Merge branch 'main' into bug/AST-73370

cx-celso-silva · web-flow · commit d7cde62daa59 · 2025-01-27T08:39:21.000Z
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -171,7 +171,6 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os,library'
           output: './trivy-image-results.txt'
-          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
         env:
           TRIVY_SKIP_DB_UPDATE: true
           TRIVY_SKIP_JAVA_DB_UPDATE: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -138,6 +138,7 @@ jobs:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
   notify:
+    if: inputs.dev == false
     needs: build
     uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
     with:
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM checkmarx/bash:5.2.37-r2
+FROM checkmarx/bash:5.2.37-r2-ef73fbf0f86d3b@sha256:ef73fbf0f86d3b0f1b9d0af383939a482f9ec0b0227fc5a330c70753f2e1da75
 USER nonroot
 
 COPY cx /app/bin/cx
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -60,7 +60,7 @@ const (
 	containerVolumeFlag             = "-v"
 	containerNameFlag               = "--name"
 	containerRemove                 = "--rm"
-	containerImage                  = "checkmarx/kics:latest"
+	containerImage                  = "checkmarx/kics:v2.1.3"
 	containerScan                   = "scan"
 	containerScanPathFlag           = "-p"
 	containerScanPath               = "/path"
diff --git a/internal/commands/util/remediation.go b/internal/commands/util/remediation.go
@@ -27,7 +27,7 @@ const (
 	filesContainerVolume      = ":/files"
 	resultsContainerLocation  = "/kics/"
 	containerRemove           = "--rm"
-	containerImage            = "checkmarx/kics:latest"
+	containerImage            = "checkmarx/kics:v2.1.3"
 	containerNameFlag         = "--name"
 	remediateCommand          = "remediate"
 	resultsFlag               = "--results"

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM checkmarx/bash:5.2.37-r2`
	`1`	`+FROM checkmarx/bash:5.2.37-r2-ef73fbf0f86d3b@sha256:ef73fbf0f86d3b0f1b9d0af383939a482f9ec0b0227fc5a330c70753f2e1da75`
`2`	`2`	`USER nonroot`
`3`	`3`
`4`	`4`	`COPY cx /app/bin/cx`