From 0a7e1592c3bd2dbfa6b7f1c77e1483b347b96491 Mon Sep 17 00:00:00 2001
From: Gonzalo Diaz
Date: Sun, 7 Sep 2025 21:20:10 -0300
Subject: [PATCH 1/2] [BUGFIX] sonarcloud security hotspot: Docker image running production as root.
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 389ab1b..a1511f2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -125,4 +125,6 @@ RUN addgroup \
 "$USER" \
 && ls -alhR
+USER $USER
+
 CMD ["make", "run"]
From e6560216bc25bbd120f473223b5e392ccdddcf48 Mon Sep 17 00:00:00 2001
From: Gonzalo Diaz
Date: Sun, 7 Sep 2025 21:28:25 -0300
Subject: [PATCH 2/2] [BUGFIX] sonarcloud security hotspot: use hashes instead of release tags
---
 .github/workflows/gitleaks.yml | 4 +++-
 .github/workflows/rust-coverage.yml | 10 +++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
index e804ea2..d978e7a 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks.yml
@@ -25,8 +25,10 @@ jobs:
 - uses: actions/checkout@v5
 with:
 fetch-depth: 0
- - uses: gitleaks/gitleaks-action@v2
+ # yamllint disable rule:line-length
+ - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # Only required for Organizations, not personal accounts.
 # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}}
+ # yamllint enable rule:line-length
diff --git a/.github/workflows/rust-coverage.yml b/.github/workflows/rust-coverage.yml
index 89125ca..b5c29cb 100644
--- a/.github/workflows/rust-coverage.yml
+++ b/.github/workflows/rust-coverage.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Install Rust
 run: rustup update stable
 - name: Install cargo-llvm-cov
- uses: taiki-e/install-action@cargo-llvm-cov
+ uses: taiki-e/install-action@7a9da991c71dfd905b2ee8252a9ce162f176dc6f
 - name: Install Clippy
 run: rustup component add clippy
 - name: Install cargo-sonar and run Clippy
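Review bot: `USER $USER` only works for `make run` if everything the target reads or writes under the working directory was already handed to that user, and nothing in the hunk shows a `COPY --chown` or `chown -R`; please confirm the earlier layers do this, otherwise the first write at runtime fails with EACCES, and confirm `$USER` is declared in this build stage (an `ARG` without a default expands to empty here). A name-based `USER` also cannot satisfy Kubernetes `runAsNonRoot`, which needs a numeric UID in the image config, so `USER <uid>:<gid>` with the numbers used by the `addgroup`/`adduser` above is the more portable form. I would record the intent on the line: `# Drop root for the runtime process; build steps above still run as root.`. The `RUN addgroup …` instruction this hunk starts in begins outside the hunk.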
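Review bot: `actions/checkout@v5` on the first context line is still a mutable tag, so the workflow is only half pinned after this change; pin it the same way, `- uses: actions/checkout@<full sha> # v5.<minor>.<patch>`. The `# v2` trailer on the new `uses:` line names a floating major that a reader cannot check against `ff98106e…`; record the exact release the SHA was taken from (I cannot verify which tag that is from here). Since only the `uses:` line is long, the `disable`/`enable` pair can shrink to a single `# yamllint disable-line rule:line-length` on the line above it, which cannot drift when steps are added between the markers. The `steps` list this hunk belongs to starts before the hunk.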
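Review bot: With taiki-e/install-action the tool to install was carried by the ref itself — `@cargo-llvm-cov` resolves to a per-tool tag whose `action.yml` defaults `tool` to cargo-llvm-cov — so pinning to a bare commit drops that input and, as far as I can tell, the step now fails or installs nothing because no `with: tool:` is given. Keep the pin but name the tool explicitly: `uses: taiki-e/install-action@7a9da991c71dfd905b2ee8252a9ce162f176dc6f # v<x>.<y>.<z>` followed by `with:` / `tool: cargo-llvm-cov`. Please also confirm the SHA is a commit on the action's release line rather than on the old `cargo-llvm-cov` tag, and add the exact release in the trailing comment as the other pins in this patch do. The enclosing `steps` list starts before the hunk.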
@@ -59,12 +59,14 @@ jobs:
 with:
 name: coverage-report
+ # yamllint disable rule:line-length
 - name: Upload coverage reports to Codecov with GitHub Action
- uses: codecov/codecov-action@v5
+ uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5
 with:
 files: lcov.info
 token: ${{ secrets.CODECOV_TOKEN }} # required
 verbose: true # optional (default = false)
+ # yamllint enable rule:line-length
 sonarqube:
 name: SonarQube
@@ -80,8 +82,9 @@ jobs:
 uses: actions/download-artifact@v5
 with:
 name: coverage-report
+ # yamllint disable rule:line-length
 - name: SonarCloud Scan
- uses: SonarSource/sonarqube-scan-action@master
+ uses: SonarSource/sonarqube-scan-action@1a6d90ebcb0e6a6b1d87e37ba693fe453195ae25 # v5
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -89,3 +92,4 @@ jobs:
 args: >
 -Dsonar.externalIssuesReportPaths=sonar-issues.json
 -Dsonar.rust.clippy.reportPaths=my-clippy-report.json
+ # yamllint enable rule:line-length
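Review bot: The `# v5` trailer on the new `uses:` line does not identify the release that `5a1091511ad55cbe89839c7260b706298ca349f7` was taken from, so a reviewer cannot audit the pin against a tag; record the exact release, `# v5.<minor>.<patch>`. The `disable`/`enable` pair spans the whole step although only the `uses:` line is long; a `# yamllint disable-line rule:line-length` comment directly above that line is tighter and cannot drift when lines are added between the markers. The `steps` list this hunk belongs to starts before the hunk.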
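Review bot: `actions/download-artifact@v5` on the first context line is still a mutable tag while the scan action below it is now SHA-pinned; pin it the same way, `uses: actions/download-artifact@<full sha> # v5.<minor>.<patch>`, otherwise the job still consumes a floating ref. As with the other pins, replace `# v5` with the exact `sonarqube-scan-action` release the SHA corresponds to so the pin is auditable. The step receives both `GITHUB_TOKEN` and `SONAR_TOKEN`; the job's `permissions:` block is outside the hunk, so I cannot confirm the token is scoped to what the scan needs. The enclosing job definition starts before this hunk.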
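Review bot: The added `# yamllint enable rule:line-length` line follows the folded `args: >` block scalar, and if it is indented at the same column as the `-Dsonar…` lines YAML treats it as scalar content rather than a comment — the text `# yamllint enable rule:line-length` would then be appended to the scanner arguments. The indentation is not recoverable from this patch, so please check the line is dedented to the step level (the column of `- name:`), or avoid the question entirely by using a single `# yamllint disable-line rule:line-length` above the `uses:` line and dropping the `enable` line. The `with:` mapping this hunk belongs to starts before the hunk.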