
Pin cri-o and redhat-actions/push-to-registry #749

Merged
merged 1 commit into from
Dec 6, 2021

Conversation

pjbgf
Member

@pjbgf pjbgf commented Dec 3, 2021

What type of PR is this?

/kind cleanup

What this PR does

  • Pins the script used to install CRI-O.
  • Pins GitHub action redhat-actions/push-to-registry to v2.5.

Why we need it:

Pinned dependencies reduce several security risks:

  • They ensure that checking and deployment are all done with the same software, reducing deployment risks, simplifying debugging, and enabling reproducibility.
  • They can help mitigate compromised dependencies from undermining the security of the project (in the case where you've evaluated the pinned dependency, you are confident it's not compromised, and a later version is released that is compromised).
  • They are one way to counter dependency confusion (aka substitution) attacks, in which an application uses multiple feeds to acquire software packages (a "hybrid configuration"), and attackers fool the user into using a malicious package via a feed that was not expected for that package.

For more information, refer to ossf.

Which issue(s) this PR fixes:

Relates to #653

Does this PR have tests?

N/A

Special notes for your reviewer:

Once this PR is merged, there is only one valid dependency item to be pinned (as reported by the ossf scorecard), which is the build base image:
https://github.com/kubernetes-sigs/security-profiles-operator/blob/main/Dockerfile#L16

This item will be remediated in the coming weeks.

The ossf scorecard also reported a few items within the vendor folder, but I am treating it as a false positive (ossf/scorecard#1095).

Does this PR introduce a user-facing change?

NONE
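The description above lists the two kinds of pin this PR makes (a GitHub action reference and a script download) and the risks pinning addresses. The checker below is an added example, not the project's tooling and not part of the PR; it scans a workflow file for the same weaknesses the ossf scorecard Pinned-Dependencies check reports: `uses:` references with no version at all, references pinned to a mutable tag or branch rather than a 40-hex commit SHA (a tag such as `v2.5` can be moved, which is why scorecard keeps flagging tag pins), and `run:` steps that fetch a script from a branch path. The workflow text, the `example-org` URL and the SHA value are constructed for the example and do not come from the project.

```python
"""Added example: flag weakly pinned dependencies in a GitHub Actions workflow.

Stand-alone checker (standard library only, no YAML parser needed). It is
not the project's code; it mirrors the kind of finding the ossf scorecard
Pinned-Dependencies check raises.
"""
import re

# A full-length git commit SHA is the only immutable reference for an action;
# tags and branches can be moved to point at different code later.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref" or "uses: owner/repo@ref" (quotes optional).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A script fetched from a branch path changes whenever that branch moves.
BRANCH_URL = re.compile(r"https?://[^\s'\"]+/(?:main|master)/[^\s'\"|]+")


def check_workflow(text: str):
    """Return a list of (line_number, reference, reason) for each weak pin."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            # Local actions live in this repository; there is nothing to pin.
            # Container references (docker://) are pinned by image digest,
            # which is a separate check and is skipped here.
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            if "@" not in ref:
                findings.append((lineno, ref, "no version reference"))
            else:
                _, version = ref.rsplit("@", 1)
                if not COMMIT_SHA.match(version):
                    findings.append((lineno, ref, "mutable tag or branch"))
            continue
        u = BRANCH_URL.search(line)
        if u:
            findings.append((lineno, u.group(0), "script fetched from a branch"))
    return findings


# Constructed sample workflow (not the project's file). The example-org URL
# and the 40-hex SHA are placeholder values, not real repositories or commits.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: ./.github/actions/local-setup
      - name: Install CRI-O
        run: curl -sSfL https://raw.githubusercontent.com/example-org/example-repo/main/install-crio.sh | sudo bash
      - name: Push image
        uses: redhat-actions/push-to-registry@v2.5
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action
"""


if __name__ == "__main__":
    for lineno, ref, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {reason}: {ref}")
```

Run against the constructed workflow, the checker reports the tag-pinned `actions/checkout@v2` and `redhat-actions/push-to-registry@v2.5`, the script pulled from a `main` branch path, and the versionless `some-org/some-action`; the SHA-pinned `actions/setup-go` step and the local action produce no finding. Replacing each flagged tag with the commit SHA that tag resolves to, and fetching install scripts from a commit-specific path (ideally with a checksum verified before execution), clears the findings.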

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. labels Dec 3, 2021
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Dec 3, 2021
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 3, 2021
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pjbgf, saschagrunert

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [pjbgf,saschagrunert]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@saschagrunert
Member

/test pull-security-profiles-operator-test-e2e

@pjbgf pjbgf closed this Dec 4, 2021
@pjbgf pjbgf reopened this Dec 4, 2021
@codecov-commenter

Codecov Report

Merging #749 (d453bff) into main (c1ec914) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #749   +/-   ##
=======================================
  Coverage   54.03%   54.03%           
=======================================
  Files          42       42           
  Lines        4129     4129           
=======================================
  Hits         2231     2231           
  Misses       1831     1831           
  Partials       67       67           

@pjbgf
Member Author

pjbgf commented Dec 4, 2021

/test pull-security-profiles-operator-test-e2e

@pjbgf
Member Author

pjbgf commented Dec 4, 2021

/test pull-security-profiles-operator-test-e2e

@pjbgf
Member Author

pjbgf commented Dec 5, 2021

/test pull-security-profiles-operator-test-e2e

@saschagrunert
Member

/test pull-security-profiles-operator-test-e2e


@saschagrunert
Member

/test pull-security-profiles-operator-test-e2e

@k8s-ci-robot k8s-ci-robot merged commit a2ee602 into kubernetes-sigs:main Dec 6, 2021