feat(sec): pinned all versions to sha hashs (#65)

DovnarAlexander · web-flow · commit b362e695e7e0 · 2026-03-26T22:46:15.000+03:00
* changed checkov framework
diff --git a/.github/actions/helm-release-oci/action.yaml b/.github/actions/helm-release-oci/action.yaml
@@ -60,7 +60,7 @@ runs:
   using: composite
   steps:
     - name: Setup Helm
-      uses: azure/setup-helm@v4
+      uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
       with:
         version: v3.18.3
 
@@ -156,7 +156,7 @@ runs:
     # Intentional: version bump commit runs only when chart push is enabled.
     - name: Commit file to branch
       if: ${{ inputs.push_chart == 'true' && inputs.bump_version_in_git == 'true' }}
-      uses: stefanzweifel/git-auto-commit-action@f53a62c26ed5971dd2ed8768e4142f08c767ea37
+      uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7
       with:
         branch: ${{ inputs.bump_version_git_branch != '' && inputs.bump_version_git_branch || github.ref_name }}
         commit_message: "Helm bumped up version and appVersion [skip ci]"
diff --git a/.github/workflows/actionlint-test.yaml b/.github/workflows/actionlint-test.yaml
@@ -12,7 +12,7 @@ jobs:
     name: Invalid fixtures fail
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Prepare invalid workflow fixture
         shell: bash
@@ -24,7 +24,7 @@ jobs:
       - name: Run actionlint on invalid workflow fixture
         id: invalid-workflow-lint
         continue-on-error: true
-        uses: devops-actions/actionlint@fff09c1c1b540ae616ebbc7e5d49de02b44f9cbb
+        uses: devops-actions/actionlint@469810fd82c015d3c43815cd2b0e4d02eecc4819 # v0.1.11
 
       - name: Assert workflow lint failed
         if: ${{ steps.invalid-workflow-lint.outcome == 'success' }}
@@ -43,7 +43,7 @@ jobs:
       - name: Run composite action lint on invalid fixture
         id: composite-action-lint
         continue-on-error: true
-        uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d
+        uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d # master
         with:
           actions: .github/actions/*/action.yaml
 
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
@@ -16,11 +16,11 @@ jobs:
     name: Lint workflows and local actions
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run actionlint with reviewdog
         if: ${{ github.event_name == 'pull_request' }}
-        uses: reviewdog/action-actionlint@d39025c0fb1cc41ac827852403ea94804b0e6907
+        uses: reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 # v1
         with:
           reporter: github-pr-check
           fail_level: any
@@ -29,10 +29,10 @@ jobs:
 
       - name: Run actionlint on workflows
         if: ${{ github.event_name == 'push' }}
-        uses: devops-actions/actionlint@fff09c1c1b540ae616ebbc7e5d49de02b44f9cbb
+        uses: devops-actions/actionlint@469810fd82c015d3c43815cd2b0e4d02eecc4819 # v0.1.11
 
       - name: Validate local actions
         if: ${{ always() }}
-        uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d
+        uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d # master
         with:
           actions: .github/actions/*/action.y*ml
diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml
@@ -19,19 +19,19 @@ jobs:
     runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }}
     steps:
       - name: Generate GitHub App token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
         id: app-token
         with:
           app-id: ${{ secrets.GITHUB_APP_ID }}
           private-key: ${{ secrets.GITHUB_APP_KEY }}
       - name: Bump version and push tag
         id: tag_version
-        uses: mathieudutour/github-tag-action@d745f2e74aaf1ee82e747b181f7a0967978abee0
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2
         with:
           github_token: ${{ steps.app-token.outputs.token }}
 
