TEST: Some test to check CLI v2 upload #8
Conversation
machadoit
changed the title
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
| codacy/codacy-analysis-cli \ | ||
| analyze --tool eslint --upload --project-token ${{ secrets.CODACY_PROJECT_TOKEN }} --max-allowed-issues 99999 --commit-uuid $GITHUB_SHA | ||
| - name: Run Codacy CLI | ||
| uses: codacy/codacy-cli-v2-action@main |
There was a problem hiding this comment.
🚫 Codacy found a high Security issue: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release.
The issue identified by the Semgrep linter is that the GitHub Action codacy/codacy-cli-v2-action@main is being referenced using a branch name (main). This practice can lead to unpredictability, as the action may change if new commits are pushed to the branch. Instead, it's recommended to pin the action to a specific commit SHA to ensure that the action remains immutable and consistent across builds.
To fix this issue, you should replace main with the full-length commit SHA of the specific version of the action you want to use. You can find the commit SHA from the repository's commit history on GitHub.
Here’s the code suggestion to implement this change:
| uses: codacy/codacy-cli-v2-action@main | |
| uses: codacy/codacy-cli-v2-action@<full-length-commit-SHA> |
Make sure to replace <full-length-commit-SHA> with the actual SHA you want to pin to.
This comment was generated by an experimental AI tool.
No description provided.