptions: github.ListOptions{
+			PerPage: 100,
+		},
+	})
+	if err != nil {
+		return "", err
+	}
+
+	for i := len(tags) - 1; i >= 0; i-- {
+		tag := strings.TrimPrefix(*tags[i].Ref, "refs/tags/")
+		if *tags[i].Object.Type == "commit" {
+			if commitSHA == *tags[i].Object.SHA {
+				return tag, nil
+			}
+		} else {
+			commitsha, _, err := client.Repositories.GetCommitSHA1(context.Background(), owner, repo, tag, "")
+			if err != nil {
+				return "", err
+			}
+			if commitSHA == commitsha {
+				return tag, nil
+			}
+		}
+	}
+	return tagOrBranch, nil
+}
diff --git a/remediation/workflow/pin/pinactions_test.go b/remediation/workflow/pin/pinactions_test.go
@@ -19,30 +19,158 @@ func TestPinActions(t *testing.T) {
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans/close-issue/commits/v1",
 		httpmock.NewStringResponder(200, `a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/peter-evans/close-issue/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v1.0.3",
+					"object": {
+					"sha": "a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe",
+					"type": "commit"
+					}
+				}
+			]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/master",
 		httpmock.NewStringResponder(200, `61b9e3751b92087fd0b06925ba6dd6314e06f089`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/git/matching-refs/tags/master.",
+		httpmock.NewStringResponder(200, `[]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/elgohr/Publish-Docker-Github-Action/commits/master",
 		httpmock.NewStringResponder(200, `8217e91c0369a5342a4ef2d612de87492410a666`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/elgohr/Publish-Docker-Github-Action/git/matching-refs/tags/master.",
+		httpmock.NewStringResponder(200, `[]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/borales/actions-yarn/commits/v2.3.0",
 		httpmock.NewStringResponder(200, `4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/borales/actions-yarn/git/matching-refs/tags/v2.3.0.",
+		httpmock.NewStringResponder(200, `[]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/v1",
 		httpmock.NewStringResponder(200, `544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+				  "ref": "refs/tags/v1.0.0",
+				  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4wLjA=",
+				  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.0.0",
+				  "object": {
+					"sha": "af513c7a016048ae468971c52ed77d9562c7c819",
+					"type": "commit",
+					"url": "https://api.github.com/repos/actions/checkout/git/commits/af513c7a016048ae468971c52ed77d9562c7c819"
+				  }
+				},
+				{
+				  "ref": "refs/tags/v1.1.0",
+				  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4xLjA=",
+				  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.1.0",
+				  "object": {
+					"sha": "ec3afacf7f605c9fc12c70bc1c9e1708ddb99eca",
+					"type": "tag",
+					"url": "https://api.github.com/repos/actions/checkout/git/tags/ec3afacf7f605c9fc12c70bc1c9e1708ddb99eca"
+				  }
+				},
+				{
+				  "ref": "refs/tags/v1.2.0",
+				  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4yLjA=",
+				  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.2.0",
+				  "object": {
+					"sha": "a2ca40438991a1ab62db1b7cad0fd4e36a2ac254",
+					"type": "tag",
+					"url": "https://api.github.com/repos/actions/checkout/git/tags/a2ca40438991a1ab62db1b7cad0fd4e36a2ac254"
+				  }
+				}
+			  ]`),
+	)
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/v1.2.0",
+		httpmock.NewStringResponder(200, `544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/setup-node/commits/v1",
 		httpmock.NewStringResponder(200, `f1f314fca9dfce2769ece7d933488f076716723e`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/setup-node/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v1.4.6",
+					"object": {
+					  "sha": "f1f314fca9dfce2769ece7d933488f076716723e",
+					  "type": "commit"
+					}
+				  }
+			]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/JS-DevTools/npm-publish/commits/v1",
 		httpmock.NewStringResponder(200, `0f451a94170d1699fd50710966d48fb26194d939`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/JS-DevTools/npm-publish/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v1.4.3",
+					"object": {
+					  "sha": "0f451a94170d1699fd50710966d48fb26194d939",
+					  "type": "commit"
+					}
+				  }
+			]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/brandedoutcast/publish-nuget/commits/v2",
 		httpmock.NewStringResponder(200, `c12b8546b67672ee38ac87bea491ac94a587f7cc`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/brandedoutcast/publish-nuget/git/matching-refs/tags/v2.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v2.5.3",
+					"node_id": "MDM6UmVmMjI4MTk2ODk5OnJlZnMvdGFncy92Mi41LjM=",
+					"url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/refs/tags/v2.5.3",
+					"object": {
+					  "sha": "4637c3bdd3fb4c052235299664c57b14c398cbd0",
+					  "type": "commit",
+					  "url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/commits/4637c3bdd3fb4c052235299664c57b14c398cbd0"
+					}
+				},
+				{
+					"ref": "refs/tags/v2.5.4",
+					"node_id": "MDM6UmVmMjI4MTk2ODk5OnJlZnMvdGFncy92Mi41LjQ=",
+					"url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/refs/tags/v2.5.4",
+					"object": {
+					  "sha": "108c10b32aa03efa5f71af6a233dc2e8e32845cb",
+					  "type": "commit",
+					  "url": "https://api.github.com/repos/brandedoutcast/publish-nuget/git/commits/108c10b32aa03efa5f71af6a233dc2e8e32845cb"
+					}
+				},
+				{
+					"ref": "refs/tags/v2.5.5",
+					"object": {
+					  "sha": "c12b8546b67672ee38ac87bea491ac94a587f7cc",
+					  "type": "commit"
+					}
+				}
+			]`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/rohith/publish-nuget/commits/v2",
 		httpmock.NewStringResponder(200, `c12b8546b67672ee38ac87bea491ac94a587f7cc`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/rohith/publish-nuget/git/matching-refs/tags/v2.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v2.5.5",
+					"object": {
+					  "sha": "c12b8546b67672ee38ac87bea491ac94a587f7cc",
+					  "type": "commit"
+					}
+				  }
+			]`))
+
 	tests := []struct {
 		fileName    string
 		wantUpdated bool

