supply chain improvement on dockerfile

[venkatamutyala]

Suggestion

i believe with the current approach everyone gets the latest version of the docker image even if they are pinned on a specific version of your GitHub action. i think pinning to a sha would help reduce a supply chain attack

terraform-github-actions/image/Dockerfile

Line 2 in 9f9ebf0

FROM danielflook/terraform-github-actions-base:latest

[dflook]

Hi @venkatamutyala, thanks for raising a really important question.

The image for each release is pinned to a specific image which you can see in the action.yaml for each repo

e.g.

  image: docker://danielflook/terraform-github-actions@sha256:5d8cfe89eb83d6527ad4fe2c48462241d1f17e4d71ca6446806b857cff08f9cf

The image also has an version tag that won't change, but we use the digest as I don't think the immutability of the tag can be guaranteed.

This container image also has provenance baked in, and attested to come from the release job in this repo. This can be verified.

So if you use the release version of the actions pinned to a git sha, e.g.

        uses: dflook/terraform-plan@7878bff63e2099cdc9be9a6f33cbbbf687f8f0fe  # v2.2.3

the you will get a fully immutable action. The full version tag v2.2.3 is also an immutable release on GitHub should you wish to use that, but using the sha is a good practice.

Partial versions like v2 and v2.2 are mutable, and are for convenience only. I would suggest using at least the full version as a good practice.

---

You are right that the Dockerfile pulls a mutable latest tag for the base image, but the release workflow verifies the attestation so we know where it came from, and re-writes the Dockerfile so we explicitly use that specific image digest.

If the latest tag was replaced with a compromised image, it would be rejected and no release could happen.

The base image 'latest' tag gets updated at least once a week, or when there are changes to the base Dockerfile - but it does not affect already released versions.

The release image contains the provenance information for the base image, which is also attested and verified before it is used so from a release image you can also trace back which git sha and github actions job built the base image. The base image is also tagged with the release version that used it for convenience.

There are some improvements for supply chain security going into the next release, focused on pinning of dependencies that go into the final image. But once released the images are already totally immutable.

I hope this addresses your concern, I will try to write this up in more detail at some point

[venkatamutyala]

Awesome! Thank you for taking the time to explain what is there and how i'm already protected.

Have you seen / enabled this by chance on the container images themselves? https://docs.docker.com/docker-hub/repos/manage/hub-images/immutable-tags/

[dflook]

I've just checked the repo settings and immutable tags are already turned on for the release images, but that doesn't seem to be shown anywhere on dockerhub. The released actions pin by digest instead of tag so are immutable anyway.

The base image didn't have immutable tags enabled at all, so i've changed it to be partially enabled - release version tags and all regular build tags are now immutable. This leaves the 'latest' tag mutable, but it is verified before use.

[dflook]

After poking around it actually does show it on the tags page: "Tags cannot be overwritten in this Repository."