Hash-pinning for your OSS dependencies to protect against repojacking and imposter commits.
Pinny currently supports pinning Dockerfiles and Github Actions workflows.
Software supply chain attacks are on the rise, with a 742% increase in new-age supply chain attacks from 2019 to 2022. Using OSS dependencies exposes organizations to many software supply chain attack vectors, such as repojacking and dependency confusion. Automated hash-pinning is a practice that helps defend against such attacks.
OSS images can be referenced by image tag or by hash (digest). Images referenced by tag are mutable: the maintainer could push a new image with the same tag, and every downstream application using that image and tag could break.
Images referenced by hash are immutable. Even if a new image is pushed with the same tag, the new image will have a new hash (digest), and the previous image can still be referenced by its previous hash.
To pin your GitHub Actions workflows, run the following command in your repository root. This will rewrite all the workflows in your repository to use pinned versions of the actions.
pinny actions pin
If you are being rate limited by GitHub's API, pass a token:
GITHUB_TOKEN=<your_token> pinny actions pin
Use the --dry-run flag to see what changes will be made before actually making them. To learn more:
pinny actions --help
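As an added illustration of what the actions pinning step does (example code, not Pinny's own implementation), the following Python rewrites mutable tag references in a workflow to full commit hashes and reports any that remain unpinned. The resolver, the sample workflow and the hash values are constructed stand-ins for the GitHub API lookup.

```python
import re

# A workflow step line such as "      - uses: actions/checkout@v4".
# Local actions (./path) and docker:// images have no owner/repo@ref, so never match.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)@(?P<ref>[^\s#]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit hash is immutable


def unpinned(text):
    """Action references still using a mutable tag or branch (a CI check)."""
    refs = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group("ref")):
            refs.append(f"{m.group('action')}@{m.group('ref')}")
    return refs


def pin_workflow(text, resolve):
    """Rewrite each tag/branch reference to the commit hash it resolves to.
    resolve(action, ref) stands in for the GitHub API lookup. The original
    tag is kept as a trailing comment so readers and update bots can still
    tell which release the hash corresponds to."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or SHA_RE.match(m.group("ref")):
            out.append(line)  # not a pinnable reference, or already pinned
            continue
        sha = resolve(m.group("action"), m.group("ref"))
        out.append(f"{m.group('prefix')}{m.group('action')}@{sha} # {m.group('ref')}")
    return "\n".join(out) + "\n"


# Constructed sample workflow and resolver table; the 40-hex value is a
# placeholder, not a real actions/checkout commit.
WORKFLOW = """jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.18
"""
RESOLVED = {("actions/checkout", "v4"): "1111111111222222222233333333334444444444"}


def lookup(action, ref):
    return RESOLVED[(action, ref)]  # KeyError on an unknown ref: refuse to guess
```

Running `unpinned()` over the transformed text in CI fails the build if any mutable reference was reintroduced.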
Pinny supports two workflows for pinning Dockerfiles.
The first workflow pins the Dockerfile directly. To pin your Dockerfile, run the following command in your repository root. It looks for a file named Dockerfile in your repository root and creates a new file named Dockerfile.pinned with pinned versions of all the base images.
pinny docker pin
Use the --inplace (or -i) flag to overwrite the original Dockerfile instead of creating a new file:
pinny docker pin --inplace
Use the --file (or -f) flag to specify a different file name:
pinny docker pin --file Dockerfile.dev
The second workflow uses a lock file. To generate it, run the following command in your repository root. It looks for a file named Dockerfile in your repository root and creates a file named pinny-lock.json with pinned versions of all the base images.
pinny docker lock
Use the --file (or -f) flag to specify a different file name:
pinny docker lock --file Dockerfile.dev
To learn more:
pinny docker lock --help
Once you have committed the lock file, use the following command in your CI to transform your Dockerfiles to use the pinned versions of the base images recorded in the lock file.
pinny docker transform
Use the --file (or -f) flag to specify a different file name:
pinny docker transform --file Dockerfile.dev
Use the --inplace (or -i) flag to overwrite the original Dockerfile instead of creating a new file:
pinny docker transform --inplace
This command requires a file named pinny-lock.json to be present. To learn more:
pinny docker transform --help
To run Pinny from its Docker image, get the version from the releases section and run the following command (replace 0.0.9 with the version you want to use):
docker run -v "$(pwd):/app" -w /app -u $(id -u):$(id -g) ghcr.io/koalalab-inc/pinny:0.0.9 docker digest alpine:3.18
You can alias this command to pinny for ease of use:
alias pinny='docker run -v "$(pwd):/app" -w /app -u $(id -u):$(id -g) ghcr.io/koalalab-inc/pinny:0.0.9'
To install the binary, get the version from the releases section and run the following command (replace the version, OS and architecture as per your system). The following command downloads the archive containing the binary for macOS x86_64:
curl -fsSL https://github.com/koalalab-inc/pinny/releases/download/v0.0.9/pinny_Darwin_x86_64.tar.gz
To download the archive and place the binary in /usr/local/bin, run the following command:
curl -fsSL https://github.com/koalalab-inc/pinny/releases/download/v0.0.9/pinny_Darwin_x86_64.tar.gz | tar -xz -C "/usr/local/bin/" "pinny"
On macOS, if you get an error like "Cannot Verify That This App is Free from Malware" or "This app is from an unidentified developer", you can run the following command to allow the binary to run:
sudo xattr -d com.apple.quarantine /usr/local/bin/pinny