Fix SLSA provenance #191

Closed

dorssel wants to merge 1 commit into main from slsa

Conversation

@dorssel dorssel (Owner) commented Jun 28, 2026

This PR exists just to silence GitHub from suggesting to create one. This PR will be closed (without merge) immediately.

The 'slsa' branch exists just to fix the fact that we want hash-pinning of actions, but generator_generic_slsa3 only works with version pinning.

@dorssel dorssel closed this Jun 28, 2026
@github-actions github-actions (Contributor) commented

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
| --- | --- | --- |
| actions/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml | 2.1.0 | 🟢 6.6 |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Security-Policy | 🟢 10 | security policy file detected |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| License | 🟢 10 | license file detected |
| Pinned-Dependencies | 🟢 4 | dependency not pinned by hash detected -- score normalized to 4 |
| CII-Best-Practices | 🟢 5 | badge detected: Passing |
| Signed-Releases | 🟢 10 | 5 out of the last 5 releases have a total of 5 signed artifacts. |
| SAST | 🟢 7 | SAST tool detected but not run on all commits |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| Branch-Protection | ⚠️ 2 | branch protection is not maximal on development and all release branches |
| CI-Tests | ⚠️ 2 | 7 out of 28 merged PRs checked by a CI test -- score normalized to 2 |
| Vulnerabilities | ⚠️ 0 | 143 existing vulnerabilities detected |
| Contributors | 🟢 10 | project has 33 contributing companies or organizations |

Scanned Files

  • .github/workflows/slsa.yml

@codecov codecov Bot commented Jun 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (f4284ac) to head (6621a38).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #191   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            4         4           
  Lines           81        81           
  Branches        14        14           
=========================================
  Hits            81        81           


@github-actions github-actions (Contributor) commented

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
| --- | --- | --- | --- | --- | --- | --- |
| ✅ ACTION | actionlint | 7 | | 0 | 0 | 0.07s |
| ❌ ACTION | zizmor | 7 | | 15 | 0 | 1.95s |
| ✅ EDITORCONFIG | editorconfig-checker | 55 | | 0 | 0 | 0.04s |
| ✅ JSON | jsonlint | 3 | | 0 | 0 | 0.09s |
| ✅ JSON | prettier | 3 | | 0 | 0 | 0.5s |
| ✅ JSON | v8r | 3 | | 0 | 0 | 4.86s |
| ✅ MARKDOWN | markdownlint | 2 | | 0 | 0 | 0.71s |
| ✅ MARKDOWN | markdown-table-formatter | 2 | | 0 | 0 | 0.28s |
| ✅ REPOSITORY | checkov | yes | | no | no | 20.68s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.24s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 47.21s |
| ✅ REPOSITORY | osv-scanner | yes | | no | no | 0.59s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 1.11s |
| ✅ REPOSITORY | syft | yes | | no | no | 3.87s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 4.95s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 3.38s |
| ✅ XML | xmllint | 5 | | 0 | 0 | 0.57s |
| ✅ YAML | prettier | 12 | | 0 | 0 | 0.95s |
| ✅ YAML | v8r | 12 | | 0 | 0 | 8.98s |
| ✅ YAML | yamllint | 12 | | 0 | 0 | 1.36s |

Detailed Issues

❌ ACTION / zizmor - 15 errors
INFO zizmor: 🌈 zizmor v1.25.0
 INFO audit: zizmor: 🌈 completed .github/workflows/codeql.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/devskim.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/dotnet.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/mega-linter.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/nuget.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/reuse.yml
 INFO audit: zizmor: 🌈 completed .github/workflows/slsa.yml
error[unpinned-uses]: unpinned action reference
  --> .github/workflows/slsa.yml:66:11
   |
66 |     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # f7dd8c54c2067bafc12ca7a55595d5...
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

15 findings (14 suppressed, 1 unsafe fixes): 0 informational, 0 low, 0 medium, 1 high

