feat(gha): ensure action sources use commit hash

resolves: #7057

Author: bt-macole

checkov/github_actions/checks/job/RevisionHash.py

@@ -0,0 +1,36 @@
+from __future__ import annotations
+
+import re
+from typing import Any
+
+from checkov.common.models.enums import CheckResult
+from checkov.github_actions.checks.base_github_action_check import BaseGithubActionsCheck
+from checkov.yaml_doc.enums import BlockType
+
+# Matches @ followed by a 40-character SHA-1 commit hash with optional trailing comment
+COMMIT_ID_PATTERN = re.compile(r"@[0-9a-f]{40}\s*(#.*)?$")
+
+
+class RevisionHash(BaseGithubActionsCheck):
+    def __init__(self) -> None:
+        name = "Ensure GitHub Action sources use a commit hash"
+        id = "CKV_GHA_8"
+        super().__init__(
+            name=name,
+            id=id,
+            block_type=BlockType.ARRAY,
+            supported_entities=('jobs', 'jobs.*.steps[]')
+        )
+
+    def scan_conf(self, conf: dict[str, Any]) -> tuple[CheckResult, dict[str, Any] | None]:
+        if not isinstance(conf, dict):
+            return CheckResult.UNKNOWN, conf
+        uses = conf.get("uses", None)
+
+        if uses is None or re.search(COMMIT_ID_PATTERN, uses):
+            return CheckResult.PASSED, conf
+
+        return CheckResult.FAILED, conf
+
+
+check = RevisionHash()

tests/github_actions/gha/.github/workflows/revision_hash.yaml

@@ -0,0 +1,32 @@
+name: Checkov
+on:
+  push:
+    branches:
+      - master
+
+permissions: {}
+
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout with master version of action
+        uses: actions/checkout@master
+
+      - name: Checkout with tagged version
+        uses: actions/checkout@v3
+
+      - name: Checkout with hash
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+      - name: Checkout with hash and comment on the same line
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Run Checkov action
+        id: checkov
+        # checkov:skip=CKV_GHA_8:Trust our own stuff?
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: terraform/
+          framework: terraform

tests/github_actions/test_runner.py

@@ -301,6 +301,23 @@ def test_runner_on_workflows_dispatch(self):
         assert len(report.skipped_checks) == 0
         assert len(report.parsing_errors) == 0
 
+    def test_runner_revision_hash(self):
+        # given
+        file_path = Path(__file__).parent / "gha/.github/workflows/revision_hash.yaml"
+        file_dir = [str(file_path)]
+        checks = ["CKV_GHA_8"]
+
+        # when
+        report = Runner().run(
+            files=file_dir, runner_filter=RunnerFilter(framework=["github_actions"], checks=checks)
+        )
+
+        # then
+        assert len(report.failed_checks) == 2
+        assert len(report.passed_checks) == 2
+        assert len(report.skipped_checks) == 2
+        assert len(report.parsing_errors) == 0
+
 
 if __name__ == "__main__":
     unittest.main()