
Adding a rule to detect impostor commits #13

Open
bboilot-ledger opened this issue Oct 30, 2024 · 3 comments

Comments

@bboilot-ledger
Contributor

Hello @hugo-syn 👋

I recently came across https://openssf.org/blog/2024/08/12/mitigating-attack-vectors-in-github-workflows/
From a defensive aspect, it would be awesome to be able to detect impostor commits used in GitHub Actions using octoscan.

But this is more an indicator of compromise rather than a vulnerability. What do you think about adding this kind of rule?

@hugo-syn
Collaborator

Hi @bboilot-ledger, what do you imagine? An alert when a commit is not pinned? Or an alert if the commit doesn't belong to the main project?

Did you try their action https://github.com/ossf/scorecard-action? I think there is a rule for non-pinned commits but I don't know if they can detect impostor commits.

Since it's a defensive rule, I don't know if I want to add this.

@bboilot-ledger
Contributor Author

I imagined an alert if the pinned commit belongs to a fork of the action repository.

There is also https://woodruffw.github.io/zizmor/audits/#impostor-commit that is able to detect impostor commits.

Yes, this is definitely a defensive rule, so out of scope of this tool.

Thanks for your feedback, I guess we can close this issue.
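The rule sketched in the comment above (an alert when a pinned commit is not actually part of the action's upstream repository), together with the "commit is not pinned" case raised earlier in the thread, as an added Go example. This is not octoscan's, zizmor's or scorecard's code; the `ParseUses`, `AuditWorkflow` and `Reachable` names, the `example-org/release-action` repository and the SHAs in the sample workflow are all constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// ActionRef is one third-party action reference from a workflow `uses:` line.
type ActionRef struct {
	Owner, Repo string
	Ref         string // tag, branch name or full commit SHA
}

// Finding is one alert: Kind is "unpinned" (mutable tag/branch) or "impostor-commit".
type Finding struct {
	Ref  ActionRef
	Kind string
}

// Reachable answers whether sha is reachable from some branch or tag of owner/repo.
// That is the property to test: asking GitHub whether the commit merely "exists"
// under owner/repo is not enough, since fork commits are served under the upstream URL.
type Reachable func(owner, repo, sha string) (bool, error)

var (
	usesRe = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^"'\s#]+)`)
	shaRe  = regexp.MustCompile(`^[0-9a-f]{40}$`)
)

// ParseUses extracts GitHub-hosted action references from workflow YAML text;
// local (./) and docker:// references are not GitHub repositories and are skipped.
func ParseUses(workflow string) []ActionRef {
	var refs []ActionRef
	sc := bufio.NewScanner(strings.NewReader(workflow))
	for sc.Scan() {
		m := usesRe.FindStringSubmatch(sc.Text())
		if m == nil || strings.HasPrefix(m[1], "./") || strings.HasPrefix(m[1], "docker://") {
			continue
		}
		at := strings.LastIndex(m[1], "@")
		if at < 0 {
			continue // no @ref part: not a valid remote action reference
		}
		parts := strings.SplitN(m[1][:at], "/", 3) // owner/repo[/subdir]
		if len(parts) < 2 {
			continue
		}
		refs = append(refs, ActionRef{Owner: parts[0], Repo: parts[1], Ref: m[1][at+1:]})
	}
	return refs
}

// PinnedToSHA reports whether the reference is an immutable full commit SHA.
func (a ActionRef) PinnedToSHA() bool { return shaRe.MatchString(a.Ref) }

// AuditWorkflow flags mutable references and SHA pins that no upstream ref reaches.
func AuditWorkflow(workflow string, reachable Reachable) ([]Finding, error) {
	var out []Finding
	for _, r := range ParseUses(workflow) {
		if !r.PinnedToSHA() {
			out = append(out, Finding{Ref: r, Kind: "unpinned"})
			continue
		}
		ok, err := reachable(r.Owner, r.Repo, r.Ref)
		if err != nil {
			return nil, fmt.Errorf("%s/%s@%s: %w", r.Owner, r.Repo, r.Ref, err)
		}
		if !ok {
			out = append(out, Finding{Ref: r, Kind: "impostor-commit"})
		}
	}
	return out, nil
}

// Constructed sample (made-up owner, repo and SHAs): one genuine pin, one pin to a
// SHA the upstream does not reach, one mutable tag and one local action.
const SampleWorkflow = `
steps:
  - uses: example-org/release-action@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  - uses: example-org/release-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  - uses: example-org/release-action@v1
  - uses: ./.github/actions/local
`

// SampleReachable is an in-memory stand-in for a real ancestry check, so the
// audit runs offline; only the "a..." commit is reachable from upstream refs.
func SampleReachable(owner, repo, sha string) (bool, error) {
	known := map[string]bool{"example-org/release-action@" + strings.Repeat("a", 40): true}
	return known[owner+"/"+repo+"@"+sha], nil
}

func main() {
	findings, _ := AuditWorkflow(SampleWorkflow, SampleReachable)
	for _, f := range findings {
		fmt.Printf("%-16s %s/%s@%s\n", f.Kind, f.Ref.Owner, f.Ref.Repo, f.Ref.Ref)
	}
}
```

Run as is, it reports the `b...` pin as `impostor-commit` and `v1` as `unpinned`; the genuine pin and the local action produce nothing. A production `Reachable` would replace the in-memory table with a real ancestry test against the upstream repository, for instance by fetching its branches and tags and checking whether any of them reaches the SHA (`git merge-base --is-ancestor`), which is what keeps a fork-only commit from passing as upstream code.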

@hugo-syn
Collaborator

hugo-syn commented Nov 2, 2024

Well, after some discussion with a colleague I changed my mind. I'll try to implement this rule; I'll update this issue once done.
