[StepSecurity] Apply security best practices (#437)

stepsecurity-app[bot] · web-flow · commit fa9d9d2cb6d2 · 2026-05-22T12:36:16.000-04:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
Co-authored-by: stepsecurity-app[bot] &lt;188008098+stepsecurity-app[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml
@@ -6,7 +6,7 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: contains(github.head_ref, 'other/update_java_wrapper')
     steps:
       - name: Enable auto-merge for Dependabot PRs
diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   cx-scan:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -17,14 +17,14 @@ concurrency:
   cancel-in-progress: true
 jobs:
   testUI:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       # Setup Java 11 environment for the next steps
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
@@ -60,29 +60,29 @@ jobs:
       # Save report if tests fail
       - name: Save fails report
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: test-fails-report
           path: |
             build/reports
       # Save idea log if tests fail
       - name: Save idea log
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: idea.log
           path: |
             idea.log
 
   testUnit:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       # Setup Java 11 environment for the next steps
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
@@ -108,14 +108,14 @@ jobs:
 
       # Save coverage report as an artifact
       - name: Upload Coverage Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: unit-coverage-report
           path: plugin-checkmarx-ast/build/reports/jacoco/test/html/
       # Save report if tests fail
       - name: Save fails report
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: test-fails-report-unit
           path: |
@@ -124,14 +124,14 @@ jobs:
             plugin-checkmarx-devassist/build/reports/tests
 
   testIntegration:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       # Setup Java 11 environment for the next steps
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
@@ -153,14 +153,14 @@ jobs:
 
       # Save coverage report as an artifact
       - name: Upload Coverage Report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: integration-coverage-report
           path: plugin-checkmarx-ast/build/reports/jacoco/test/html/
       # Save report if tests fail
       - name: Save fails report
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: test-fails-report-integration
           path: |
diff --git a/.github/workflows/delete-dev-releases.yml b/.github/workflows/delete-dev-releases.yml
@@ -20,7 +20,7 @@ permissions:
 
 jobs:
   delete:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Delete releases and tags
         continue-on-error: true
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -6,12 +6,12 @@ permissions:
 
 jobs:
   dependabot-merge:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     if: ${{ github.actor == 'dependabot[bot]' }}
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@v1.6.0
+        uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 # v1.6.0
         with:
           github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN  }}"
       - name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
           GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
         run: gh pr merge --auto --merge "$PR_URL"
       - name: Auto approve dependabot PRs
-        uses: hmarr/auto-approve-action@v3
+        uses: hmarr/auto-approve-action@7d0ab8fdbb906da8a6297d373561d5ccb137d98f # v3
         with:
           github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/manual-tag.yml b/.github/workflows/manual-tag.yml
@@ -7,12 +7,17 @@ on:
         description: 'Next release tag'
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   tag-creation:
-    runs-on: ubuntu-latest
+    permissions:
+      contents: write  # for Git to git push
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
       - name: Tag
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -8,7 +8,7 @@ on:
 
 jobs:
   set_tag:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       tag_version: ${{ steps.tagname.outputs.tag_version }}
       ast_version: ${{ steps.tagname.outputs.ast_version }}
diff --git a/.github/workflows/pr-label.yml b/.github/workflows/pr-label.yml
@@ -10,9 +10,9 @@ jobs:
   pr-labeler:
     permissions:
       pull-requests: write  # for TimonVS/pr-labeler-action to add labels in PR
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
-      - uses: TimonVS/pr-labeler-action@v4
+      - uses: TimonVS/pr-labeler-action@8b99f404a073744885d8021d1de4e40c6eaf38e2 # v4.1.1
         with:
           configuration-path: .github/pr-labeler.yml # optional, .github/pr-labeler.yml is the default value
         env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -100,7 +100,7 @@ env:
 
 jobs:
   resolve:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       releaseType: ${{ steps.vars.outputs.releaseType }}
       ast_version: ${{ steps.vars.outputs.ast_version }}
@@ -139,18 +139,18 @@ jobs:
 
