Pinned-Dependencies

[stephenegriffin]

Getting a code scanning alert in https://github.com/microsoft/MHA: "npmCommand not pinned by hash"

The remediations steps don't spell out what "npmCommand not pinned by hash" or how I'm supposed to resolve it. I basically have no idea what I'm supposed to do here. I tried altering the npm command (microsoft/MHA#1338) but that had no effect.

This issue looks promising: #2911 but I don't see any evidence of parsing failures - it would be helpful if I could see any logs showing how this alert was generated but I don't know where/how to find those.

[spencerschrock]

The remediations steps don't spell out what "npmCommand not pinned by hash" or how I'm supposed to resolve it. I basically have no idea what I'm supposed to do here

Agreed, the resolution steps aren't clear in the output.

In this case, it's looking for npm ci and not npm i:

RUN cd /app/MHA && npm ci && npm run build --if-present

Please double check your Dockerfile still works like this, but the warning in Scorecard should go away (--local lets you point Scorecard at local files so you don't need to merge and test):

scorecard --local=/tmp/MHA --checks Pinned-Dependencies --format json --show-details | jq

# omitted ...

      "details": [
        "Info:  21 out of  21 GitHub-owned GitHubAction dependencies pinned",
        "Info:  12 out of  12 third-party GitHubAction dependencies pinned",
        "Info:   1 out of   1 containerImage dependencies pinned",
        "Info:   1 out of   1 npmCommand dependencies pinned"
      ],
      "score": 10,
      "reason": "all dependencies are pinned",
      "name": "Pinned-Dependencies",