Ratchet is a CLI tool that secures CI/CD workflows by automating version pinning and updating of upstream dependencies to immutable references.
A tool for securing CI/CD workflows with version pinning.
Ratchet is used by DevOps and security engineers to enhance the security and reliability of CI/CD pipelines by replacing mutable version references with fixed, checksummed versions. It automates the tedious process of resolving and maintaining pinned versions for various CI/CD platforms, reducing risks associated with mutable dependencies.
The README corresponds to the main development branch and may include unreleased features. The upgrade command only supports GitHub Actions references and does not work with container or Docker-based references. Users should pin versions to avoid the security risks that mutable dependencies pose in CI/CD workflows.
Install via Homebrew: brew install ratchet (community supported; may not be the latest release)
Download a single static binary from the releases page
Use the container image from the container registry
Install via Nix: nix run 'github:NixOS/nixpkgs/nixpkgs-unstable#ratchet' -- --help (community supported)
Install via Go: go install github.com/sethvargo/ratchet@latest
Compile from source (not officially supported)
ratchet pin workflow.yml
Pins all mutable references in the input CI/CD workflow file to immutable versions.
ratchet pin -parser circleci circleci.yml
Pins versions in a CircleCI configuration file.
ratchet unpin workflow.yml
Removes pinned versions from the input workflow file, reverting to original mutable references.
ratchet update workflow.yml
Updates all pinned versions to the latest matching version constraints.
ratchet upgrade workflow.yml
Upgrades all GitHub Actions references to their latest versions, updating both the ref and ratchet comment.
ratchet pin -out workflow-compiled.yml workflow.yml
Pins versions and outputs the result to a different file path.
ratchet unpin -out workflow.yml workflow-compiled.yml
Unpins versions and writes output to a specified file.
ratchet update -parser cloudbuild cloudbuild.yml
Updates pinned versions in a Google Cloud Build configuration file.
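As an added example (not code from the ratchet project), the audit below flags the mutable `uses:` references that `ratchet pin` is meant to replace, and also reports pinned SHAs that lack the `# ratchet:` comment ratchet writes beside them (which `update` and `unpin` rely on). The workflow, the SHA and the digest are constructed placeholders.

```python
import re

# Constructed sample GitHub Actions workflow for this example; the 40-hex SHA
# and any sha256 digest are placeholders, not real commits or images.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    uses: example-org/shared/.github/workflows/lint.yml@main
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # ratchet:actions/setup-go@v5
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s+#\s*ratchet:(?P<orig>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def classify(ref):
    """Return 'local', 'pinned' or 'mutable' for one `uses:` reference."""
    if ref.startswith("./"):
        return "local"          # actions in this repository have no upstream to pin
    if ref.startswith("docker://"):
        return "pinned" if DIGEST_RE.search(ref) else "mutable"  # tags move, digests do not
    if "@" not in ref:
        return "mutable"        # no ref at all resolves to the default branch
    version = ref.rsplit("@", 1)[1]
    return "pinned" if SHA_RE.match(version) else "mutable"  # tags and branches are mutable

def audit_workflow(text):
    """Return (line_no, ref, status, ratchet_comment) for every upstream reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        status = classify(m.group("ref"))
        if status == "pinned" and m.group("orig") is None:
            status = "pinned-without-comment"  # ratchet update/unpin need the original constraint
        if status != "local":
            findings.append((line_no, m.group("ref"), status, m.group("orig")))
    return findings

def mutable_refs(text):
    """References a CI gate should reject before the workflow is allowed to run."""
    return [ref for _, ref, status, _ in audit_workflow(text) if status == "mutable"]

if __name__ == "__main__":
    for line_no, ref, status, orig in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {status:<22} {ref}" + (f"  (ratchet:{orig})" if orig else ""))
```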