   verify:
     needs: [resolve]
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Free up disk space
         run: |
           sudo rm -rf /usr/share/dotnet
           sudo rm -rf /opt/ghc
           sudo rm -rf /usr/local/lib/android
           sudo docker system prune -af
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
@@ -171,12 +171,12 @@ jobs:
   testIntegration:
     needs: [verify]
     if: ${{ !inputs.skip_tests }}
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
@@ -203,17 +203,17 @@ jobs:
   release:
     needs: [resolve, verify, testIntegration, deleteDevReleases]
     if: ${{ always() && needs.resolve.result == 'success' && needs.verify.result == 'success' && (needs.testIntegration.result == 'success' || needs.testIntegration.result == 'skipped') && (needs.deleteDevReleases.result == 'success' || needs.deleteDevReleases.result == 'skipped') }}
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     outputs:
       TAG_NAME: ${{ steps.set_outputs.outputs.TAG_NAME }}
       CLI_VERSION: ${{ steps.set_outputs.outputs.CLI_VERSION }}
     steps:
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
diff --git a/.github/workflows/test-ui-mac.yml b/.github/workflows/test-ui-mac.yml
@@ -23,15 +23,15 @@ jobs:
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       # Setup Java 11 environment for the next steps
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
       - name: Setup FFmpeg
-        uses: FedericoCarboni/setup-ffmpeg@v2
+        uses: FedericoCarboni/setup-ffmpeg@583042d32dd1cabb8bd09df03bde06080da5c87c # v2
         with:
           # Not strictly necessary, but it may prevent rate limit
           # errors especially on GitHub-hosted macos machines.
@@ -58,14 +58,14 @@ jobs:
       # Save report if tests fail
       - name: Save fails report
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: test-mac-fails-report
           path: build/reports
       # Save idea log if tests fail
       - name: Save idea log
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: idea.log
           path: idea.log
diff --git a/.github/workflows/test-ui-ubuntu.yml b/.github/workflows/test-ui-ubuntu.yml
@@ -18,19 +18,19 @@ env:
 
 jobs:
   testUI:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       # Setup Java 11 environment for the next steps
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
       - name: Setup FFmpeg
-        uses: FedericoCarboni/setup-ffmpeg@v2
+        uses: FedericoCarboni/setup-ffmpeg@583042d32dd1cabb8bd09df03bde06080da5c87c # v2
         with:
           # Not strictly necessary, but it may prevent rate limit
           # errors especially on GitHub-hosted macos machines.
@@ -60,14 +60,14 @@ jobs:
       # Save report if tests fail
       - name: Save fails report
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: test-fails-report
           path: build/reports
       # Save idea log if tests fail
       - name: Save idea log
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: idea.log
           path: idea.log
diff --git a/.github/workflows/test-ui-windows.yml b/.github/workflows/test-ui-windows.yml
@@ -22,15 +22,15 @@ jobs:
     steps:
       # Check out current repository
       - name: Fetch Sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       # Setup Java 11 environment for the next steps
       - name: Setup Java
-        uses: actions/setup-java@v3.13.0
+        uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0
         with:
           distribution: zulu
           java-version: 11
       - name: Setup FFmpeg
-        uses: FedericoCarboni/setup-ffmpeg@v2
+        uses: FedericoCarboni/setup-ffmpeg@583042d32dd1cabb8bd09df03bde06080da5c87c # v2
         with:
           # Not strictly necessary, but it may prevent rate limit
           # errors especially on GitHub-hosted macos machines.
@@ -59,14 +59,14 @@ jobs:
       # Save report if tests fail
       - name: Save fails report
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: test-fails-report
           path: build/reports
       # Save idea log if tests fail
       - name: Save idea log
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: idea.log
           path: idea.log
diff --git a/.github/workflows/update-wrapper-version.yml b/.github/workflows/update-wrapper-version.yml
@@ -14,16 +14,19 @@ on:
   repository_dispatch:
     types: [java-wrapper-version-update]
 
+permissions:
+  contents: read
+
 jobs:
   update-java-wrapper:
-    runs-on: ubuntu-latest
+    runs-on: cx-public-ubuntu-x64
     permissions:
       contents: write
       pull-requests: write
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ github.event.inputs.base_branch || github.event.repository.default_branch }}
 
