# frizbee (CLI)

**frizbee pins your mutable tags to immutable digests, so a CI/CD pipeline can't be hijacked by someone reassigning `v1` or `latest` to malicious content.**

A Go CLI and library from Stacklok. Apache 2.0.

The risk it closes: tags are mutable. `actions/checkout@v4` or `node:20` can be repointed at any time, which is a classic software-supply-chain attack vector. frizbee rewrites those references to content-addressable digests (`@sha256:...`), making builds reproducible and verified.

## What it pins

- **[[GitHub Actions]].** Rewrites `uses:` references to digest-pinned versions.
- **Container images.** Resolves image tags across YAML, Dockerfiles, and Kubernetes manifests.

## How it works

It parses workflow files and deployment manifests, queries the registry for each tag's digest, and replaces the mutable reference with the pinned equivalent: `action@v1` becomes `action@sha256:abc123...`.

## Using it

```bash
go install github.com/stacklok/frizbee@latest
# or: brew install frizbee

frizbee actions path/to/.github/workflows/
frizbee image path/to/manifests/
frizbee image ghcr.io/stacklok/minder/server:latest
```

- **Batch** over whole directories; **dry-run** to preview.
- **CI enforcement.** Non-zero exit on findings, so a pipeline can fail the build.
- **Exclusions.** A `.frizbee.yml` skips branches (`main`, `master` by default) and specific images/tags.
- Also ships as a GitHub Action and an importable Go library.

## References

- https://github.com/stacklok/frizbee

## Related

- [[Software Supply Chain Security]]
- [[DevSecOps]]
- [[GitHub Actions]]
- [[Docker]]
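The "CI enforcement" idea above, as an added example that is not frizbee's own code: a minimal checker that walks a workflow and a manifest, flags `uses:` and `image:` references still on a mutable tag, and exits non-zero when any are found. The sample workflow, manifest, commit SHA and digest are constructed placeholders, not real projects or content hashes.

```python
"""Flag mutable refs in GitHub workflows and container manifests (regex-based, YAML-agnostic)."""
import re
import sys

# `uses:` lines in a workflow; `image:` lines in a manifest or compose file.
ACTION_USES = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
IMAGE_FIELD = re.compile(r"^\s*(?:-\s*)?image:\s*['\"]?([^\s'\"#]+)")
COMMIT_SHA = re.compile(r"[0-9a-f]{40}")          # pinned action = full git commit SHA
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")  # pinned image = content digest


def image_is_pinned(ref: str) -> bool:
    return IMAGE_DIGEST.search(ref) is not None


def action_is_pinned(ref: str) -> bool:
    if ref.startswith("./"):                      # local action: resolved from the repo itself
        return True
    if ref.startswith("docker://"):               # action run from an image: judge it as an image
        return image_is_pinned(ref[len("docker://"):])
    _, _, version = ref.partition("@")
    return COMMIT_SHA.fullmatch(version) is not None


def find_unpinned(text: str, kind: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for every mutable ref; kind is 'actions' or 'image'."""
    pattern, check = (ACTION_USES, action_is_pinned) if kind == "actions" else (IMAGE_FIELD, image_is_pinned)
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = pattern.match(line)
        if m and not check(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed inputs: the SHA and digest below are placeholders, not real commits or images.
SHA = "0123456789abcdef0123456789abcdef01234567"
DIGEST = "ab" * 32
WORKFLOW = f"""jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@{SHA} # v5.0.0
      - uses: ./.github/actions/local
"""
MANIFEST = f"""containers:
  - name: server
    image: ghcr.io/stacklok/minder/server:latest
  - name: db
    image: postgres@sha256:{DIGEST}
"""

if __name__ == "__main__":
    hits = find_unpinned(WORKFLOW, "actions") + find_unpinned(MANIFEST, "image")
    for lineno, ref in hits:
        print(f"line {lineno}: mutable reference {ref}")
    sys.exit(1 if hits else 0)   # non-zero exit lets the pipeline fail the build
```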