{"id":37163295,"url":"https://github.com/koalalab-inc/pinny","last_synced_at":"2026-01-14T19:25:14.612Z","repository":{"id":210350158,"uuid":"717341764","full_name":"koalalab-inc/pinny","owner":"koalalab-inc","description":"Pin your 3rd Party Github Actions and Docker Images dependencies.","archived":false,"fork":false,"pushed_at":"2025-03-15T06:31:43.000Z","size":1101,"stargazers_count":15,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-15T07:26:22.919Z","etag":null,"topics":["cicd","dependency-security","docker-security","github-actions","security-tools","supply-chain-security"],"latest_commit_sha":null,"homepage":"https://www.koalalab.com/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/koalalab-inc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-11T07:00:26.000Z","updated_at":"2025-03-15T06:31:47.000Z","dependencies_parsed_at":"2024-01-18T14:39:47.679Z","dependency_job_id":"183491bc-6fbc-4fdb-a899-68b1396e011e","html_url":"https://github.com/koalalab-inc/pinny","commit_stats":null,"previous_names":["koalalab-inc/pinny"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/koalalab-inc/pinny","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fpinny","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fpinny/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fpinny/releases","manifests_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fpinny/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/koalalab-inc","download_url":"https://codeload.github.com/koalalab-inc/pinny/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/koalalab-inc%2Fpinny/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28432592,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-14T18:57:19.464Z","status":"ssl_error","status_checked_at":"2026-01-14T18:52:48.501Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cicd","dependency-security","docker-security","github-actions","security-tools","supply-chain-security"],"created_at":"2026-01-14T19:25:13.964Z","updated_at":"2026-01-14T19:25:14.586Z","avatar_url":"https://github.com/koalalab-inc.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![Pinny](assets/imgs/pinny-header-light-1.png#gh-light-mode-only)\n![Pinny](assets/imgs/pinny-header-dark.png#gh-dark-mode-only)\n# Pinny\n\nHash-pinning for your OSS dependencies to protect against [repojacking](https://github.com/koalalab-inc/pinny/blob/main/docs/Secure-by-design-OSS.md) and [imposter 
commits](https://github.com/koalalab-inc/pinny/blob/main/docs/impostorcommits.md).\n\nPinny currently supports pinning Dockerfiles and Github Actions workflows.\n\n# Why\n\nSoftware supply chain attacks are on the rise, with a [742% increase in new-age supply chain attacks from 2019-2022](https://linuxfoundation.eu/newsroom/the-rising-threat-of-software-supply-chain-attacks-managing-dependencies-of-open-source-projects).\nThe use of OSS dependencies opens up organizations to a lot of software supply chain attack vectors like [repojacking and dependency confusion](https://github.com/koalalab-inc/pinny/blob/main/docs/Secure-by-design-OSS.md). Automated hash-pinning is a practice that helps against such attacks.\n\n### Hash-Pinning:\n\nOSS images can be referenced by image tags or by hashes/digests.\nImages referenced by tag are mutable. The maintainer could push a new image with the same TAG, and all downstream applications using that image and TAG could break.\n\nImages referenced by hash are immutable. Even if a new image is pushed with the same tag, the new image will have a new hash/digest. 
The previous image can still be referenced by the previous hash.\n\n\u003chr /\u003e\n\n# Contents\n* [Example](#example)\n    * [Pinning Github Actions workflows](#pinning-github-actions-workflows)\n    * [Pinning Dockerfiles](#pinning-dockerfiles)\n* [Usage](#usage)\n    * [Github Actions](#github-actions)\n    * [Dockerfiles](#dockerfiles)\n* [Installation](#installation)\n    * [Docker image](#docker-image)\n    * [Precompiled binary](#precompiled-binary)\n\n## Example:\n* #### Pinning Github Actions workflows\n    ![actions-pin-before-after.png](assets/imgs/actions-pin-before-after.png)\n* ##### Sample run on the Github workflows of the Akto Github repository\n    ![actions-pin.gif](assets/gifs/actions-pin.gif)\n\n* #### Pinning Dockerfiles\n    ![docker-pin-before-after.png](assets/imgs/docker-pin-before-after.png)\n* ##### Sample run on the Dockerfile of the Metabase Github repository\n    ![docker-pin.gif](assets/gifs/docker-pin.gif)\n\n## Usage:\n* #### Github Actions\n    To pin your Github Actions workflows, run the following command in your repository root. This will transform all the workflows in your repository to use pinned versions of the actions.\n    ```bash\n    pinny actions pin\n    ```\n    or, if you are being rate limited by Github's API:\n    ```bash\n    GITHUB_TOKEN=\u003cyour_token\u003e pinny actions pin\n    ```\n    You can use the `--dry-run` flag to see what changes will be made before actually making them.\n\n    To learn more:\n    ```bash\n    pinny actions --help\n    ```\n\n* #### Dockerfiles\n    Pinny supports two workflows for pinning Dockerfiles.\n1. ##### Pinning your files locally before you commit them\n    To pin your Dockerfile, run the following command in your repository root. 
