diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 533c0a17e..9f0549e05 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -171,7 +171,6 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 output: './trivy-image-results.txt'
- severity: 'CRITICAL,HIGH,MEDIUM,LOW'
 env:
 TRIVY_SKIP_DB_UPDATE: true
 TRIVY_SKIP_JAVA_DB_UPDATE: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 52f26f37a..3d8a772d3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -138,6 +138,7 @@ jobs:
 COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 notify:
+ if: inputs.dev == false
 needs: build
 uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
 with:
diff --git a/Dockerfile b/Dockerfile
index fc971ac09..768983533 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM checkmarx/bash:5.2.37-r2
+FROM checkmarx/bash:5.2.37-r2-ef73fbf0f86d3b@sha256:ef73fbf0f86d3b0f1b9d0af383939a482f9ec0b0227fc5a330c70753f2e1da75
 USER nonroot
 COPY cx /app/bin/cx
diff --git a/internal/commands/scan.go b/internal/commands/scan.go
index f26973a13..d04a0727f 100644
--- a/internal/commands/scan.go
+++ b/internal/commands/scan.go
@@ -60,7 +60,7 @@ const (
 containerVolumeFlag = "-v"
 containerNameFlag = "--name"
 containerRemove = "--rm"
- containerImage = "checkmarx/kics:latest"
+ containerImage = "checkmarx/kics:v2.1.3"
 containerScan = "scan"
 containerScanPathFlag = "-p"
 containerScanPath = "/path"
diff --git a/internal/commands/util/remediation.go b/internal/commands/util/remediation.go
index 79081dd9f..dcd9c0066 100644
--- a/internal/commands/util/remediation.go
+++ b/internal/commands/util/remediation.go
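Review bot: Dropping the explicit `severity:` list hands the Trivy step's severity filter to the action's default, which for aquasecurity/trivy-action also includes UNKNOWN, so the report written to `./trivy-image-results.txt` can now contain findings the removed line excluded; the step's `uses:` line is outside the hunk, so the action identity is inferred from the input names. If widening the report is the intent, a one-line comment would stop the next reader from restoring the list, e.g. `# severity intentionally unset: report every level, including UNKNOWN`. If the change was only meant to tidy the step, keeping the original line leaves the output stable.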
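Review bot: `if: inputs.dev == false` on the `notify` job only does what it says if `dev` is declared as a boolean input; the workflow's `on:`/`inputs` block is outside the hunk. With a boolean input the comparison is exact, and on a trigger that carries no inputs the expression still evaluates true (null is coerced to 0, as is false, under GitHub's documented loose-comparison rules), so notifications keep going out for non-dispatch runs, which looks intended. If `dev` were a string input, `'false' == false` would never match and the job would be skipped on every run. A short comment on the job would make the dependency explicit, e.g. `# skip release notifications for dev builds (inputs.dev is a boolean workflow_dispatch input)`.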
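Review bot: `containerImage` is now pinned to `checkmarx/kics:v2.1.3` in two places, here and in the identically named constant in internal/commands/util/remediation.go (the next hunk), so every future bump must touch both or the scan and remediate paths silently run different KICS versions; a single shared constant that both packages reference would remove that drift. A tag is also still a mutable reference, unlike the `@sha256:` digest the Dockerfile hunk uses for the base image, so the registry can republish `v2.1.3` with different content; if reproducibility is the goal here as well, pin by digest (placeholder form `checkmarx/kics:v2.1.3@sha256:<digest>`) and keep the tag for readability. The enclosing `const (` block starts outside the hunk.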
@@ -27,7 +27,7 @@ const (
 filesContainerVolume = ":/files"
 resultsContainerLocation = "/kics/"
 containerRemove = "--rm"
- containerImage = "checkmarx/kics:latest"
+ containerImage = "checkmarx/kics:v2.1.3"
 containerNameFlag = "--name"
 remediateCommand = "remediate"
 resultsFlag = "--results"