Skip to content

Commit a26b614

Browse files
committed
chore: pin GitHub Actions to commit SHAs for supply-chain security
1 parent ce61c90 commit a26b614

1 file changed

Lines changed: 6 additions & 6 deletions

File tree

.github/workflows/security-audit.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -18,21 +18,21 @@ jobs:
1818
name: Gitleaks (secret history)
1919
runs-on: ubuntu-latest
2020
steps:
21-
- uses: actions/checkout@v4
21+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
2222
with:
2323
fetch-depth: 0
24-
- uses: gitleaks/gitleaks-action@v2
24+
- uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2
2525
env:
2626
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
2727

2828
trufflehog:
2929
name: TruffleHog (verified secrets)
3030
runs-on: ubuntu-latest
3131
steps:
32-
- uses: actions/checkout@v4
32+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
3333
with:
3434
fetch-depth: 0
35-
- uses: trufflesecurity/trufflehog@main
35+
- uses: trufflesecurity/trufflehog@47e7b7cd74f578e1e3145d48f669f22fd1330ca6 # v3.94.3
3636
with:
3737
path: ./
3838
base: ${{ github.event.repository.default_branch }}
@@ -45,7 +45,7 @@ jobs:
4545
container:
4646
image: semgrep/semgrep
4747
steps:
48-
- uses: actions/checkout@v4
48+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
4949
- run: semgrep ci --config=p/secrets --config=p/owasp-top-ten --config=p/javascript --config=p/typescript --config=p/python
5050
env:
5151
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
@@ -56,7 +56,7 @@ jobs:
5656
if: failure()
5757
runs-on: ubuntu-latest
5858
steps:
59-
- uses: actions/github-script@v7
59+
- uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
6060
with:
6161
script: |
6262
const title = `Security audit failed: ${new Date().toISOString().split('T')[0]}`;

0 commit comments

Comments
 (0)