security: digest-pin Dockerfile base images

[cx-artur-ribeiro]

Pin both FROM images by SHA256 digest so a repushed/poisoned tag on the upstream registry cannot flow into the Action build. SHA-pinning the GitHub Action alone is insufficient because the Docker image tag remains mutable on Docker Hub.

I've downgraded kics to version 2.1.19 for now:

• checkmarx/kics: v2.1.20 -> v2.1.19 -> sha256
• cgr.dev/chainguard/wolfi-base:latest -> sha256

The tag is kept alongside the digest as a human-readable intent marker;
Docker resolves the pull by digest, so a mismatched tag republish fails closed instead of silently substituting content.

Thanks to @bsgrigorov and everyone involved for bringing this issue to our attention.

[github-actions]

KICS version: v2.1.19

Category Results CRITICAL 0 HIGH 1 MEDIUM 3 LOW 1 INFO 0 TRACE 0 TOTAL 5	Metric Values Files scanned 2 Files parsed 2 Files failed to scan 0 Total executed queries 1099 Queries failed to execute 0 Execution time 20

Queries Results

Query Name Query Id Severity Platform Cwe Risk Score Category Experimental Description File Name Line Issue Type Search Key Expected Value Actual Value Resource Type Resource Name Remediation Remediation Type Passwords And Secrets - Generic Password 487f4be7-3fd9-4506-a07a-eae252180c08 HIGH Common 798 7.8 Secret Management false Query to find passwords and secrets in infrastructure code. test/samples/positive1.tf 12 RedundantAttribute Hardcoded secret key should not appear in source Hardcoded secret key appears in source AD Admin Not Configured For SQL Server a3a055d2-9a2e-4cc9-b9fb-12850a1a3a4b MEDIUM Terraform 732 5.9 Insecure Configurations false The Active Directory Administrator is not configured for a SQL server test/samples/positive1.tf 6 MissingAttribute azurerm_sql_server[positive2] A 'azurerm_sql_active_directory_administrator' should be defined for 'azurerm_sql_server[positive2]' A 'azurerm_sql_active_directory_administrator' is not defined for 'azurerm_sql_server[positive2]' azurerm_sql_server mysqlserver1 Admin User Enabled For Container Registry b897dfbf-322c-45a8-b67c-1e698beeaa51 MEDIUM Terraform 732 5.4 Access Control false Admin user is enabled for Container Registry test/samples/positive2.tf 11 IncorrectValue azurerm_container_registry[positive2].admin_enabled 'admin_enabled' equal 'false' 'admin_enabled' equal 'true' azurerm_container_registry containerRegistry1 {"after":"false","before":"true"} replacement SQL Server Auditing Disabled f7e296b0-6660-4bc5-8f87-22ac4a815edf MEDIUM Terraform 778 6.4 Observability false Make sure that for SQL Servers, 'Auditing' is set to 'On' test/samples/positive1.tf 6 MissingAttribute azurerm_sql_server[positive2] 'azurerm_sql_server.positive2.extended_auditing_policy' should exist 'azurerm_sql_server.positive2.extended_auditing_policy' does not exist azurerm_sql_server mysqlserver1 SQL Server Predictable Active Directory Account Name bcd3fc01-5902-4f2a-b05a-227f9bbf5450 LOW Terraform 522 2.9 Best Practices false Azure SQL Server must avoid using predictable Active Directory Administrator Account names, like 'Admin', which means the attribute 'login' must be set to a name that is not easy to predict test/samples/positive1.tf 18 IncorrectValue azurerm_sql_active_directory_administrator[positive3].login 'azurerm_sql_active_directory_administrator[positive3].login' should not be predictable' 'azurerm_sql_active_directory_administrator[positive3].login' is predictable azurerm_sql_active_directory_administrator positive3