From 1782c15d239e5f8cd87e89706fd4be71a32f88fe Mon Sep 17 00:00:00 2001 From: DovnarAlexander <29893487+DovnarAlexander@users.noreply.github.com> Date: Thu, 26 Mar 2026 22:38:50 +0300 Subject: [PATCH] feat(sec): pinned all versions to sha hashs * changed checkov framework --- .github/actions/helm-release-oci/action.yaml | 4 +-- .github/workflows/actionlint-test.yaml | 6 ++-- .github/workflows/actionlint.yaml | 8 +++--- .github/workflows/create-release.yaml | 6 ++-- .github/workflows/docker-build.yaml | 28 +++++++++---------- .github/workflows/functional-tests.yml | 4 +-- .github/workflows/helm-release-ecr.yaml | 8 +++--- .github/workflows/helm-release-gar.yaml | 8 +++--- .github/workflows/helm-release-github.yaml | 6 ++-- .github/workflows/helm-release-oci-test.yaml | 2 +- .github/workflows/security-checkov-test.yaml | 5 +++- .github/workflows/security-checkov.yaml | 10 +++---- .github/workflows/security-codeql.yml | 8 +++--- .../workflows/security-dependency-review.yml | 4 +-- .github/workflows/security-gitleaks.yml | 2 +- .github/workflows/security-scan-test.yml | 6 ++-- .github/workflows/security-scan.yml | 4 +-- .github/workflows/security-trivy.yml | 18 ++++++------ 18 files changed, 70 insertions(+), 67 deletions(-) diff --git a/.github/actions/helm-release-oci/action.yaml b/.github/actions/helm-release-oci/action.yaml index fb35a74..91e5f29 100644 --- a/.github/actions/helm-release-oci/action.yaml +++ b/.github/actions/helm-release-oci/action.yaml @@ -60,7 +60,7 @@ runs: using: composite steps: - name: Setup Helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 with: version: v3.18.3 
@@ -156,7 +156,7 @@ runs: # Intentional: version bump commit runs only when chart push is enabled. - name: Commit file to branch if: ${{ inputs.push_chart == 'true' && inputs.bump_version_in_git == 'true' }} - uses: stefanzweifel/git-auto-commit-action@f53a62c26ed5971dd2ed8768e4142f08c767ea37 + uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7 with: branch: ${{ inputs.bump_version_git_branch != '' && inputs.bump_version_git_branch || github.ref_name }} commit_message: "Helm bumped up version and appVersion [skip ci]" diff --git a/.github/workflows/actionlint-test.yaml b/.github/workflows/actionlint-test.yaml index 22adc26..4d2d5ba 100644 --- a/.github/workflows/actionlint-test.yaml +++ b/.github/workflows/actionlint-test.yaml @@ -12,7 +12,7 @@ jobs: name: Invalid fixtures fail runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Prepare invalid workflow fixture shell: bash @@ -24,7 +24,7 @@ jobs: - name: Run actionlint on invalid workflow fixture id: invalid-workflow-lint continue-on-error: true - uses: devops-actions/actionlint@fff09c1c1b540ae616ebbc7e5d49de02b44f9cbb + uses: devops-actions/actionlint@469810fd82c015d3c43815cd2b0e4d02eecc4819 # v0.1.11 - name: Assert workflow lint failed if: ${{ steps.invalid-workflow-lint.outcome == 'success' }} @@ -43,7 +43,7 @@ jobs: - name: Run composite action lint on invalid fixture id: composite-action-lint continue-on-error: true - uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d + uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d # master with: actions: .github/actions/*/action.yaml diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml index 3417b41..40a9578 100644 --- a/.github/workflows/actionlint.yaml +++ b/.github/workflows/actionlint.yaml 
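Review bot: The `# master` comment added to `bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d` in the composite-action-lint step records a branch rather than a release, so there is no tagged version to audit the pin against, and update tooling that reads the trailing comment (Dependabot, for example) will treat the pin as tracking a moving branch head. Every other pin in this patch carries a tag (`# v6`, `# v0.1.11`, `# v7`), and the same `# master` comment is added again in `.github/workflows/actionlint.yaml` on the next line. If the action has a tagged release, pin to that and record it; if not, make the exception explicit, e.g. `# master - no tagged release; re-verify SHA when updating`.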
@@ -16,11 +16,11 @@ jobs: name: Lint workflows and local actions runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Run actionlint with reviewdog if: ${{ github.event_name == 'pull_request' }} - uses: reviewdog/action-actionlint@d39025c0fb1cc41ac827852403ea94804b0e6907 + uses: reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 # v1 with: reporter: github-pr-check fail_level: any @@ -29,10 +29,10 @@ jobs: - name: Run actionlint on workflows if: ${{ github.event_name == 'push' }} - uses: devops-actions/actionlint@fff09c1c1b540ae616ebbc7e5d49de02b44f9cbb + uses: devops-actions/actionlint@469810fd82c015d3c43815cd2b0e4d02eecc4819 # v0.1.11 - name: Validate local actions if: ${{ always() }} - uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d + uses: bettermarks/composite-action-lint@673212ed410dde8377d1d5bce860152e85064a2d # master with: actions: .github/actions/*/action.y*ml diff --git a/.github/workflows/create-release.yaml b/.github/workflows/create-release.yaml index 1fb457e..cfe8c4b 100644 --- a/.github/workflows/create-release.yaml +++ b/.github/workflows/create-release.yaml 
@@ -19,19 +19,19 @@ jobs: runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }} steps: - name: Generate GitHub App token - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 id: app-token with: app-id: ${{ secrets.GITHUB_APP_ID }} private-key: ${{ secrets.GITHUB_APP_KEY }} - name: Bump version and push tag id: tag_version - uses: mathieudutour/github-tag-action@d745f2e74aaf1ee82e747b181f7a0967978abee0 + uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b # v6.2 with: github_token: ${{ steps.app-token.outputs.token }} - name: Create a GitHub release - uses: ncipollo/release-action@d82d180c1d8147d23544f9d2610bf8a1941af66e + uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1 with: tag: ${{ steps.tag_version.outputs.new_tag }} name: Release ${{ steps.tag_version.outputs.new_tag }} diff --git a/.github/workflows/docker-build.yaml b/.github/workflows/docker-build.yaml index d1ba0a1..233b408 100644 --- a/.github/workflows/docker-build.yaml +++ b/.github/workflows/docker-build.yaml @@ -145,14 +145,14 @@ jobs: scan_artifact_name: docker-build-trivy-scan-report sbom_artifact_name: docker-build-cyclonedx-sbom steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 # Auth ## AWS - - uses: aws-actions/configure-aws-credentials@v6 + - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6 if: inputs.DOCKER_PUSH && inputs.AWS_REGION != '' with: role-to-assume: ${{ secrets.AWS_IAM_ROLE }} 
@@ -161,11 +161,11 @@ jobs: - name: Login to Amazon ECR if: inputs.DOCKER_PUSH && inputs.AWS_REGION != '' id: ecr - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2 ## GHCR - name: Login to GitHub Container Registry if: inputs.DOCKER_PUSH && inputs.REGISTRY == 'ghcr.io' && inputs.AWS_REGION == '' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ inputs.USERNAME != '' && inputs.USERNAME || github.actor }} @@ -173,14 +173,14 @@ jobs: ## Other - name: Login to registry (using username and token) if: inputs.DOCKER_PUSH && inputs.REGISTRY != '' && inputs.REGISTRY != 'ghcr.io' && inputs.USERNAME != '' - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ inputs.REGISTRY }} username: ${{ inputs.USERNAME }} password: ${{ secrets.TOKEN }} - name: Prepare Docker meta id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 with: images: ${{ inputs.AWS_REGION != '' && steps.ecr.outputs.registry || inputs.REGISTRY }}/${{ inputs.IMAGE != '' && inputs.IMAGE || github.repository }} flavor: | @@ -215,7 +215,7 @@ jobs: ${{ inputs.CUSTOM_TAGS }} - name: Build and push id: build_push - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 with: platforms: ${{ inputs.DOCKER_PLATFORMS }} context: ${{ inputs.DOCKER_CONTEXT }} @@ -233,7 +233,7 @@ jobs: - name: Run Trivy vulnerability scanner id: security_scan if: ${{ inputs.SECURITY_SCAN_ENABLED && inputs.DOCKER_PUSH }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 env: TRIVY_EXIT_ON_EOL: "1" with: 
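Review bot: `docker/login-action` is pinned at `c94ce9fb468520275223c153574b00df6fe4bcc9 # v3` in the `Login to GitHub Container Registry` and `Login to registry (using username and token)` steps, while `.github/workflows/helm-release-gar.yaml` in this same patch pins it at `b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4`; `helm-release-github.yaml` and `security-trivy.yml` also stay on the v3 SHA. Two majors of one action means two SHAs to review and two separate update streams for the same dependency. Unless the GAR login relies on a v4-only feature, this pinning sweep is the place to converge on a single version across the repository.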
@@ -246,7 +246,7 @@ jobs: severity: "${{ inputs.SECURITY_SCAN_SEVERITY }}" - name: Generate SBOM (CycloneDX) if: ${{ always() && inputs.SBOM_ENABLED && inputs.DOCKER_PUSH }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: image-ref: "${{ fromJSON(steps.meta.outputs.json).tags[0] }}" hide-progress: true @@ -269,13 +269,13 @@ jobs: fi - name: Upload scan report artifact if: ${{ always() && inputs.SECURITY_SCAN_ENABLED && inputs.DOCKER_PUSH && hashFiles('scan-report.txt') != '' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: docker-build-trivy-scan-report path: scan-report.txt - name: Upload SBOM artifact if: ${{ always() && inputs.SBOM_ENABLED && inputs.DOCKER_PUSH && hashFiles('sbom.json') != '' }} - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7 with: name: docker-build-cyclonedx-sbom path: sbom.json @@ -296,7 +296,7 @@ jobs: - name: Send Slack notification if: ${{ always() && steps.check_slack_webhook.outputs.has_webhook == 'true' && (job.status != 'success' || inputs.SLACK_NOTIFY_ON_SUCCESS) }} continue-on-error: true - uses: slackapi/slack-github-action@fd998911a4a39ce77c6ae6221df1f58471594105 + uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2 with: webhook: ${{ secrets.SLACK_WEBHOOK }} webhook-type: incoming-webhook diff --git a/.github/workflows/functional-tests.yml b/.github/workflows/functional-tests.yml index 231ed47..ad2cf45 100644 --- a/.github/workflows/functional-tests.yml +++ b/.github/workflows/functional-tests.yml 
@@ -28,13 +28,13 @@ jobs: security_trivy: ${{ steps.filter.outputs.security_trivy }} framework: ${{ steps.filter.outputs.framework }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 - name: Match changed components id: filter - uses: dorny/paths-filter@61f87a10cd2c304679af17bb73ef192addf33c1c + uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4 with: list-files: shell filters: | diff --git a/.github/workflows/helm-release-ecr.yaml b/.github/workflows/helm-release-ecr.yaml index ee270bd..bf14911 100644 --- a/.github/workflows/helm-release-ecr.yaml +++ b/.github/workflows/helm-release-ecr.yaml @@ -98,13 +98,13 @@ jobs: steps: - name: Generate GitHub App token if: ${{ inputs.push_chart && inputs.bump_version_in_git }} - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 id: app-token with: app-id: ${{ secrets.GITHUB_APP_ID }} private-key: ${{ secrets.GITHUB_APP_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app-token.outputs.token != '' && steps.app-token.outputs.token || github.token }} fetch-depth: 0 @@ -122,7 +122,7 @@ jobs: - name: Configure AWS credentials (OIDC) if: ${{ inputs.push_chart }} - uses: aws-actions/configure-aws-credentials@v6 + uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6 with: role-to-assume: ${{ inputs.aws_role_to_assume }} aws-region: ${{ inputs.aws_region }} @@ -130,7 +130,7 @@ jobs: - name: Login to Amazon ECR if: ${{ inputs.push_chart }} id: login-ecr - uses: aws-actions/amazon-ecr-login@v2 + uses: aws-actions/amazon-ecr-login@183a1442edf41672e66566b7fc560e297a290896 # v2 - name: Run OCI core id: core diff --git a/.github/workflows/helm-release-gar.yaml b/.github/workflows/helm-release-gar.yaml index 3d6da24..7326804 100644 
--- a/.github/workflows/helm-release-gar.yaml +++ b/.github/workflows/helm-release-gar.yaml @@ -98,13 +98,13 @@ jobs: steps: - name: Generate GitHub App token if: ${{ inputs.push_chart && inputs.bump_version_in_git }} - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 id: app-token with: app-id: ${{ secrets.GITHUB_APP_ID }} private-key: ${{ secrets.GITHUB_APP_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app-token.outputs.token != '' && steps.app-token.outputs.token || github.token }} fetch-depth: 0 @@ -123,7 +123,7 @@ jobs: - name: Authenticate to Google Cloud id: gcp_auth if: ${{ inputs.push_chart }} - uses: google-github-actions/auth@v3 + uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3 with: token_format: access_token workload_identity_provider: ${{ inputs.gcp_workload_identity_provider }} @@ -131,7 +131,7 @@ jobs: - name: Login to GAR if: ${{ inputs.push_chart }} - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 with: registry: ${{ inputs.gar_registry }} username: oauth2accesstoken diff --git a/.github/workflows/helm-release-github.yaml b/.github/workflows/helm-release-github.yaml index 7bbf850..f300528 100644 --- a/.github/workflows/helm-release-github.yaml +++ b/.github/workflows/helm-release-github.yaml 
@@ -92,20 +92,20 @@ jobs: steps: - name: Generate GitHub App token if: ${{ inputs.push_chart && inputs.bump_version_in_git }} - uses: actions/create-github-app-token@v2 + uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2 id: app-token with: app-id: ${{ secrets.GITHUB_APP_ID }} private-key: ${{ secrets.GITHUB_APP_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.app-token.outputs.token != '' && steps.app-token.outputs.token || github.token }} fetch-depth: 0 - name: Login to GitHub Registry if: ${{ inputs.push_chart }} - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ inputs.ghcr_registry }} username: ${{ github.actor }} diff --git a/.github/workflows/helm-release-oci-test.yaml b/.github/workflows/helm-release-oci-test.yaml index 39c3978..1cd83bd 100644 --- a/.github/workflows/helm-release-oci-test.yaml +++ b/.github/workflows/helm-release-oci-test.yaml @@ -13,7 +13,7 @@ jobs: name: Case - OCI core action succeeds runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Run OCI core action id: core uses: ./.github/actions/helm-release-oci diff --git a/.github/workflows/security-checkov-test.yaml b/.github/workflows/security-checkov-test.yaml index 320c620..6a0cb78 100644 --- a/.github/workflows/security-checkov-test.yaml +++ b/.github/workflows/security-checkov-test.yaml @@ -6,9 +6,12 @@ on: jobs: case_soft_fail_success: + strategy: + matrix: + framework: [terraform, kubernetes, helm] name: Case - soft fail succeeds uses: ./.github/workflows/security-checkov.yaml with: directory: fixtures/security-checkov - framework: terraform,kubernetes,helm + framework: ${{ matrix.framework }} soft_fail: true 
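Review bot: The new matrix `framework: [terraform, kubernetes, helm]` in `security-checkov-test.yaml` drives the reusable workflow only with explicit single-framework values, so the new `all` default introduced in `security-checkov.yaml` by this patch is never exercised by this test job. Adding the default to the list, `framework: [terraform, kubernetes, helm, all]`, covers the default path with the same soft-fail assertion. The rest of the job definition is outside the hunk, so whether another case already covers the default cannot be confirmed from here.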
diff --git a/.github/workflows/security-checkov.yaml b/.github/workflows/security-checkov.yaml index 3a65a8b..ab31daf 100644 --- a/.github/workflows/security-checkov.yaml +++ b/.github/workflows/security-checkov.yaml @@ -9,10 +9,10 @@ on: type: string default: . framework: - description: Checkov frameworks (comma separated list) + description: Checkov framework required: false type: string - default: terraform,kubernetes,helm + default: all soft_fail: description: Do not fail the workflow on findings required: false @@ -39,15 +39,15 @@ permissions: jobs: checkov: - name: Checkov IaC Scan + name: Checkov Scan (${{ inputs.framework }}) runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Run Checkov - uses: bridgecrewio/checkov-action@dae50a5e9eb93ac7dc96b2aea92a185131103539 + uses: bridgecrewio/checkov-action@8c07e78c64ddc2209d8c193a4e321aad67677f8d # v12 with: directory: ${{ inputs.directory }} framework: ${{ inputs.framework }} diff --git a/.github/workflows/security-codeql.yml b/.github/workflows/security-codeql.yml index ef48344..83350a6 100644 --- a/.github/workflows/security-codeql.yml +++ b/.github/workflows/security-codeql.yml 
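Review bot: Changing the `framework` default from `terraform,kubernetes,helm` to `all` widens the default scan for every caller of this reusable workflow that does not pass `framework`, so findings from frameworks never scanned before can now fail those pipelines unless they set `soft_fail`. The shortened description `Checkov framework` no longer says what the default means, and the per-framework matrix added in `security-checkov-test.yaml` suggests a single value is now expected; something like `description: Checkov framework to scan (single value; default 'all' scans every supported framework)` would record both. The same default change in `security-scan.yml` and `security-scan-test.yml` carries the same caller impact.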
@@ -31,16 +31,16 @@ jobs: name: Analyze (${{ inputs.language }}) runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Initialize CodeQL - uses: github/codeql-action/init@v4 + uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4 with: languages: ${{ inputs.language }} queries: security-extended - name: Autobuild - uses: github/codeql-action/autobuild@v4 + uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4 - name: Analyze - uses: github/codeql-action/analyze@v4 + uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4 diff --git a/.github/workflows/security-dependency-review.yml b/.github/workflows/security-dependency-review.yml index f822e7f..4849946 100644 --- a/.github/workflows/security-dependency-review.yml +++ b/.github/workflows/security-dependency-review.yml @@ -19,9 +19,9 @@ jobs: runs-on: ${{ startsWith(inputs.RUNNER, '[') && fromJSON(inputs.RUNNER) || inputs.RUNNER }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Dependency Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4 with: fail-on-severity: high diff --git a/.github/workflows/security-gitleaks.yml b/.github/workflows/security-gitleaks.yml index ad382f6..207b7ae 100644 --- a/.github/workflows/security-gitleaks.yml +++ b/.github/workflows/security-gitleaks.yml @@ -27,7 +27,7 @@ jobs: GITLEAKS_VERSION: "8.30.0" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 0 diff --git a/.github/workflows/security-scan-test.yml b/.github/workflows/security-scan-test.yml index 2aaa1f8..5275c3b 100644 --- a/.github/workflows/security-scan-test.yml 
+++ b/.github/workflows/security-scan-test.yml @@ -47,7 +47,7 @@ on: description: Checkov frameworks (comma separated list) required: false type: string - default: terraform,kubernetes,helm + default: all checkov_soft_fail: description: Do not fail Checkov on findings required: false @@ -118,10 +118,10 @@ on: type: string default: fixtures/security-checkov checkov_framework: - description: Checkov frameworks (comma separated list) + description: Checkov framework required: false type: string - default: terraform,kubernetes,helm + default: all checkov_soft_fail: description: Do not fail Checkov on findings required: false diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index cd0ba14..956ec57 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -68,10 +68,10 @@ on: type: string default: "" checkov_framework: - description: Checkov frameworks (comma separated list) + description: Checkov framework required: false type: string - default: terraform,kubernetes,helm + default: all checkov_soft_fail: description: Do not fail Checkov on findings required: false diff --git a/.github/workflows/security-trivy.yml b/.github/workflows/security-trivy.yml index 58ca1df..8f949e9 100644 --- a/.github/workflows/security-trivy.yml +++ b/.github/workflows/security-trivy.yml @@ -85,11 +85,11 @@ jobs: REGISTRY_PASSWORD: ${{ secrets.registry_password }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Log in to container registry if: ${{ inputs.scan_type == 'image' && inputs.registry != '' && inputs.registry_username != '' && env.REGISTRY_PASSWORD != '' }} - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ${{ inputs.registry }} username: ${{ inputs.registry_username }} 
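Review bot: In the first hunk of `security-scan-test.yml` (`@@ -47`) the `checkov_framework` default changes to `all` but its description still reads `Checkov frameworks (comma separated list)`, while the second hunk (`@@ -118`) and `security-scan.yml` update the same input's description to `Checkov framework`. The stale text contradicts the new default and the single-value usage elsewhere in the patch. Change it to `description: Checkov framework` so the three inputs agree.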
@@ -97,7 +97,7 @@ jobs: - name: Run Trivy image scan (JSON) if: ${{ inputs.scan_type == 'image' }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: image image-ref: ${{ inputs.image_ref }} @@ -112,7 +112,7 @@ jobs: - name: Run Trivy filesystem scan (JSON) if: ${{ inputs.scan_type == 'fs' }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: fs scan-ref: ${{ inputs.scan_ref }} @@ -126,7 +126,7 @@ jobs: - name: Run Trivy image scan (SARIF) if: ${{ inputs.scan_type == 'image' }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: image image-ref: ${{ inputs.image_ref }} @@ -141,7 +141,7 @@ jobs: - name: Run Trivy filesystem scan (SARIF) if: ${{ inputs.scan_type == 'fs' }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: fs scan-ref: ${{ inputs.scan_ref }} @@ -155,7 +155,7 @@ jobs: - name: Run Trivy image scan (text summary) if: ${{ inputs.scan_type == 'image' }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: image image-ref: ${{ inputs.image_ref }} @@ -169,7 +169,7 @@ jobs: - name: Run Trivy filesystem scan (text summary) if: ${{ inputs.scan_type == 'fs' }} - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: scan-type: fs scan-ref: ${{ inputs.scan_ref }} 
@@ -182,7 +182,7 @@ jobs: - name: Upload SARIF to GitHub Security if: ${{ always() && hashFiles('trivy-report.sarif') != '' }} - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4 with: sarif_file: trivy-report.sarif