       - name: Create a GitHub release
-        uses: ncipollo/release-action@d82d180c1d8147d23544f9d2610bf8a1941af66e
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1
         with:
           tag: ${{ steps.tag_version.outputs.new_tag }}
           name: Release ${{ steps.tag_version.outputs.new_tag }}
diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml
@@ -145,14 +145,14 @@ jobs:
       scan_artifact_name: docker-build-trivy-scan-report
       sbom_artifact_name: docker-build-cyclonedx-sbom
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
       # Auth
       ## AWS
-      - uses: aws-actions/configure-aws-credentials@v6
+      - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
         if: inputs.DOCKER_PUSH && inputs.AWS_REGION != ''
         with:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
@@ -161,26 +161,26 @@ jobs:
       - name: Login to Amazon ECR
         if: inputs.DOCKER_PUSH && inputs.AWS_REGION != ''
         id: ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
       ## GHCR
       - name: Login to GitHub Container Registry
         if: inputs.DOCKER_PUSH && inputs.REGISTRY == 'ghcr.io' && inputs.AWS_REGION == ''
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ inputs.USERNAME != '' && inputs.USERNAME || github.actor }}
           password: ${{ secrets.TOKEN }}
       ## Other
       - name: Login to registry (using username and token)
         if: inputs.DOCKER_PUSH && inputs.REGISTRY != '' && inputs.REGISTRY != 'ghcr.io' && inputs.USERNAME != ''
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ inputs.REGISTRY }}
           username: ${{ inputs.USERNAME }}
           password: ${{ secrets.TOKEN }}
       - name: Prepare Docker meta
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
         with:
           images: ${{ inputs.AWS_REGION != '' && steps.ecr.outputs.registry || inputs.REGISTRY }}/${{ inputs.IMAGE != '' && inputs.IMAGE || github.repository }}
           flavor: |
@@ -215,7 +215,7 @@ jobs:
             ${{ inputs.CUSTOM_TAGS }}
       - name: Build and push
         id: build_push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
         with:
           platforms: ${{ inputs.DOCKER_PLATFORMS }}
           context: ${{ inputs.DOCKER_CONTEXT }}
@@ -233,7 +233,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         id: security_scan
         if: ${{ inputs.SECURITY_SCAN_ENABLED && inputs.DOCKER_PUSH }}
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         env:
           TRIVY_EXIT_ON_EOL: "1"
         with:
@@ -246,7 +246,7 @@ jobs:
           severity: "${{ inputs.SECURITY_SCAN_SEVERITY }}"
       - name: Generate SBOM (CycloneDX)
         if: ${{ always() && inputs.SBOM_ENABLED && inputs.DOCKER_PUSH }}
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           image-ref: "${{ fromJSON(steps.meta.outputs.json).tags[0] }}"
           hide-progress: true
@@ -269,13 +269,13 @@ jobs:
           fi
       - name: Upload scan report artifact
         if: ${{ always() && inputs.SECURITY_SCAN_ENABLED && inputs.DOCKER_PUSH && hashFiles('scan-report.txt') != '' }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: docker-build-trivy-scan-report
           path: scan-report.txt
       - name: Upload SBOM artifact
         if: ${{ always() && inputs.SBOM_ENABLED && inputs.DOCKER_PUSH && hashFiles('sbom.json') != '' }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: docker-build-cyclonedx-sbom
           path: sbom.json
@@ -296,7 +296,7 @@ jobs:
       - name: Send Slack notification
         if: ${{ always() && steps.check_slack_webhook.outputs.has_webhook == 'true' && (job.status != 'success' || inputs.SLACK_NOTIFY_ON_SUCCESS) }}
         continue-on-error: true
-        uses: slackapi/slack-github-action@fd998911a4a39ce77c6ae6221df1f58471594105
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK }}
           webhook-type: incoming-webhook
diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml
@@ -28,13 +28,13 @@ jobs:
       security_trivy: ${{ steps.filter.outputs.security_trivy }}
       framework: ${{ steps.filter.outputs.framework }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 
       - name: Match changed components
         id: filter
-        uses: dorny/paths-filter@61f87a10cd2c304679af17bb73ef192addf33c1c
+        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4
         with:
           list-files: shell
           filters: |
diff --git a/.github/workflows/helm-release-ecr.yaml b/.github/workflows/helm-release-ecr.yaml
@@ -98,13 +98,13 @@ jobs:
     steps:
       - name: Generate GitHub App token
         if: ${{ inputs.push_chart && inputs.bump_version_in_git }}
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
         id: app-token
         with:
           app-id: ${{ secrets.GITHUB_APP_ID }}
           private-key: ${{ secrets.GITHUB_APP_KEY }}
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           token: ${{ steps.app-token.outputs.token != '' && steps.app-token.outputs.token || github.token }}
           fetch-depth: 0
@@ -122,15 +122,15 @@ jobs:
 
       - name: Configure AWS credentials (OIDC)
         if: ${{ inputs.push_chart }}
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
         with:
           role-to-assume: ${{ inputs.aws_role_to_assume }}
           aws-region: ${{ inputs.aws_region }}
 
       - name: Login to Amazon ECR
         if: ${{ inputs.push_chart }}
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2
 
