Introducing PINNY:
Hash-pinning for your OSS dependencies
One of the big problems we see when trying to secure software supply chains is that it becomes cumbersome for developers. Security and development teams, which often remain at loggerheads, need better solutions. CISA’s Secure-by-Design principles are a step toward solving this logjam and making life easier for both developers and security teams.
Current software development processes pull in many open-source dependencies, not just in code but also in workflow processes through GitHub Actions. Using third-party code has its own challenges, and a few of the main threat vectors it exposes companies to are:
- Dependency confusion: Publication of malicious packages in public repositories with the same name as internal package names, in an attempt to trick clients into downloading the malicious package rather than the private one.
- Dependency hijacking: Obtaining control of the account of a package maintainer on the public repository, in order to upload a new, malicious version of a widely used package, with the intent of compromising unsuspecting clients who pull the latest version of the package.
These two threat vectors can easily be solved by the practice of hash-pinning the image/version of each OSS dependency the code uses, that is, referencing it by an immutable content digest or commit hash instead of a mutable tag. Hash-pinning is a recommended security practice and is effective against many common types of attacks.
While many kinds of OSS dependencies have their own package managers, a few common types of dependencies for which no package manager is available include Dockerfiles, docker-compose files and GitHub Actions.
Pinny
Pinny automates the process of hash-pinning dependencies in your Dockerfiles and GitHub workflow files (docker-compose file and Kubernetes manifest support is coming soon), making it easier for developers to follow “secure-by-design” principles.
Pinny is open source; check it out on GitHub. We will soon be adding a video tutorial to help developers understand how easy it is to use Pinny. Let us know on GitHub what else we can do to improve Pinny and help you follow secure-by-design principles.
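To make the rewrite concrete, here is an added example of the transformation hash-pinning performs on the two file types just named. It is illustrative code written for this page, not Pinny's own implementation. The registry and GitHub lookups a real tool would make are replaced by constructed tables, and every digest and commit SHA in it is a made-up placeholder; the Dockerfile and workflow inputs are constructed as well. It also shows the checks a practitioner wants: already-pinned lines are left alone, build-stage references and `scratch` are skipped, and anything the resolver cannot find is reported rather than guessed.

```python
"""Rewrite Dockerfile FROM lines and GitHub workflow `uses:` lines to hash-pinned form.

Added illustration of the rewrite that hash-pinning automates; this is not
Pinny's own code. Registry and GitHub lookups are replaced by the constructed
tables below so the script runs offline. Every digest and commit SHA here is a
made-up placeholder, not a real value.
"""
import re

# Constructed stand-ins for querying the image registry / the GitHub refs API.
IMAGE_DIGESTS = {
    "python:3.12-slim": "sha256:" + "ab" * 32,  # placeholder digest
    "alpine:3.19": "sha256:" + "cd" * 32,       # placeholder digest
}
ACTION_COMMITS = {
    "actions/checkout@v4": "ef" * 20,           # placeholder commit SHA
    "actions/setup-python@v5": "12" * 20,       # placeholder commit SHA
}

FROM_LINE = re.compile(
    r"^(?P<head>\s*FROM\s+(?:--platform=\S+\s+)?)"
    r"(?P<image>[^\s@]+)"
    r"(?P<digest>@sha256:[0-9a-f]{64})?"
    r"(?P<tail>.*)$",
    re.IGNORECASE,
)
USES_LINE = re.compile(
    r"^(?P<head>\s*-?\s*uses:\s*)"
    r"(?P<action>[^\s@#]+)@(?P<ref>[^\s#]+)"
    r"(?P<tail>\s*(?:#.*)?)$"
)
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")


def pin_dockerfile(text, digests=IMAGE_DIGESTS):
    """Return (pinned text, image refs that could not be resolved)."""
    stages, out, unresolved = set(), [], []
    for line in text.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            out.append(line)
            continue
        image, tail = m.group("image"), m.group("tail")
        alias = re.match(r"\s+AS\s+(\S+)", tail, re.IGNORECASE)
        if alias:
            stages.add(alias.group(1))  # remember build-stage names
        # Skip lines that are already pinned, use scratch, or refer to an earlier stage.
        if m.group("digest") or image.lower() == "scratch" or image in stages:
            out.append(line)
            continue
        digest = digests.get(image)
        if digest is None:
            unresolved.append(image)  # report it, never guess a digest
            out.append(line)
            continue
        out.append(f"{m.group('head')}{image}@{digest}{tail}")
    return "\n".join(out) + "\n", unresolved


def pin_workflow(text, commits=ACTION_COMMITS):
    """Return (pinned text, action refs that could not be resolved)."""
    out, unresolved = [], []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            out.append(line)
            continue
        action, ref, tail = m.group("action"), m.group("ref"), m.group("tail")
        # Skip lines already pinned to a full commit SHA, and docker:// references
        # (those are pinned by image digest, not by commit).
        if COMMIT_SHA.match(ref) or action.startswith("docker://"):
            out.append(line)
            continue
        sha = commits.get(f"{action}@{ref}")
        if sha is None:
            unresolved.append(f"{action}@{ref}")
            out.append(line)
            continue
        # Keep the human-readable tag as a comment so reviewers can still see it;
        # any existing trailing comment is preserved after it.
        out.append(f"{m.group('head')}{action}@{sha} # {ref}{tail}")
    return "\n".join(out) + "\n", unresolved


# Constructed sample inputs.
DOCKERFILE = """FROM --platform=linux/amd64 python:3.12-slim AS builder
RUN pip install --no-cache-dir build
FROM alpine:3.19
COPY --from=builder /app /app
FROM builder
FROM internal.example/tool:1.0
"""

WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: example-org/unknown-action@v1
      - uses: actions/checkout@""" + "ef" * 20 + """
"""

if __name__ == "__main__":
    for name, (pinned, missing) in (("Dockerfile", pin_dockerfile(DOCKERFILE)),
                                    ("ci.yml", pin_workflow(WORKFLOW))):
        print(f"--- {name} ---\n{pinned}unresolved: {missing}\n")
```

Running the script prints both files in pinned form and lists the one image and one action the constructed tables cannot resolve. Both functions are idempotent, so they can run on every commit without churning lines that are already pinned; the tag kept as a trailing comment is what a human reviewer reads, while the digest or commit SHA is what the build actually fetches.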