diff --git a/remediation/workflow/secureworkflow_test.go b/remediation/workflow/secureworkflow_test.go
@@ -20,12 +20,93 @@ func TestSecureWorkflow(t *testing.T) {
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/v1",
 		httpmock.NewStringResponder(200, `544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/git/matching-refs/tags/v1.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+				  "ref": "refs/tags/v1.0.0",
+				  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4wLjA=",
+				  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.0.0",
+				  "object": {
+					"sha": "af513c7a016048ae468971c52ed77d9562c7c819",
+					"type": "commit",
+					"url": "https://api.github.com/repos/actions/checkout/git/commits/af513c7a016048ae468971c52ed77d9562c7c819"
+				  }
+				},
+				{
+				  "ref": "refs/tags/v1.1.0",
+				  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4xLjA=",
+				  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.1.0",
+				  "object": {
+					"sha": "ec3afacf7f605c9fc12c70bc1c9e1708ddb99eca",
+					"type": "tag",
+					"url": "https://api.github.com/repos/actions/checkout/git/tags/ec3afacf7f605c9fc12c70bc1c9e1708ddb99eca"
+				  }
+				},
+				{
+				  "ref": "refs/tags/v1.2.0",
+				  "node_id": "MDM6UmVmMTk3ODE0NjI5OnJlZnMvdGFncy92MS4yLjA=",
+				  "url": "https://api.github.com/repos/actions/checkout/git/refs/tags/v1.2.0",
+				  "object": {
+					"sha": "a2ca40438991a1ab62db1b7cad0fd4e36a2ac254",
+					"type": "tag",
+					"url": "https://api.github.com/repos/actions/checkout/git/tags/a2ca40438991a1ab62db1b7cad0fd4e36a2ac254"
+				  }
+				}
+			  ]`),
+	)
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/actions/checkout/commits/v1.2.0",
+		httpmock.NewStringResponder(200, `544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9`))
+
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/harden-runner/commits/v2",
-		httpmock.NewStringResponder(200, `7206db2ec98c5538323a6d70e51f965d55c11c87`))
+		httpmock.NewStringResponder(200, `ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5`))
+
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/step-security/harden-runner/git/matching-refs/tags/v2.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+				  "ref": "refs/tags/v2.0.0",
+				  "node_id": "REF_kwDOGSuXyrByZWZzL3RhZ3MvdjIuMC4w",
+				  "url": "https://api.github.com/repos/step-security/harden-runner/git/refs/tags/v2.0.0",
+				  "object": {
+					"sha": "ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5",
+					"type": "commit",
+					"url": "https://api.github.com/repos/step-security/harden-runner/git/commits/ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5"
+				  }
+				}
+			  ]`),
+	)
 
 	httpmock.RegisterResponder("GET", "https://api.github.com/repos/github/super-linter/commits/v3",
 		httpmock.NewStringResponder(200, `34b2f8032d759425f6b42ea2e52231b33ae05401`))
 
