fix(security): pin Semgrep CI container image by SHA digest (#15)

sunny-se · claude · web-flow · commit 93d2f4896f4a · 2026-05-27T15:12:31.000+05:30
F-004 / DEVA11Y-476 — The Semgrep workflow used an unpinned image tag
(CWE-829), enabling tag-poisoning attacks. Pin to SHA256 digest.
This is the chain-breaker for C-001 (DEVA11Y-485, CVSS 10.0).

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
@@ -26,8 +26,9 @@ jobs:
     runs-on: ubuntu-latest
 
     container:
-      # A Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
+      # Pinned by digest for supply-chain integrity (DEVA11Y-476).
+      # To update: docker manifest inspect returntocorp/semgrep:latest
+      image: returntocorp/semgrep@sha256:f682953ce85e3725f4a4dd94bd7ad13e570bb6b2c7a8cf7c6e38a9eac89239b2
 
     # Skip any PR created by dependabot to avoid permission issues:
     if: (github.actor != 'dependabot[bot]')
