| Version | Supported |
|---|---|
| 1.x | ✅ |
If you discover a security vulnerability in this project, please report it responsibly.
- Do not open a public GitHub issue for security vulnerabilities
- Use GitHub's private vulnerability reporting to submit a report
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
After you report, you can expect:
- Acknowledgment of your report within 48 hours
- Initial assessment within 7 days
- Target resolution within 90 days for critical vulnerabilities
- Regular updates on the progress of addressing the vulnerability
- Credit in the security advisory (unless you prefer to remain anonymous)
The following are considered security vulnerabilities:
- Malicious code injection in the installation script
- Downloading binaries from untrusted sources
- Unsafe handling of file paths or environment variables
- Issues that could compromise the CI/CD pipeline
Out of scope:
- Vulnerabilities in upstream dependencies (report to the respective project)
- Vulnerabilities in Microsoft.CrmSdk.CoreTools (report to Microsoft)
- Issues requiring physical access or social engineering
Security fixes are announced via:
- GitHub Security Advisories
- Release notes for patched versions
Dependencies are monitored automatically via Dependabot.
This project employs multiple layers of automated security:
| Measure | Description |
|---|---|
| CodeQL | Static analysis for security vulnerabilities |
| OSSF Scorecard | Supply chain security assessment published to OpenSSF |
| Dependency Review | Scans PRs for vulnerable dependencies |
| Hardened Runners | Workflows use step-security/harden-runner with egress blocking |
| Secret Scanning | Detects hardcoded credentials in code |
| Unsafe Pattern Detection | Flags potentially dangerous PowerShell patterns |
| Pinned Actions | All GitHub Actions pinned to full commit SHAs |
| Dependabot | Automated dependency updates |
This action performs the following operations that have security implications:
- Downloads the NuGet CLI from `https://dist.nuget.org/win-x86-commandline/latest/nuget.exe` (note that `latest` is not a version-pinned URL, so the binary fetched can change between runs)
- Installs packages from NuGet.org via the official NuGet CLI
- Sets environment variables (`CRM_SDK_PATH`) via process scope and the `GITHUB_ENV` file
- Writes files to `$env:LOCALAPPDATA\Programs\`
If you have firewall or egress restrictions, allow these endpoints (the CDN entry is a domain rather than a single host, so your rule must cover its subdomains):
| Endpoint | Port | Purpose |
|---|---|---|
| `dist.nuget.org` | 443 | NuGet CLI download |
| `api.nuget.org` | 443 | Package metadata API |
| `azureedge.net` | 443 | NuGet package CDN |
Recommended practices when consuming this action:
- Pin the action version - Use a tagged release (e.g., `@v1`) rather than `@main`; for the strongest guarantee, pin to a full commit SHA, since tags can be moved
- Pin the SDK version - Use the `version` input to install a specific SDK version for reproducibility
- Review workflow permissions - Grant only the permissions your workflow needs
- Verify the SDK path - The action outputs `sdk-path`, which can be validated in subsequent steps before anything downstream trusts it
- Use isolated runners - Consider ephemeral runners for sensitive pipelines
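The practices above combined in one workflow, as an added example that is not part of the project's own documentation. The action reference `OWNER/REPO` and the all-zero commit SHA are placeholders to replace with the real action and the SHA of the release you audited; the SDK version value is illustrative; and the Authenticode check assumes the SDK executables are Microsoft-signed (relax it if the package ships unsigned tools). The `version` input and `sdk-path` output are the ones named above. The `sdk-path` value is handed to PowerShell through an environment variable rather than interpolated into the script text, so an unexpected value cannot change what the script executes.

```yaml
# Added example, not the project's own workflow.
# Placeholders: OWNER/REPO and the 40-zero SHA; version value is illustrative.
name: build-with-crm-sdk

on:
  push:
    branches: [main]

# Grant only what the job needs: read access to repository contents.
permissions:
  contents: read

jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4  # pin to a full SHA in real use

      # Pin the action to a full commit SHA (tags can be moved) and pin the SDK version.
      - name: Install CRM SDK CoreTools
        id: sdk
        uses: OWNER/REPO@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          version: 9.1.0.0  # illustrative; pin the exact version you tested

      # Validate the sdk-path output before any later step relies on it.
      - name: Verify SDK path
        shell: pwsh
        env:
          SDK_PATH: ${{ steps.sdk.outputs.sdk-path }}  # passed via env, not interpolated
        run: |
          if ([string]::IsNullOrWhiteSpace($env:SDK_PATH)) {
            throw 'sdk-path output is empty'
          }
          if (-not (Test-Path -LiteralPath $env:SDK_PATH -PathType Container)) {
            throw "sdk-path '$env:SDK_PATH' does not exist"
          }
          # The action documents writing only under $env:LOCALAPPDATA\Programs\;
          # refuse a resolved path that escapes that root.
          $expectedRoot = Join-Path $env:LOCALAPPDATA 'Programs'
          $resolved = (Resolve-Path -LiteralPath $env:SDK_PATH).Path
          if (-not $resolved.StartsWith($expectedRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            throw "sdk-path '$resolved' is outside '$expectedRoot'"
          }
          # Assumption: every executable in the SDK carries a valid Authenticode signature.
          $exes = @(Get-ChildItem -LiteralPath $resolved -Recurse -Filter *.exe)
          if ($exes.Count -eq 0) { throw "no executables found under '$resolved'" }
          foreach ($exe in $exes) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe.FullName
            if ($sig.Status -ne 'Valid') {
              throw "$($exe.FullName): signature status $($sig.Status)"
            }
          }
          Write-Host "Verified $($exes.Count) signed executables under $resolved"
```

The verification step fails the job rather than warning, so a missing directory, a path outside the documented install root, or an unsigned binary stops the pipeline before the SDK is used. If the installed layout or the signing status of the tools differs from these assumptions, adjust the checks rather than removing them.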
This action:
- Does not transmit any data to external services (beyond the NuGet endpoints listed above, used for CLI and package download)
- Does not collect or store telemetry
- Does not access or modify files outside the installation directory, other than appending to the `GITHUB_ENV` file as described above
- Cleans up downloaded NuGet CLI after installation