diff --git a/.github/workflows/ossf.yml b/.github/workflows/ossf.yml
index ca0a9d0..2531df5 100644
--- a/.github/workflows/ossf.yml
+++ b/.github/workflows/ossf.yml
@@ -41,6 +41,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard (optional).
 # Commenting out will disable upload of results to your repo's Code Scanning dashboard
- - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ - uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
index 6df43b4..f42bef3 100644
--- a/.github/workflows/scans.yml
+++ b/.github/workflows/scans.yml
@@ -30,7 +30,7 @@ jobs:
 soft_fail: ${{ github.event_name != 'pull_request' }}
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: results.sarif
@@ -65,7 +65,7 @@ jobs:
 db-file: matcher.db
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: clair_results.sarif
@@ -80,7 +80,7 @@ jobs:
 - uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1
- - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ - uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: devskim-results.sarif
@@ -111,7 +111,7 @@ jobs:
 GITHUB_TOKEN: ${{ github.token }}
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: results.sarif
 
@@ -133,7 +133,7 @@ jobs:
 only-fixed: true
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: ${{ steps.grype.outputs.sarif }}
@@ -165,7 +165,7 @@ jobs:
 IMAGE_ID: ${{ steps.build.outputs.imageid }}
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: ${{ steps.grype.outputs.sarif }}
@@ -192,7 +192,7 @@ jobs:
 bom: true
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: results.sarif
@@ -226,7 +226,7 @@ jobs:
 path: megalinter-reports
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: megalinter-reports/megalinter-report.sarif
 ref: ${{ github.head_ref && format('refs/heads/{0}', github.head_ref) || github.ref }}
@@ -258,7 +258,7 @@ jobs:
 - uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1
 id: msdo
- - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ - uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: ${{ steps.msdo.outputs.sarifFile }}
 
@@ -269,7 +269,7 @@ jobs:
 security-events: write
 if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
- uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 # v2
 osv-scan-push:
 permissions:
@@ -278,7 +278,7 @@ jobs:
 security-events: write
 if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
- uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@b77c075a1235514558f0eb88dbd31e22c45e0cd2 # v2
+ uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@375a0e8ebdc98e99b02ac4338a724f5750f21213 # v2
 with:
 fail-on-vuln: false
@@ -306,7 +306,7 @@ jobs:
 only-fixed: true
 - if: ${{ success() || failure() }}
- uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: ${{ steps.grype.outputs.sarif }}
@@ -337,7 +337,7 @@ jobs:
 scanners: vuln,secret,misconfig
 skip-setup-trivy: true
- - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ - uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: trivy-results.sarif
@@ -376,7 +376,7 @@ jobs:
 severity: HIGH,CRITICAL
 skip-setup-trivy: true
- - uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4
+ - uses: github/codeql-action/upload-sarif@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4
 with:
 sarif_file: trivy-results.sarif
 
@@ -390,7 +390,7 @@ jobs:
 with:
 fetch-depth: (${{ github.event.pull_request.commits || 2 }} + 1)
- - uses: trufflesecurity/trufflehog@821e8b9e5cdf8dc484dd23e06f78941fcf6b9191 # v3
+ - uses: trufflesecurity/trufflehog@05cccb53bc9e13bc6d17997db5a6bcc3df44bf2f # v3
 with:
 extra_args: --results=verified,unknown