       - name: Run OCI core
         id: core
diff --git a/.github/workflows/helm-release-gar.yaml b/.github/workflows/helm-release-gar.yaml
@@ -98,13 +98,13 @@ jobs:
     steps:
       - name: Generate GitHub App token
         if: ${{ inputs.push_chart && inputs.bump_version_in_git }}
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
         id: app-token
         with:
           app-id: ${{ secrets.GITHUB_APP_ID }}
           private-key: ${{ secrets.GITHUB_APP_KEY }}
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           token: ${{ steps.app-token.outputs.token != '' && steps.app-token.outputs.token || github.token }}
           fetch-depth: 0
@@ -123,15 +123,15 @@ jobs:
       - name: Authenticate to Google Cloud
         id: gcp_auth
         if: ${{ inputs.push_chart }}
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           token_format: access_token
           workload_identity_provider: ${{ inputs.gcp_workload_identity_provider }}
           service_account: ${{ inputs.gcp_service_account }}
 
       - name: Login to GAR
         if: ${{ inputs.push_chart }}
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
         with:
           registry: ${{ inputs.gar_registry }}
           username: oauth2accesstoken
diff --git a/.github/workflows/helm-release-github.yaml b/.github/workflows/helm-release-github.yaml
@@ -92,20 +92,20 @@ jobs:
     steps:
       - name: Generate GitHub App token
         if: ${{ inputs.push_chart && inputs.bump_version_in_git }}
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2
         id: app-token
         with:
           app-id: ${{ secrets.GITHUB_APP_ID }}
           private-key: ${{ secrets.GITHUB_APP_KEY }}
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           token: ${{ steps.app-token.outputs.token != '' && steps.app-token.outputs.token || github.token }}
           fetch-depth: 0
 
       - name: Login to GitHub Registry
         if: ${{ inputs.push_chart }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ inputs.ghcr_registry }}
           username: ${{ github.actor }}
diff --git a/.github/workflows/helm-release-oci-test.yaml b/.github/workflows/helm-release-oci-test.yaml
@@ -13,7 +13,7 @@ jobs:
     name: Case - OCI core action succeeds
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Run OCI core action
         id: core
         uses: ./.github/actions/helm-release-oci
diff --git a/.github/workflows/security-checkov-test.yaml b/.github/workflows/security-checkov-test.yaml
@@ -6,9 +6,12 @@ on:
 
 jobs:
   case_soft_fail_success:
+    strategy:
+      matrix:
+        framework: [terraform, kubernetes, helm]
     name: Case - soft fail succeeds
     uses: ./.github/workflows/security-checkov.yaml
     with:
       directory: fixtures/security-checkov
-      framework: terraform,kubernetes,helm
+      framework: ${{ matrix.framework }}
       soft_fail: true
diff --git a/.github/workflows/security-checkov.yaml b/.github/workflows/security-checkov.yaml
@@ -9,10 +9,10 @@ on:
         type: string
         default: .
       framework:
-        description: Checkov frameworks (comma separated list)
+        description: Checkov framework
         required: false
         type: string
-        default: terraform,kubernetes,helm
+        default: all
       soft_fail:
         description: Do not fail the workflow on findings
         required: false
@@ -39,15 +39,15 @@ permissions:
 
 jobs:
   checkov:
-    name: Checkov IaC Scan
+    name: Checkov Scan (${{ inputs.framework }})
     runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }}
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Checkov
-        uses: bridgecrewio/checkov-action@dae50a5e9eb93ac7dc96b2aea92a185131103539
+        uses: bridgecrewio/checkov-action@8c07e78c64ddc2209d8c193a4e321aad67677f8d # v12
         with:
           directory: ${{ inputs.directory }}
           framework: ${{ inputs.framework }}
diff --git a/.github/workflows/security-codeql.yml b/.github/workflows/security-codeql.yml
@@ -31,16 +31,16 @@ jobs:
     name: Analyze (${{ inputs.language }})
     runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
         with:
           languages: ${{ inputs.language }}
           queries: security-extended
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
 
       - name: Analyze
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4
diff --git a/.github/workflows/security-dependency-review.yml b/.github/workflows/security-dependency-review.yml
@@ -19,9 +19,9 @@ jobs:
     runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Dependency Review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4
         with:
           fail-on-severity: high
diff --git a/.github/workflows/security-gitleaks.yml b/.github/workflows/security-gitleaks.yml
diff --git a/.github/workflows/security-scan-test.yml b/.github/workflows/security-scan-test.yml
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
diff --git a/.github/workflows/security-trivy.yml b/.github/workflows/security-trivy.yml
