feat: ignore official/known actions (#233)

Closes #6971 **Proposed Changes** Changed all gh actions to include full commit sha **Checklist** - [ ] I covered my changes with tests. - [X] I updated the documentation that is affected by my changes: - [ ] Change in the CLI arguments - [ ] Change in the configuration file I submit this contribution under the Apache-2.0 license.
Checkmarx · Apr 12, 2024 · faa6f1d · faa6f1d
1 parent ef0034d
commit faa6f1d
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 26 deletions.
diff --git a/.github/workflows/new-rules.yml b/.github/workflows/new-rules.yml
@@ -9,8 +9,8 @@ jobs:
   update_secrets:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "^1.22"
       - name: Check Gitleaks new rules

diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml
@@ -12,7 +12,7 @@ jobs:
     steps:
       - name: Mark as Community if PR is from a fork
         if: github.event.pull_request.head.repo.full_name != github.repository
-        uses: actions/github-script@v6
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
             github.rest.issues.addLabels({

diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -16,11 +16,11 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0 # Required for 2ms to have visibility to all commit history
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "^1.22"
 
@@ -42,10 +42,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
 
       - run: make build
       - name: docker run
@@ -55,23 +55,22 @@ jobs:
   kics:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - run: mkdir -p kics-results
 
       - name: Run KICS scan
-        uses: checkmarx/kics-github-action@master
+        uses: checkmarx/kics-github-action@03c9abe351b01c3e4dbe60fa00ff79ee07d73f44 # master
         with:
           path: .
           output_path: kics-results
           output_formats: json,sarif
           enable_comments: ${{ github.event_name == 'pull_request'}}
           fail_on: high,medium
           enable_jobs_summary: true
-          exclude_queries: 555ab8f9-2001-455e-a077-f2d0f41e2fb9 # https://github.com/Checkmarx/kics/issues/6971
       - name: Show KICS results
         if: failure()
         run: cat kics-results/results.json
       # - name: Upload SARIF file
-      #   uses: github/codeql-action/upload-sarif@v3
+      #   uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a #v3.24.10
       #   with:
       #     sarif_file: kics-results/results.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,11 +16,11 @@ jobs:
       notes: ${{ steps.semantic_release_info.outputs.notes }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0 # Required for 2ms to have visibility to all commit history
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "^1.22"
       - name: Go Linter
@@ -32,7 +32,7 @@ jobs:
       - name: Gets release info
         id: semantic_release_info
         if: github.event_name == 'workflow_dispatch'
-        uses: jossef/action-semantic-release-info@v3.0.0
+        uses: jossef/action-semantic-release-info@277fc891fc5ac40ed0e8d6bf59a0e24a25dfdeac #v3.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -43,9 +43,9 @@ jobs:
     if: ${{ needs.test.outputs.git_tag }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "^1.22"
 
@@ -97,10 +97,10 @@ jobs:
           rm dist/2ms.exe
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
 
       - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 #v3.1.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -116,7 +116,7 @@ jobs:
             dist/*.zip
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0
         with:
           context: .
           platforms: linux/amd64,linux/arm64

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -18,21 +18,21 @@ jobs:
       GO111MODULE: on
     steps:
       - name: Checkout Source
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
+        uses: securego/gosec@26e57d6b340778c2983cd61775bc7e8bb41d002a # v2.19.0
         with:
           args: "-no-fail -fmt sarif -out results.sarif -exclude-dir=.ci -exclude-dir=tests ./..."
       - name: Upload Gosec Results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a #v3.24.10
         with:
           sarif_file: results.sarif
 
   secret-scanning:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Source
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - name: Run 2ms Scan

diff --git a/.github/workflows/validate-readme.yml b/.github/workflows/validate-readme.yml
@@ -11,8 +11,8 @@ jobs:
     name: README should be updated
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version: "^1.22"
 

diff --git a/README.md b/README.md
@@ -97,7 +97,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # Required for 2ms to have visibility to all commit history
           fetch-depth: 0