ratchet
by sethvargo
Ratchet is a CLI tool that secures CI/CD workflows by automating version pinning and updating of upstream dependencies to immutable references.
A tool for securing CI/CD workflows with version pinning.
Primary Use Case
Ratchet is used by DevOps and security engineers to enhance the security and reliability of CI/CD pipelines by replacing mutable version references with fixed, checksummed versions. It automates the tedious process of resolving and maintaining pinned versions for various CI/CD platforms, reducing risks associated with mutable dependencies.
- Automates pinning and unpinning of upstream CI/CD workflow versions
- Supports multiple CI/CD platforms including GitHub Actions, CircleCI, GitLab CI, Google Cloud Build, Harness Drone, and Tekton
- Resolves mutable references to immutable checksummed versions
- Maintains original version constraints as comments for traceability
- Provides commands to pin, unpin, update, and upgrade workflow references
- Distributes as a single static binary, container image, or via package managers
- Focuses on improving security and reliability in DevSecOps pipelines
Installation
- Install via Homebrew: brew install ratchet (community supported, may not be latest)
- Download a single static binary from the releases page
- Use the container image from the container registry
- Install via Nix: nix run 'github:NixOS/nixpkgs/nixpkgs-unstable#ratchet' -- --help (community supported)
- Install via Go: go install github.com/sethvargo/ratchet@latest
- Compile from source (not officially supported)
Usage
>_ ratchet pin workflow.ymlPins all mutable references in the input CI/CD workflow file to immutable versions.
>_ ratchet pin -parser circleci circleci.ymlPins versions in a CircleCI configuration file.
>_ ratchet unpin workflow.ymlRemoves pinned versions from the input workflow file, reverting to original mutable references.
>_ ratchet update workflow.ymlUpdates all pinned versions to the latest matching version constraints.
>_ ratchet upgrade workflow.ymlUpgrades all GitHub Actions references to their latest versions, updating both the ref and ratchet comment.
>_ ratchet pin -out workflow-compiled.yml workflow.ymlPins versions and outputs the result to a different file path.
>_ ratchet unpin -out workflow.yml workflow-compiled.ymlUnpins versions and writes output to a specified file.
>_ ratchet update -parser cloudbuild cloudbuild.ymlUpdates pinned versions in a Google Cloud Build configuration file.
- Integrate Ratchet into CI/CD pipelines to enforce immutable references and prevent supply chain attacks caused by mutable dependencies.
- Use Ratchet to automate compliance with secure software development lifecycle practices by ensuring pinned versions are auditable and traceable.
- Combine Ratchet with vulnerability scanning tools to detect outdated or vulnerable pinned dependencies proactively.
- Leverage Ratchet's multi-platform support to standardize security controls across diverse CI/CD environments.
- In purple team exercises, simulate attacks exploiting mutable dependencies and demonstrate how Ratchet mitigates these risks effectively.
Docs Take 2 Hours. AI Takes 10 Seconds.
Ask anything about ratchet. Installation? Config? Troubleshooting? Get answers trained on real docs and GitHub issues—not generic ChatGPT fluff.
This tool hasn't been indexed yet. Request indexing to enable AI chat.
Admin will review your request within 24 hours
Related Tools
earthly
earthly/earthly
Super simple build framework with fast, repeatable builds and an instantly familiar syntax – like Dockerfile and Makefile had a baby.
pull
wei/pull
🤖 Keep your forks up-to-date via automated PRs
jx
jenkins-x/jx
Jenkins X provides automated CI+CD for Kubernetes with Preview Environments on Pull Requests using Cloud Native pipelines from Tekton
zizmor
zizmorcore/zizmor
Static analysis for GitHub Actions
garden
garden-io/garden
Automation for Kubernetes development and testing. Spin up production-like environments for development, testing, and CI on demand. Use the same configuration and workflows at every step of the process. Speed up your builds and test runs via shared result caching
okteto
okteto/okteto
Develop your applications directly in your Kubernetes Cluster