Skip to content

fix(ci): pin tj-actions/changed-files to SHA and bump Node to 20#56

Merged
kaleko merged 1 commit intomainfrom
fix/workflow-security-hardening
Mar 11, 2026
Merged

fix(ci): pin tj-actions/changed-files to SHA and bump Node to 20#56
kaleko merged 1 commit intomainfrom
fix/workflow-security-hardening

Conversation

@harshitkgupta
Copy link

@harshitkgupta harshitkgupta commented Mar 10, 2026
edited
Loading

Summary

  • Pin tj-actions/changed-files to commit SHA (ed68ef82c095e0d48ec87eccea555d944a631a4c) in 3 workflows (js-lint, python-lint, ash-security-scan) to prevent supply chain attacks if the v46 tag is moved
  • Bump Node.js from 18 to 20 in js-lint.yml — Node 18 reached EOL in April 2025

Test plan

  • Verify js-lint workflow runs successfully on a PR with JS/TS changes
  • Verify python-lint workflow runs successfully on a PR with Python changes
  • Verify ash-security-scan workflow runs successfully on a PR with relevant file changes

🤖 Generated with Claude Code

@claude
fix(ci): pin tj-actions/changed-files to SHA and bump Node to 20
12d1236 
Pin tj-actions/changed-files from v46 tag to commit SHA to prevent
supply chain attacks. Bump Node.js from EOL 18 to 20 in js-lint workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@harshitkgupta harshitkgupta requested a review from a team March 10, 2026 20:05
@github-actions github-actions bot added the ci label Mar 10, 2026
@github-actions
Copy link

github-actions bot commented Mar 10, 2026

Latest scan for commit: 12d1236 | Updated: 2026-03-10 20:09:55 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-03-10T20:09:38+00:00
  • ASH version: 3.2.2

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner S C H M L I Time Action Result Thresh
bandit 0 0 0 0 0 0 480ms 0 PASSED MED (g)
cdk-nag 0 0 0 0 0 0 36.0s 0 PASSED MED (g)
cfn-nag 0 0 0 0 0 0 31ms 0 PASSED MED (g)
checkov 0 0 0 0 0 0 5.2s 0 PASSED MED (g)
detect-secrets 0 0 0 0 0 0 251ms 0 PASSED MED (g)
grype 0 6 0 0 0 0 38.7s 6 FAILED MED (g)
npm-audit 0 0 0 0 0 0 495ms 0 PASSED MED (g)
opengrep 0 0 0 0 0 0 22.3s 0 PASSED MED (g)
semgrep 0 0 0 0 0 0 16.2s 0 PASSED MED (g)
syft 0 0 0 0 0 0 1.7s 0 PASSED MED (g)

Detailed Findings

Show 6 actionable findings

Finding 1: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
  • Location: .github/workflows/ash-security-scan.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/ash-security-scan.yml

Finding 2: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
  • Location: .github/workflows/js-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml

Finding 3: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
  • Location: .github/workflows/python-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml

Finding 4: GHSA-mcph-m25j-8j63-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mcph-m25j-8j63-tj-actions/changed-files
  • Location: .github/workflows/ash-security-scan.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/ash-security-scan.yml

Finding 5: GHSA-mcph-m25j-8j63-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mcph-m25j-8j63-tj-actions/changed-files
  • Location: .github/workflows/js-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml

Finding 6: GHSA-mcph-m25j-8j63-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mcph-m25j-8j63-tj-actions/changed-files
  • Location: .github/workflows/python-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml

Report generated by Automated Security Helper (ASH) at 2026-03-10T20:09:32+00:00

@kaleko kaleko merged commit c70b147 into main Mar 11, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kaleko kaleko kaleko approved these changes

Assignees

No one assigned

Labels

ci

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@harshitkgupta @kaleko