BUG: Pinned-Dependency for downloadThenRun finding when GitHub Raw Commit Hash Used #4733

@scottschreckengaust

Description

Describe the bug
With #3694 merged, a GitHub pinned hash should not be marked as an unpinned dependency.

Reproduction steps
Steps to reproduce the behavior:

1. Create a Dockerfile in an empty directory (this example is for rustup)

```dockerfile
FROM public.ecr.aws/docker/library/python:3.13.5-alpine3.21@sha256:c9a09c45a4bcc618c7f7128585b8dd0d41d0c31a8a107db4c8255ffe0b69375d

# Install system dependencies and Python package manager
RUN apk update && \
    apk add --no-cache --virtual .build-deps \
    build-base \
    gcc \
    musl-dev \
    libffi-dev \
    openssl-dev \
    curl

# Install Rust and Cargo with a newer version that supports edition2024
RUN curl --proto '=https' --tlsv1.2 -sSf 'https://raw.githubusercontent.com/rust-lang/rustup/f7935a8ad24a445629ceedb2cb706a4469e1e5b3/rustup-init.sh' | sh -s -- -v -y --default-toolchain nightly-2025-07-30 && \
    . $HOME/.cargo/env && \
    rustup default nightly-2025-07-30
```

2. Run

```shell
docker run -it --rm --env GITHUB_AUTH_TOKEN="$GITHUB_AUTH_TOKEN" -v `pwd`:`pwd` -w `pwd` --privileged gcr.io/openssf/scorecard:stable --checks "Pinned-Dependencies" --show-annotations --show-details --verbosity debug --format json --local .
```

3. See the downloadThenRun finding

```json
{
    "date": "2025-07-30T22:17:48Z",
    "repo": {
        "name": "file://.",
        "commit": "unknown"
    },
    "scorecard": {
        "version": "v5.1.1-45-g40bbc9c9",
        "commit": "40bbc9c958aa66327fb026b2136f1951298ca0f8"
    },
    "score": 5.0,
    "checks": [
        {
            "details": [
                "Warn: downloadThenRun not pinned by hash: Dockerfile:14-16",
                "Info:   1 out of   1 containerImage dependencies pinned",
                "Info:   0 out of   1 downloadThenRun dependencies pinned"
            ],
            "score": 5,
            "reason": "dependency not pinned by hash detected -- score normalized to 5",
            "name": "Pinned-Dependencies",
            "documentation": {
                "url": "https://github.com/ossf/scorecard/blob/40bbc9c958aa66327fb026b2136f1951298ca0f8/docs/checks.md#pinned-dependencies",
                "short": "Determines if the project has declared and pinned the dependencies of its build process."
            }
        }
    ],
    "metadata": null
}
```

Expected behavior
No findings when pinned against the GitHub commit hash.

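The check the report expects, as an added example that is not Scorecard's own code: a Go heuristic that treats a raw.githubusercontent.com URL as pinned only when its ref segment is a full 40-hex commit hash, and flags curl/wget-piped-to-shell lines that are not. The regex, the function names and the second RUN line of the sample Dockerfile are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// commitSHA: only a full 40-hex commit hash is immutable; branch names, tags
// and abbreviated hashes can be moved and so do not count as pinned.
var commitSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// isPinnedGitHubRaw reports whether a URL of the form
// https://raw.githubusercontent.com/{owner}/{repo}/{ref}/{path} has a full commit hash as {ref}.
func isPinnedGitHubRaw(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme != "https" || u.Host != "raw.githubusercontent.com" {
		return false
	}
	parts := strings.Split(strings.TrimPrefix(u.Path, "/"), "/")
	if len(parts) < 4 { // owner, repo, ref and at least one path element
		return false
	}
	return commitSHA.MatchString(parts[2])
}

// downloadThenRun matches a one-line "fetch a script and pipe it into a shell"
// pattern (curl/wget ... URL ... | sh) and captures the fetched URL.
var downloadThenRun = regexp.MustCompile(`(?:curl|wget)\b[^|\n]*?['"]?(https?://[^\s'"]+)['"]?[^|\n]*\|\s*(?:ba)?sh\b`)

// unpinnedDownloads returns the URL of every downloadThenRun occurrence in a
// Dockerfile that is not pinned to an immutable GitHub commit hash.
func unpinnedDownloads(dockerfile string) []string {
	var out []string
	for _, m := range downloadThenRun.FindAllStringSubmatch(dockerfile, -1) {
		if !isPinnedGitHubRaw(m[1]) {
			out = append(out, m[1])
		}
	}
	return out
}

// sampleDockerfile is constructed for this example: the first RUN is pinned to a
// commit hash (the one from the report), the second fetches from a mutable branch.
const sampleDockerfile = `FROM alpine:3.21
RUN curl --proto '=https' --tlsv1.2 -sSf 'https://raw.githubusercontent.com/rust-lang/rustup/f7935a8ad24a445629ceedb2cb706a4469e1e5b3/rustup-init.sh' | sh -s -- -y
RUN wget -qO- https://raw.githubusercontent.com/example-org/example-tool/main/install.sh | sh
`

func main() {
	fmt.Println("unpinned:", unpinnedDownloads(sampleDockerfile)) // only the branch-based URL
}
```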
Labels: kind/bug