bump to v2025-06-15 #29
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This pull request includes a workflow that fetches an OpenAPI spec from raw.githubusercontent.com using an unpinned, mutable 'main' branch, creating a supply-chain risk where a compromised upstream repo or branch could inject a malicious spec; the workflow also lacks integrity checks (e.g., pinned commit hashes or checksums) to mitigate this. Consider pinning the URL to an immutable commit and/or adding verification to reduce the risk.
Potential Supply Chain Risk from Hardcoded External URL in
|
| Vulnerability | Potential Supply Chain Risk from Hardcoded External URL |
|---|---|
| Description | The workflow configuration hardcodes a URL to fetch an OpenAPI specification from raw.githubusercontent.com using a mutable 'main' branch. This introduces a supply chain risk. If the source repository ('Gusto/Gusto-Partner-API') is compromised, a malicious OpenAPI specification could be injected. This malicious specification could then be used to generate a compromised SDK or lead to incorrect and potentially exploitable API configurations in downstream systems that consume the generated SDK. |
gusto-python-client/.speakeasy/workflow.yaml
Lines 3 to 9 in ef1198c
Potential Supply Chain Risk from Hardcoded External URL in .speakeasy/workflow.yaml
| Vulnerability | Potential Supply Chain Risk from Hardcoded External URL |
|---|---|
| Description | The workflow configuration hardcodes a URL to fetch an OpenAPI specification from raw.githubusercontent.com using a mutable branch reference ('main'). This introduces a supply chain risk. If the 'Gusto/Gusto-Partner-API' repository were compromised, a malicious OpenAPI specification could be injected into the 'main' branch. This malicious specification would then be fetched by the Speakeasy workflow, potentially leading to the generation of a compromised SDK or incorrect/malicious API configurations in downstream systems. The current configuration does not include any integrity checks (like checksums) for the fetched resource, nor does it pin to an immutable commit hash, which would mitigate this risk. |
gusto-python-client/.speakeasy/workflow.yaml
Lines 15 to 21 in ef1198c
All finding details can be found in the DryRun Security Dashboard.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
References the new generated openapi spec file for v2025-06-15