+	httpmock.RegisterResponder("GET", "https://api.github.com/repos/github/super-linter/git/matching-refs/tags/v3.",
+		httpmock.NewStringResponder(200,
+			`[
+				{
+					"ref": "refs/tags/v3.17.0",
+					"node_id": "MDM6UmVmMjE2NTgxNTY3OnJlZnMvdGFncy92My4xNy4w",
+					"url": "https://api.github.com/repos/github/super-linter/git/refs/tags/v3.17.0",
+					"object": {
+					  "sha": "28cfebb84fd6dd9e8773b5efe5ac0f8f3714f228",
+					  "type": "commit",
+					  "url": "https://api.github.com/repos/github/super-linter/git/commits/28cfebb84fd6dd9e8773b5efe5ac0f8f3714f228"
+					}
+				  },
+				  {
+					"ref": "refs/tags/v3.17.1",
+					"node_id": "MDM6UmVmMjE2NTgxNTY3OnJlZnMvdGFncy92My4xNy4x",
+					"url": "https://api.github.com/repos/github/super-linter/git/refs/tags/v3.17.1",
+					"object": {
+					  "sha": "34b2f8032d759425f6b42ea2e52231b33ae05401",
+					  "type": "commit",
+					  "url": "https://api.github.com/repos/github/super-linter/git/commits/34b2f8032d759425f6b42ea2e52231b33ae05401"
+					}
+				  }
+			  ]`),
+	)
+
 	tests := []struct {
 		fileName              string
 		wantPinnedActions     bool

diff --git a/testfiles/pinactions/output/basic.yml b/testfiles/pinactions/output/basic.yml
@@ -10,7 +10,7 @@ jobs:
 
     steps:
     - name: Close Issue
-      uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe
+      uses: peter-evans/close-issue@a700eac5bf2a1c7a8cb6da0c13f93ed96fd53dbe # v1.0.3
       with:
        issue-number: 1
        comment: Auto-closing issue
diff --git a/testfiles/pinactions/output/branch.yml b/testfiles/pinactions/output/branch.yml
@@ -4,9 +4,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
+    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
     - name: Publish to Registry
-      uses: elgohr/Publish-Docker-Github-Action@8217e91c0369a5342a4ef2d612de87492410a666
+      uses: elgohr/Publish-Docker-Github-Action@8217e91c0369a5342a4ef2d612de87492410a666 # master
       with:
         name: docker.pkg.github.com/elgohr/publish-docker-github-action/publish-docker-github-action
         username: ${{ github.actor }}
@@ -15,8 +15,8 @@ jobs:
   build1:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089
-    - uses: borales/actions-yarn@4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9
+    - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
+    - uses: borales/actions-yarn@4965e1a0f0ae9c422a9a5748ebd1fb5e097d22b9 # v2.3.0
       with:
         auth-token: ${{ secrets.GITHUB_TOKEN }}
         registry-url: npm.pkg.github.com
diff --git a/testfiles/pinactions/output/dockeraction.yml b/testfiles/pinactions/output/dockeraction.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
+      uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
     - name: Integration test
       uses: docker://ghcr.io/step-security/integration-test/int:latest
       env:

diff --git a/testfiles/pinactions/output/localaction.yml b/testfiles/pinactions/output/localaction.yml
@@ -11,10 +11,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e
+      - uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
         with:
           node-version: 12.x
-      - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
+      - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
       - run: npm ci
       - run: npm run build
       - run: npm run format-check
@@ -32,7 +32,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
+        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
 
       # Basic checkout
       - name: Checkout basic
@@ -150,7 +150,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
+        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
 
       # Basic checkout using git
       - name: Checkout basic
@@ -182,7 +182,7 @@ jobs:
     steps:
       # Clone this repo
       - name: Checkout
-        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
+        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1.2.0
 
       # Basic checkout using git
       - name: Checkout basic