This will look for a file named `Dockerfile` in your repository root and will create a new file named `Dockerfile.pinned` with pinned versions of all the base images.\n    ```bash\n    pinny docker pin\n    ```\n    Use the `--inplace` or `-i` flag to overwrite the original Dockerfile instead of creating a new file.\n    ```bash\n    pinny docker pin --inplace\n    ```\n    Use the `--file` or `-f` flag to specify a different file name.\n    ```bash\n    pinny docker pin --file Dockerfile.dev\n    ```\n\n1. ##### Generate and commit a lock file and pin your Dockerfiles in CI\n    * ###### Generate a lock file\n        To generate a lock file, run the following command in your repository root. This will look for a file named `Dockerfile` in your repository root and will create a file named `pinny-lock.json` with pinned versions of all the base images.\n        ```bash\n        pinny docker lock\n        ```\n        Use the `--file` or `-f` flag to specify a different file name.\n        ```bash\n        pinny docker lock --file Dockerfile.dev\n        ```\n\n        To learn more:\n        ```bash\n        pinny docker lock --help\n        ```\n    * ###### Transform your Dockerfiles in CI\n        Once you have committed the lock file, you can use the following command in your CI to transform your Dockerfiles to use pinned versions of the base images.\n        ```bash\n        pinny docker transform\n        ```\n        Use the `--file` or `-f` flag to specify a different file name.\n        ```bash\n        pinny docker transform --file Dockerfile.dev\n        ```\n        Use the `--inplace` or `-i` flag to overwrite the original Dockerfile instead of creating a new file.\n        ```bash\n        pinny docker transform --inplace\n        ```\n        `This command requires that you have a file named pinny-lock.json.`\u003cbr/\u003e\n        To learn more:\n        ```bash\n        pinny docker transform --help\n        ```\n\n## Installation:\n* #### Docker image\n    Get the version 
from the releases section and run the following command (replace 0.0.9 with the version you want to use):\n    ```bash\n    docker run -v \"$(pwd):/app\" -w /app -u $(id -u):$(id -g) ghcr.io/koalalab-inc/pinny:0.0.9 docker digest alpine:3.18\n    ```\n    You can alias this command to `pinny` for ease of use:\n    ```bash\n    alias pinny='docker run -v \"$(pwd):/app\" -w /app -u $(id -u):$(id -g) ghcr.io/koalalab-inc/pinny:0.0.9'\n    ```\n* #### Precompiled binary\n    Get the version from the releases section and run the following command (replace the version, OS and arch as per your system).\u003cbr /\u003e\n    The following command downloads the archive containing the binary for macOS x86_64 into the current directory:\n    ```bash\n    curl -fsSLO https://github.com/koalalab-inc/pinny/releases/download/v0.0.9/pinny_Darwin_x86_64.tar.gz\n    ```\n\n    To download and place the binary in `/usr/local/bin`, run the following command:\n    ```bash\n    curl -fsSL https://github.com/koalalab-inc/pinny/releases/download/v0.0.9/pinny_Darwin_x86_64.tar.gz | tar -xz -C \"/usr/local/bin/\" \"pinny\"\n    ```\n\n    On macOS, if you get an error like `Cannot Verify That This App is Free from Malware` or `This app is from an unidentified developer`, you can run the following command to allow the binary to run:\n    ```bash\n    sudo xattr -d com.apple.quarantine /usr/local/bin/pinny\n    ```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoalalab-inc%2Fpinny","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkoalalab-inc%2Fpinny","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkoalalab-inc%2Fpinny/lists"}