fix(security): remediate code scanning findings across workflows and scripts#12
Merged
Conversation
```diff
 - name: Generate badges
-  uses: docker://ghcr.io/chipwolf/badgesort:latest
+  uses: docker://ghcr.io/chipwolf/badgesort@sha256:a0b74fd865d8c93040f74c865272421e6ba4cdeb4b882990548f90e2debed04a
```
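Review bot: the sha256 digest pin is the right remediation for the KICS "Unpinned Actions Full Length Commit SHA" notice attached to this line, since a digest is immutable where the previous `latest` tag was not; the one thing a bare digest loses is readability, so consider keeping the tag it was resolved from in a trailing comment (e.g. `# latest`) so reviewers and dependency-update tooling can still tell which release the digest corresponds to.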
Check notice: Code scanning / KICS (MegaLinter REPOSITORY_KICS): Unpinned Actions Full Length Commit SHA (Note)
Cursor Bugbot has reviewed your changes and found 3 potential issues.
…scripts

Pin GitHub Actions and container references, tighten workflow permissions, and harden installer/profile scripts to eliminate flagged risky patterns. Also update Dockerfile security posture and shell lint issues while preserving existing behavior.

Made-with: Cursor

* Initial plan
* chore: remove bootstrap-sha from release-please-config

Co-authored-by: ChipWolf <3164166+ChipWolf@users.noreply.github.com>
Agent-Logs-Url: https://github.com/ChipWolf/dotfiles/sessions/bc6eb169-ea92-4fad-b9aa-20a78a277213

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ChipWolf <3164166+ChipWolf@users.noreply.github.com>
Co-authored-by: Chip Wolf <ChipWolf@users.noreply.github.com>
6a34285 to 94beb31

Note: Medium Risk

Moderate risk because it changes CI/release workflows, the Codespaces build image base, and Windows shell bootstrap execution paths, which could break automation if pins/permissions or script invocation differs from prior behavior.

Overview

Security hardening across CI workflows and bootstrap scripts. Workflows now set explicit top-level `permissions` and pin third-party actions/images by commit SHA/digest (BadgeSort, MegaLinter, Release Please, Docker actions, SARIF upload), reducing supply-chain risk. Updates the Codespaces overlay `Dockerfile` to use a versioned `devcontainers/universal:2` base, adjust ownership handling during `COPY`, and add a lightweight `HEALTHCHECK`. Refactors Windows PowerShell init/installer scripts to avoid direct `Invoke-Expression` patterns (generate init scripts then execute via `ScriptBlock`; Chocolatey bootstrap downloaded to disk and run in a separate process with per-process execution policy), plus a small shell output tweak in `brew-review` and a `release-please-config.json` `bootstrap-sha` value change.

Written by Cursor Bugbot for commit 071ffb6.
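As an added example (not code from this PR or the dotfiles repository), a small checker for the two workflow rules the overview describes: it flags `uses:` references that are not a full 40-hex commit SHA or a `sha256` digest, and reports whether the workflow declares a top-level `permissions:` block. The sample workflow is constructed; the 40-hex SHA in it is a placeholder, and the two badgesort lines mirror the before/after of this PR's diff.

```python
import re

# Constructed sample workflow (not from the dotfiles repo). The `latest` tag and the
# sha256 line mirror the badgesort change in this PR; the 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: Generate badges
        uses: docker://ghcr.io/chipwolf/badgesort:latest
        uses: docker://ghcr.io/chipwolf/badgesort@sha256:a0b74fd865d8c93040f74c865272421e6ba4cdeb4b882990548f90e2debed04a
      - uses: ./.github/actions/local
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def is_pinned(ref: str) -> bool:
    """True when a `uses:` reference resolves to immutable content."""
    if ref.startswith("./"):  # local action: versioned with the repo itself
        return True
    if ref.startswith("docker://"):  # container image: needs an @sha256 digest, not a tag
        image = ref[len("docker://"):]
        return "@" in image and DIGEST_RE.match(image.split("@", 1)[1]) is not None
    if "@" not in ref:  # no ref at all: floats on the action's default branch
        return False
    return FULL_SHA_RE.match(ref.rsplit("@", 1)[1]) is not None  # tags/branches are mutable


def scan_workflow(text: str) -> dict:
    """Return unpinned `uses:` lines and whether a top-level `permissions:` key is declared."""
    lines = text.splitlines()
    unpinned = [(n, m.group(1)) for n, line in enumerate(lines, 1)
                if (m := USES_RE.match(line)) and not is_pinned(m.group(1))]
    has_permissions = any(line.startswith("permissions:") for line in lines)
    return {"unpinned": unpinned, "top_level_permissions": has_permissions}


if __name__ == "__main__":
    report = scan_workflow(SAMPLE_WORKFLOW)
    for lineno, ref in report["unpinned"]:
        print(f"line {lineno}: unpinned reference {ref}")
    if not report["top_level_permissions"]:
        print("no top-level permissions: block; GITHUB_TOKEN gets the default scopes")
```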