At Stacklok, we care about helping make security easier for developers. One way we intend to do that is by making it easier to enforce GitHub Actions security recommendations.
When it comes to securing GitHub Actions, we see two key challenges. One is that it’s hard to keep track of which third-party actions are being used, especially as teams start creating more repositories. The second is that it’s time-consuming to pin an action to a specific commit SHA (its checksum). Action pinning is a commonly recommended security practice (see examples here and here), and it is an effective defense against several types of attacks: a tag such as v4 or a branch such as master can be moved to new code at any time, whether through a compromised maintainer account or a malicious update, whereas a commit SHA names exactly one revision. (Pinning does not vet the code at that commit, so the pinned revision still has to be reviewed and kept up to date.) But asking developers to go and fetch the checksum every time constitutes toil and manual work, and feels like just more overhead on top of developers’ day-to-day work.
Could things be easier?
In an attempt to simplify developers’ lives, we’ve turned to automation!
Frizbee is a simple command line utility that removes the manual work involved in pinning actions to a checksum and in figuring out which actions your project uses.
For the former, just running frizbee ghactions in the root directory of your repository will parse all of your GitHub Actions workflows and replace the tag or branch references with the corresponding commit checksums. (Add the --dry-run flag to print what Frizbee would change without writing anything.)
If you’re working on adding CI to a given project, you don’t need to go and fetch the checksum for each and every action referenced in your workflows. Simply use Frizbee!
Frizbee can also resolve a single reference on the spot, which is handy when you are adding one more action to a workflow that is already pinned. Simply run frizbee ghactions one <action>@<tag>, and Frizbee will print the same reference pinned to its commit checksum.
Here’s an example:
$ frizbee ghactions one aquasecurity/trivy-action@master
aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
To get an idea of which actions are being used in a given repository, there is also a handy command: frizbee ghactions list prints every action and the reference currently used for it in a given project.
In addition to being a handy CLI tool, Frizbee also provides an API, which you can use to automate all of these tasks from a Go project.
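As an added example that is not Frizbee's own code and does not use its Go API (the post does not show that API), here is a small Go program that does the same two jobs on one workflow file: listing the action references in use, and rewriting tag and branch references to commit SHAs while keeping the original tag as a trailing comment. The workflow text, the lookup table that stands in for the GitHub API query Frizbee makes, and every SHA in it except the trivy-action one quoted above are constructed for the example. The line-based regular expression covers the common uses: forms but is a stand-in for a real YAML parser.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample workflow: a floating tag, a floating branch, a local action,
// and one step that is already pinned to a (made-up) commit SHA.
const SampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.22"
      - uses: ./.github/actions/local-thing
      - uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # v4.1.1
      - uses: aquasecurity/trivy-action@master`

// usesRef matches a step's "uses:" value of the form owner/repo[/subdir]@ref with an
// optional trailing comment. Local (./...) and docker:// references do not match.
var usesRef = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)@([^\s#]+)(\s*#.*)?$`)

var sha40 = regexp.MustCompile(`^[0-9a-f]{40}$`)

// Resolver maps a repository and a tag or branch to a commit SHA. Frizbee asks the
// GitHub API; this example uses a table instead so that it runs offline.
type Resolver func(repo, ref string) (string, error)

// tableResolver holds constructed SHAs, except the trivy-action one quoted in the post.
var tableResolver Resolver = func(repo, ref string) (string, error) {
	table := map[string]string{
		"actions/checkout@v4":              "0123456789abcdef0123456789abcdef01234567",
		"actions/setup-go@v5":              "fedcba9876543210fedcba9876543210fedcba98",
		"aquasecurity/trivy-action@master": "91713af97dc80187565512baba96e4364e983601",
	}
	sha, ok := table[repo+"@"+ref]
	if !ok {
		return "", fmt.Errorf("no commit found for %s@%s", repo, ref)
	}
	return sha, nil
}

// PinWorkflow rewrites each floating reference to the SHA the resolver returns and keeps
// the original ref as a trailing comment, the convention tools such as Dependabot read.
// Already pinned steps are left alone; an unresolvable reference is an error, not a skip.
func PinWorkflow(workflow string, resolve Resolver) (string, error) {
	lines := strings.Split(workflow, "\n")
	for i, line := range lines {
		m := usesRef.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		prefix, action, ref := m[1], m[2], m[3]
		if sha40.MatchString(ref) {
			continue
		}
		// "owner/repo/subdir" resolves against the repository "owner/repo".
		repo := strings.Join(strings.SplitN(action, "/", 3)[:2], "/")
		sha, err := resolve(repo, ref)
		if err != nil {
			return "", fmt.Errorf("line %d: %w", i+1, err)
		}
		lines[i] = fmt.Sprintf("%s%s@%s # %s", prefix, action, sha, ref)
	}
	return strings.Join(lines, "\n"), nil
}

// ListActions returns the distinct action@ref references in a workflow, sorted.
func ListActions(workflow string) []string {
	seen := map[string]bool{}
	for _, line := range strings.Split(workflow, "\n") {
		if m := usesRef.FindStringSubmatch(line); m != nil {
			seen[m[2]+"@"+m[3]] = true
		}
	}
	refs := make([]string, 0, len(seen))
	for r := range seen {
		refs = append(refs, r)
	}
	sort.Strings(refs)
	return refs
}

func main() {
	fmt.Println(strings.Join(ListActions(SampleWorkflow), "\n"))
	pinned, err := PinWorkflow(SampleWorkflow, tableResolver)
	if err != nil {
		panic(err)
	}
	fmt.Println(pinned)
}
```

Failing on an unresolvable reference rather than skipping it is deliberate: a workflow that is half pinned looks safe in review but still pulls floating code.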
We often have to do very similar things for containers. So we added support for them!
It is a best practice to reference container images in Kubernetes manifests by their digest rather than by a mutable tag. There are several tools out there that will fetch the digest for an image, and while that is handy, there was no straightforward way to rewrite manifests that already exist in a repository so that they use digests.
Frizbee can do this! Just use this command:
$ frizbee kubernetes # Or `frizbee k8s` for short
Frizbee will search for manifests referencing images and replace the tags with the corresponding digests.
To resolve a single image instead, use the frizbee containerimage one sub-command.
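The same idea applied to Kubernetes manifests, again as an added example that is not Frizbee's code: parse an image reference with the Docker naming defaults, resolve its tag to a manifest digest, and rewrite the image: line to name:tag@sha256:... so the tag stays readable while the digest is what the runtime actually pulls. The manifest, the digests and the lookup table that stands in for the registry request are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed digests (64 hex characters after "sha256:"), not real image digests.
var NginxDigest = "sha256:" + strings.Repeat("0123456789abcdef", 4)
var SidecarDigest = "sha256:" + strings.Repeat("fedcba9876543210", 4)
var PinnedDigest = "sha256:" + strings.Repeat("deadbeef", 8)

// Constructed manifest: a Docker Hub image, a quoted GHCR image, one that is already
// pinned by digest on a private registry with a port, and one the resolver does not know.
var SampleManifest = `apiVersion: v1
kind: Pod
spec:
  containers:
  - image: nginx:1.25
  - image: "ghcr.io/example/sidecar:v2.3.0"
  - image: registry.internal:5000/team/postgres@` + PinnedDigest + `
  - image: quay.io/example/missing:latest`

// ImageRef is a parsed container image reference.
type ImageRef struct {
	Registry, Repository, Tag, Digest string
}

// ParseImageRef applies the Docker conventions: no registry means docker.io, a bare
// name on docker.io means library/<name>, and no tag or digest means "latest".
func ParseImageRef(s string) ImageRef {
	var r ImageRef
	if i := strings.Index(s, "@"); i >= 0 {
		r.Digest, s = s[i+1:], s[:i]
	}
	// A colon after the last slash separates the tag; an earlier one is a registry port.
	if i := strings.LastIndex(s, ":"); i > strings.LastIndex(s, "/") {
		r.Tag, s = s[i+1:], s[:i]
	}
	first, rest, hasSlash := strings.Cut(s, "/")
	if hasSlash && (strings.ContainsAny(first, ".:") || first == "localhost") {
		r.Registry, r.Repository = first, rest
	} else {
		r.Registry, r.Repository = "docker.io", s
	}
	if r.Registry == "docker.io" && !strings.Contains(r.Repository, "/") {
		r.Repository = "library/" + r.Repository
	}
	if r.Tag == "" && r.Digest == "" {
		r.Tag = "latest"
	}
	return r
}

// DigestResolver maps a normalized registry/repository:tag to its manifest digest.
// Frizbee asks the registry; a table stands in here so that the example runs offline.
type DigestResolver func(registry, repository, tag string) (string, bool)

var tableResolver DigestResolver = func(registry, repository, tag string) (string, bool) {
	table := map[string]string{
		"docker.io/library/nginx:1.25":   NginxDigest,
		"ghcr.io/example/sidecar:v2.3.0": SidecarDigest,
	}
	d, ok := table[registry+"/"+repository+":"+tag]
	return d, ok
}

// imageLine matches an "image:" value, optionally quoted, with an optional comment.
var imageLine = regexp.MustCompile(`^(\s*-?\s*image:\s*)(["']?)([^"'\s#]+)(["']?)(\s*#.*)?$`)

// PinImages appends @digest to every image: value the resolver knows, leaves references
// that already carry a digest untouched, and returns the ones it could not resolve so
// the caller can fail loudly instead of shipping a half-pinned manifest.
func PinImages(manifest string, resolve DigestResolver) (string, []string) {
	var unresolved []string
	lines := strings.Split(manifest, "\n")
	for i, line := range lines {
		m := imageLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := ParseImageRef(m[3])
		if ref.Digest != "" {
			continue
		}
		digest, ok := resolve(ref.Registry, ref.Repository, ref.Tag)
		if !ok {
			unresolved = append(unresolved, m[3])
			continue
		}
		lines[i] = m[1] + m[2] + m[3] + "@" + digest + m[4] + m[5]
	}
	return strings.Join(lines, "\n"), unresolved
}

func main() {
	pinned, unresolved := PinImages(SampleManifest, tableResolver)
	fmt.Println(pinned)
	fmt.Println("unresolved:", unresolved)
}
```

Normalizing the reference before the lookup matters: nginx:1.25, docker.io/nginx:1.25 and docker.io/library/nginx:1.25 are the same image, and a resolver keyed on the raw string would miss two of them.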
Frizbee is open source! We hope that it will help you pin, and work more securely with, the GitHub Actions and container images in your repositories. Here’s the Frizbee repo, if you’re interested in trying it out or contributing: https://github.com/stacklok/frizbee
If you’d like to install it on your machine, here are some handy instructions to do so.
We've started using Frizbee as part of Minder, Stacklok's open source platform to help you apply security policies and best practices across multiple GitHub repos. Stay tuned for a future blog post with details on how we've integrated Frizbee into Minder to help you easily scale this across your environments!
Jakub Hrozek
Staff Software Engineer