back to article GitHub debuts pedigree check for npm packages via Actions

Developers who use GitHub Actions to build software packages for the npm registry can now add a command flag that will publish details about the code's origin. This feature is intended to further enhance the security of the open source software supply chain, which has become a common target for cyberattacks. GitHub Actions is …

  1. Doctor Syntax Silver badge

    Is there anything in this that prevents anyone who wishes to deliberately plant malware in a repository from adding a --provenance flag? Granted it would be very naughty but anyone deliberately sneaking in malware is already being very naughty so a bit of extra naughtiness isn't going to worry them.

    1. Claptrap314 Silver badge

      I cannot upvote this enough. This does exactly 0 for security.

    2. bdehamer

      It really depends on the attack vector. If our naughty actor is exploiting some leaked/compromised npm credentials (by far the most common way these attacks occur) to publish a malware-laden update, they absolutely can include the --provenance flag . . . however, the generated provenance is going to clearly show that this package was NOT generated from the original source repository. This isn't yet available in the current beta, but the registry will ultimately reject publish requests for packages if it sees that previous versions included a provenance statement but the new version either doesn't have provenance or has a provenance where the source repository is suddenly different.

      An attack on the source repository itself is a whole other class of supply-chain attack that requires different defensive measures (branch protections, 2FA, etc) -- a provenance statement isn't going to do much for you here except maybe lead you back to the commit where the compromised code was initially introduced.

      1. Doctor Syntax Silver badge

        Long Firm Fraud

        What if the original is quite innocuous, possibly useful. Once it's accepted does the author then have the continuing access to convert it into something nasty?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like