Change AWS container version from number to SHA
Problem to solve
In #31167 (closed), we provided a container that can be called using the version number (an image tag). A tag is mutable, so calling the container by version number means the pipeline runs whatever image the registry serves under that tag at run time, which an attacker who can repoint the tag could exploit. We should reference the image by its content digest (SHA256) instead of the version number to add a layer of security.
Further details
https://julienrenaux.fr/2019/12/20/github-actions-security-risk/
Proposal
In #31167 (closed), we provided a container that can be called using the version number, as in the example below (tags are introduced with `:` in an image reference):

```yaml
deploy:
  stage: deploy
  image: gitlab/gitlab-awsclient:1.0
  script:
    - aws ...
```

We need to change this to reference the image by digest, where `<digest>` stands for the 64-hex-character SHA256 digest of the reviewed image:

```yaml
deploy:
  stage: deploy
  image: gitlab/gitlab-awsclient@sha256:<digest>
  script:
    - aws ...
```
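As an added example (not part of the issue or of any GitLab tooling), the following checker scans a `.gitlab-ci.yml` for one-line `image:` references that are not digest-pinned and rewrites a tag reference into the `@sha256:` form; the digest value and the sample pipeline are constructed placeholders, not real image data.

```python
import re

# Only a full "@sha256:<64 hex>" suffix is immutable; a ":1.0" tag (or the
# "@1.0" spelling from the issue) can be repointed by the registry at any time.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
# One-line `image:` keys in .gitlab-ci.yml, bare or quoted. The nested
# `image:` / `name:` form is not handled by this checker.
IMAGE_LINE_RE = re.compile(r"^\s*image:\s*['\"]?([^\s'\"#]+)")


def is_digest_pinned(ref: str) -> bool:
    """True only when the reference ends in a complete sha256 digest."""
    return DIGEST_RE.search(ref) is not None


def find_unpinned_images(ci_yaml: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for each image: that is not digest-pinned."""
    findings = []
    for lineno, line in enumerate(ci_yaml.splitlines(), start=1):
        m = IMAGE_LINE_RE.match(line)
        if m and not is_digest_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


def pin_to_digest(ref: str, digest: str) -> str:
    """Rewrite name:tag (or the issue's name@tag) as name@sha256:<digest>."""
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("digest must be 64 lowercase hex characters")
    name = ref.split("@", 1)[0]
    # Strip a tag from the last path component only, so a registry port such
    # as registry.example:5000/img is left intact.
    parts = name.rsplit("/", 1)
    parts[-1] = parts[-1].split(":", 1)[0]
    return "/".join(parts) + "@sha256:" + digest


# Constructed sample pipeline mirroring the two forms in the issue. The digest
# is a placeholder and does not identify any real image.
PLACEHOLDER_DIGEST = "0123456789abcdef" * 4
SAMPLE_CI = f"""
unpinned:
  stage: deploy
  image: gitlab/gitlab-awsclient:1.0
  script:
    - aws s3 ls

pinned:
  stage: deploy
  image: "gitlab/gitlab-awsclient@sha256:{PLACEHOLDER_DIGEST}"
  script:
    - aws s3 ls
"""
```

The real digest for a pulled image can be read with `docker inspect --format '{{index .RepoDigests 0}}' gitlab/gitlab-awsclient:1.0`, which prints the `name@sha256:...` form to copy into the pipeline.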
Links / references
https://lobste.rs/s/7tgnbe/use_github_actions_at_your_own_risk
Edited by Thao Yeager