@@ -40,13 +40,15 @@ jobs:
4040 outputs :
4141 image-id : ${{ steps.build.outputs.imageid }}
4242 steps :
43- - uses : step-security/harden-runner@v2
43+ - uses : step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
4444 with :
4545 egress-policy : audit
4646 - uses : actions/checkout@v4
47- - uses : docker/setup-buildx-action@v3
47+ with :
48+ persist-credentials : false
49+ - uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
4850 - id : build
49- uses : docker/build-push-action@v6
51+ uses : docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
5052 with :
5153 context : .
5254 push : false
@@ -63,26 +65,40 @@ jobs:
6365 contents : read
6466 security-events : write
6567 steps :
66- - uses : step-security/harden-runner@v2
68+ - uses : step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
6769 with :
6870 egress-policy : audit
6971 - uses : actions/checkout@v4
70- - uses : docker/setup-buildx-action@v3
71- - uses : docker/build-push-action@v6
72+ with :
73+ persist-credentials : false
74+ - uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
75+ - uses : docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
7276 with :
7377 context : .
7478 push : false
7579 load : true
7680 tags : springtale-local:ci
7781 cache-from : type=gha
78- - uses : aquasecurity/trivy-action@0.28 .0
82+ - uses : aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36 .0
7983 with :
8084 image-ref : springtale-local:ci
8185 format : sarif
8286 output : trivy.sarif
8387 severity : HIGH,CRITICAL
8488 exit-code : ' 1'
89+ # CRITICAL: in SARIF mode `severity` does NOT filter the report, and
90+ # `exit-code` then fires on ANY finding in it (including LOW). This
91+ # makes the severity filter apply to the SARIF + exit-code, so the
92+ # job gates only on HIGH/CRITICAL — not the LOW rust-dep advisories
93+ # (rand/lru/rpassword) which cargo-audit already tracks.
94+ limit-severities-for-sarif : true
95+ # Only fail on FIXABLE vulnerabilities — un-actionable upstream
96+ # base-OS CVEs (debian "wont-fix") can't be patched from here and are
97+ # picked up automatically when the distroless base is rebuilt.
8598 ignore-unfixed : true
99+ # vuln-only: secret scanning is owned by secrets.yml (gitleaks +
100+ # trufflehog) and false-positives on compiled-binary strings here.
101+ scanners : vuln
86102 - uses : github/codeql-action/upload-sarif@v3
87103 if : always()
88104 with :
@@ -97,23 +113,30 @@ jobs:
97113 contents : read
98114 security-events : write
99115 steps :
100- - uses : step-security/harden-runner@v2
116+ - uses : step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
101117 with :
102118 egress-policy : audit
103119 - uses : actions/checkout@v4
104- - uses : docker/setup-buildx-action@v3
105- - uses : docker/build-push-action@v6
120+ with :
121+ persist-credentials : false
122+ - uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
123+ - uses : docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
106124 with :
107125 context : .
108126 push : false
109127 load : true
110128 tags : springtale-local:ci
111129 cache-from : type=gha
112- - uses : anchore/scan-action@v6
130+ - uses : anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
113131 with :
114132 image : springtale-local:ci
115133 fail-build : true
116134 severity-cutoff : high
135+ # Only fail on vulnerabilities with an available fix — mirrors
136+ # Trivy's ignore-unfixed. The base's libc6 HIGH/CRITICAL CVEs are all
137+ # debian "wont-fix" (CVE-2026-5450/5435/5928 + the disputed glibc
138+ # set), so they're un-actionable until distroless rebuilds.
139+ only-fixed : true
117140 output-format : sarif
118141 output-file : grype.sarif
119142 - uses : github/codeql-action/upload-sarif@v3
@@ -129,24 +152,26 @@ jobs:
129152 permissions :
130153 contents : read
131154 steps :
132- - uses : step-security/harden-runner@v2
155+ - uses : step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2
133156 with :
134157 egress-policy : audit
135158 - uses : actions/checkout@v4
136- - uses : docker/setup-buildx-action@v3
137- - uses : docker/build-push-action@v6
159+ with :
160+ persist-credentials : false
161+ - uses : docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
162+ - uses : docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
138163 with :
139164 context : .
140165 push : false
141166 load : true
142167 tags : springtale-local:ci
143168 cache-from : type=gha
144- - uses : anchore/sbom-action@v0
169+ - uses : anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
145170 with :
146171 image : springtale-local:ci
147172 format : cyclonedx-json
148173 output-file : image-sbom.cdx.json
149- - uses : anchore/sbom-action@v0
174+ - uses : anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
150175 with :
151176 image : springtale-local:ci
152177 format : spdx-json
0 commit comments