actsense - GitHub Actions Security Auditor

Unpinned Dockerfile Resources

Description

Docker actions with Dockerfiles that download external resources (scripts, binaries, archives) without checksum verification create security risks: downloaded resources can be tampered with, man-in-the-middle attacks can replace resources, and compromised download servers can serve malicious files. Without checksum verification, resource integrity cannot be verified, making builds vulnerable to network attacks and supply-chain compromises. ¹

Vulnerable Instance

Dockerfile downloads external resources (scripts, binaries) without checksum verification.
Downloaded resources can be tampered with or replaced with malicious versions.
No way to verify resource integrity.

FROM alpine:latest
RUN wget https://example.com/script.sh && bash script.sh  # No verification

Mitigation Strategies

Download and verify checksum
Download the resource, verify its SHA256 checksum, and only then use it: RUN wget https://example.com/file.tar.gz && echo "abc123..." file.tar.gz | sha256sum -c - && tar -xzf file.tar.gz.
Use SHA256 checksums
Prefer SHA256 checksums for verification. Store expected checksums in the Dockerfile or a checksums file in the repository.
Store checksums securely
Include checksums in the Dockerfile or use a checksums file in the repository. Verify checksums match expected values before using resources.
Use HTTPS for all downloads
Always use HTTPS for downloads to prevent man-in-the-middle attacks. Verify SSL certificates.
Review all external resource downloads
Audit all Dockerfiles for external resource downloads. Document why each resource is needed and where it comes from.
Prefer repository storage
When possible, store resources in the repository rather than downloading them. This allows version control and code review.

Secure Version

 FROM alpine:latest
-RUN wget https://example.com/script.sh && bash script.sh  # No verification
+RUN wget https://example.com/script.sh && \
+    echo "a1b2c3d4e5f6..." script.sh | sha256sum -c - && \
+    bash script.sh

Impact

Dimension	Severity	Notes
Likelihood		Downloading resources without verification is common, but creates high risk when present.
Risk		Tampered resources can contain backdoors, malicious code, or exfiltrate secrets, enabling system compromise.
Blast radius		Impact depends on what the resource does, but can affect all workflows that use the Docker action.

References

GitHub Docs, “Creating a Docker container action,” https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action ¹

GitHub Docs, “Creating a Docker container action,” https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action ↩︎ ↩︎

Last updated on January 1, 2026

Unpinned Dockerfile Dependencies Unpinned External Resources