Pinned-Dependencies #4422
-
Getting a code scanning alert in https://github.com/microsoft/MHA: "npmCommand not pinned by hash". The remediation steps don't spell out what "npmCommand not pinned by hash" means or how I'm supposed to resolve it. I basically have no idea what I'm supposed to do here. I tried altering the npm command (microsoft/MHA#1338) but that had no effect. This issue looks promising: #2911, but I don't see any evidence of parsing failures. It would be helpful if I could see any logs showing how this alert was generated, but I don't know where/how to find those.
Replies: 1 comment
-
Agreed, the resolution steps aren't clear in the output. In this case, it's looking for npm ci and not npm i:

RUN cd /app/MHA && npm ci && npm run build --if-present

Please double check your Dockerfile still works like this, but the warning in Scorecard should go away (--local lets you point Scorecard at local files so you don't need to merge and test):

scorecard --local=/tmp/MHA --checks Pinned-Dependencies --format json --show-details | jq
# omitted ...
"details": [
"Info: 21 out of 21 GitHub-owned GitHubAction dependencies pinned",
"Info: 12 out of 12 third-party GitHubAction dependencies pinned",
"Info: 1 out of 1 containerImage dependencies pinned",
"Info: 1 out of 1 npmCommand dependencies pinned"
],
"score": 10,
"reason": "all dependencies are pinned",
"name": "Pinned-Dependencies",
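To make the distinction in the reply concrete, here is an added example (written for this page, not code from the thread, from Scorecard, or from the MHA project) that walks a Dockerfile's RUN instructions, joins backslash continuations, splits the shell command on `&&`, `||`, `;` and `|`, and flags npm invocations that resolve versions from package.json at build time instead of installing exactly what package-lock.json records. The two Dockerfiles are constructed samples, and the list of "unpinned" npm subcommands is a simplified assumption; Scorecard's real check has more rules than this.

```python
import shlex

# Constructed sample Dockerfiles (not from the MHA repo). The first uses the form
# that yields "npmCommand not pinned by hash"; the second uses the npm ci form
# suggested in the reply above.
UNPINNED_DOCKERFILE = """\
FROM node:20
WORKDIR /app/MHA
COPY . .
RUN cd /app/MHA && \\
    npm install && \\
    npm run build --if-present
"""

PINNED_DOCKERFILE = """\
FROM node:20
WORKDIR /app/MHA
COPY . .
RUN cd /app/MHA && npm ci && npm run build --if-present
"""

# npm subcommands that resolve versions from package.json at build time.
# "npm ci" installs exactly what package-lock.json says and fails if the lock
# and manifest disagree, so it is the pinned form. Simplified list (assumption).
UNPINNED_NPM_SUBCOMMANDS = {"install", "i", "add", "update", "up"}


def run_instructions(dockerfile: str):
    """Yield (line_number, command_text) for each RUN instruction, joining
    backslash line continuations so a multi-line RUN is seen as one command."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        start = i + 1  # 1-based line number of the RUN keyword
        if line.upper().startswith("RUN "):
            body = line[4:]
            while body.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                body = body.rstrip()[:-1] + " " + lines[i].strip()
            yield start, body
        i += 1


def simple_commands(command_text: str):
    """Split one shell command string into argv lists, one per simple command,
    using the shell operators &&, ||, ; and | as separators."""
    lexer = shlex.shlex(command_text, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    current = []
    for tok in lexer:
        if tok in ("&&", "||", ";", "|"):
            if current:
                yield current
            current = []
        else:
            current.append(tok)
    if current:
        yield current


def unpinned_npm_commands(dockerfile: str):
    """Return [(line_number, "npm <subcommand> ..."), ...] for npm invocations
    that do not install from the lockfile; an empty list means all pinned."""
    findings = []
    for lineno, text in run_instructions(dockerfile):
        for argv in simple_commands(text):
            if len(argv) >= 2 and argv[0] == "npm" and argv[1] in UNPINNED_NPM_SUBCOMMANDS:
                findings.append((lineno, " ".join(argv)))
    return findings


if __name__ == "__main__":
    for name, df in (("unpinned", UNPINNED_DOCKERFILE), ("pinned", PINNED_DOCKERFILE)):
        print(name, unpinned_npm_commands(df) or "all npm commands install from the lockfile")
```

Running the script reports the `npm install` on line 4 of the first Dockerfile and nothing for the second, which is the same before/after the reply describes for Scorecard's output. Because the check only rewrites `install` to `ci`, the build still needs a committed package-lock.json that matches package.json, which is why the reply asks to confirm the Dockerfile still builds.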