chore(deps): bump docker/setup-qemu-action from 3 to 4#335
chore(deps): bump docker/setup-qemu-action from 3 to 4#335dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](docker/setup-qemu-action@v3...v4) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| uses: docker/setup-qemu-action@v4 |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
docker/setup-qemu-action@v4 uses a movable tag, so a repointed v4 tag could run attacker-controlled code in the Set up QEMU step and tamper with build artifacts.
More details about this
docker/setup-qemu-action@v4 is pulled by the movable v4 tag, so this workflow will run whatever code the action publisher points that tag to at build time. In this job, that action runs in the Set up QEMU step before docker buildx build, so if v4 were repointed to a malicious commit, the attacker’s code would execute on ubuntu-latest with access to the checked-out repository and the job’s runtime credentials.
A plausible attack looks like this:
- An attacker compromises the
docker/setup-qemu-actionrepository or a maintainer account and moves thev4tag to a new malicious commit. - Your
container_buildsjob resolvesuses: docker/setup-qemu-action@v4to that new commit the next time the workflow runs. - The malicious action runs during
Set up QEMUand can read files from the repository already fetched byactions/checkout@v6, inspect environment variables, and modify the runner state before the laterRun Buildxstep. - It could then tamper with the build inputs or generated
./prebuildsartifacts so theactions/upload-artifact@v7step publishes attacker-controlled build output.
Because the reference here is @v4 instead of a full 40-character commit SHA, the exact code executed by this step can change without any workflow diff in this repository.
To resolve this comment:
✨ Commit fix suggestion
| uses: docker/setup-qemu-action@v4 | |
| uses: docker/setup-qemu-action@8ade135a41bc03ea155e62e844d188df1ea18608 # docker/setup-qemu-action v4 |
View step-by-step instructions
-
Replace the mutable action reference with a full 40-character commit SHA instead of
@v4.
Changeuses: docker/setup-qemu-action@v4touses: docker/setup-qemu-action@<full-40-character-commit-sha>. -
Get the SHA from the
docker/setup-qemu-actionrepository by opening thev4release or tag on GitHub and copying the commit hash for the exact revision you want to trust.
The final value should look likeuses: docker/setup-qemu-action@8ade135a41bc03ea155e62e844d188df1ea18608. -
Add a short comment next to the pinned reference so future updates are intentional, for example
# docker/setup-qemu-action v4.
Pinning to a commit SHA prevents the action owner from silently changing what runs under the same tag.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.
🛟 Help? Slack #semgrep-help or go/semgrep-help.
Resolution Options:
- Fix the code
- Reply
/fp $reason(if security gap doesn’t exist) - Reply
/ar $reason(if gap is valid but intentional; add mitigations/monitoring) - Reply
/other $reason(e.g., test-only)
You can view more details about this finding in the Semgrep AppSec Platform.
Bumps docker/setup-qemu-action from 3 to 4.
Release notes
Sourced from docker/setup-qemu-action's releases.
... (truncated)
Commits
96fe6efMerge pull request #315 from docker/dependabot/npm_and_yarn/docker/actions-to...31f08d3[dependabot skip] chore: update generated content4e7017abuild(deps): bump@docker/actions-toolkitfrom 0.91.0 to 0.92.00eca235Merge pull request #314 from crazy-max/fix-yarn-preapprove-actions-toolkitea66a41chore: allow actions-toolkit to bypass yarn age gate451542bMerge pull request #308 from docker/dependabot/npm_and_yarn/undici-6.27.0532ae00[dependabot skip] chore: update generated contentb6f5af6build(deps): bump undici from 6.26.0 to 6.27.0cf96b86Merge pull request #304 from docker/dependabot/npm_and_yarn/tmp-0.2.7f0ba643[dependabot skip] chore: update generated contentDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)