dbnsky/ctf

SecDim’s Defensive Programming challenge

An action retrieved from a third-party GitHub repository should be pinned to a full-length commit SHA. Currently, the only way to ensure an action remains immutable is by pinning it to a specific commit SHA. This approach reduces the risk of malicious actors introducing backdoors into the action’s repository since doing so would require generating a SHA-1 collision for a legitimate Git object payload.
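The check described above can be automated: scan a workflow file for `uses:` references and flag any remote action whose ref is not a full 40-character commit SHA. The script below is an added example written for this page, not code from the dbnsky/ctf repository or from SecDim; the workflow text, the `example-org/*` action names and the SHA `0123456789abcdef0123456789abcdef01234567` are all constructed for illustration. It goes slightly beyond the text by distinguishing three failure kinds (tag or branch, abbreviated SHA, unrecognised reference) and by skipping local (`./`) and `docker://` references, which carry no Git ref to pin.

```python
import re

# owner/repo[/subdir]@ref  -- the form a remote action reference takes in `uses:`
REMOTE_ACTION = re.compile(r"^(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)")
# A full-length Git object id: exactly 40 lowercase hex characters
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses:` lines; the value stops at a trailing `# comment` (commonly `# vX.Y.Z`)
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(?P<value>[^#\n]+)")


def is_full_sha(ref: str) -> bool:
    """True only for a full-length (40 hex chars) commit SHA."""
    return bool(FULL_SHA.fullmatch(ref.strip()))


def check_uses(value: str):
    """Return None if the reference is acceptable, otherwise a short reason string."""
    value = value.strip().strip("'\"")
    # Local composite actions and container images have no Git ref to pin
    if value.startswith("./") or value.startswith("docker://"):
        return None
    m = REMOTE_ACTION.match(value)
    if not m:
        return "unrecognised action reference"
    ref = m.group("ref")
    if is_full_sha(ref):
        return None
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "abbreviated SHA, not a full 40-character commit SHA"
    return f"mutable ref '{ref}' (tag or branch)"


def find_unpinned(workflow_text: str):
    """Return (line_number, uses_value, reason) for every `uses:` that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        reason = check_uses(m.group("value"))
        if reason:
            findings.append((lineno, m.group("value").strip(), reason))
    return findings


# Constructed sample workflow (hypothetical example-org actions and a made-up SHA)
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/lint-action@main
      - uses: example-org/build-action@0123456
      - uses: example-org/release-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: make test
"""

if __name__ == "__main__":
    for lineno, value, reason in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value}: {reason}")
```

Run against the constructed workflow, the script reports lines 7, 8 and 9 (tag, branch and abbreviated SHA respectively); the full-SHA reference on line 10 passes, and the local and container references are skipped. In a real repository you would point `find_unpinned` at each file under `.github/workflows/` and fail the build on any finding.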

Objective

Find the security weakness in the GitHub workflow and fix it effectively.

Usage

  1. Create a new empty GitHub repository.

  2. Clone it locally.

  3. Copy this repository's files to the new GitHub repository.

  4. Make sure to include the .github/ directory.

  5. Commit and push the changes to the master branch.

  6. Go to the Actions tab in the repository to monitor the workflow run.

Tip
You can install and run act to run GitHub Actions locally on your workstation.
  • Install act

  • make run to run the GitHub workflow locally

  • make push to git add, commit and push

  • make status to retrieve test output from the server

Push your code to the SecDim remote repository. Go to the challenge tab. Security tests will run against your code. If the tests pass, you will get the challenge score.

Important notes

  1. Push only to the master branch.

  2. Usability tests must always pass.

  3. All tests will be overwritten on the server.

  4. Security tests are not given in your repository.

Troubleshooting

Ask your question on SecDim Discuss
