Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ jobs:
- uses: actions/checkout@v6

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@v4

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:

docker/setup-qemu-action@v4 uses a movable tag, so a repointed v4 tag could run attacker-controlled code in the Set up QEMU step and tamper with build artifacts.

More details about this

docker/setup-qemu-action@v4 is pulled by the movable v4 tag, so this workflow will run whatever code the action publisher points that tag to at build time. In this job, that action runs in the Set up QEMU step before docker buildx build, so if v4 were repointed to a malicious commit, the attacker’s code would execute on ubuntu-latest with access to the checked-out repository and the job’s runtime credentials.

A plausible attack looks like this:

  1. An attacker compromises the docker/setup-qemu-action repository or a maintainer account and moves the v4 tag to a new malicious commit.
  2. Your container_builds job resolves uses: docker/setup-qemu-action@v4 to that new commit the next time the workflow runs.
  3. The malicious action runs during Set up QEMU and can read files from the repository already fetched by actions/checkout@v6, inspect environment variables, and modify the runner state before the later Run Buildx step.
  4. It could then tamper with the build inputs or generated ./prebuilds artifacts so the actions/upload-artifact@v7 step publishes attacker-controlled build output.

Because the reference here is @v4 instead of a full 40-character commit SHA, the exact code executed by this step can change without any workflow diff in this repository.

To resolve this comment:

✨ Commit fix suggestion

Suggested change
uses: docker/setup-qemu-action@v4
uses: docker/setup-qemu-action@8ade135a41bc03ea155e62e844d188df1ea18608 # docker/setup-qemu-action v4
View step-by-step instructions
  1. Replace the mutable action reference with a full 40-character commit SHA instead of @v4.
    Change uses: docker/setup-qemu-action@v4 to uses: docker/setup-qemu-action@<full-40-character-commit-sha>.

  2. Get the SHA from the docker/setup-qemu-action repository by opening the v4 release or tag on GitHub and copying the commit hash for the exact revision you want to trust.
    The final value should look like uses: docker/setup-qemu-action@8ade135a41bc03ea155e62e844d188df1ea18608.

  3. Add a short comment next to the pinned reference so future updates are intentional, for example # docker/setup-qemu-action v4.
    Pinning to a commit SHA prevents the action owner from silently changing what runs under the same tag.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by github-actions-mutable-action-tag.

🛟 Help? Slack #semgrep-help or go/semgrep-help.

Resolution Options:

  • Fix the code
  • Reply /fp $reason (if security gap doesn’t exist)
  • Reply /ar $reason (if gap is valid but intentional; add mitigations/monitoring)
  • Reply /other $reason (e.g., test-only)

You can view more details about this finding in the Semgrep AppSec Platform.


- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
Expand Down
Loading