l3montree-dev · timbastin · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026 · Mar 2, 2026
diff --git a/.github/workflows/devguard-scanner.yaml b/.github/workflows/devguard-scanner.yaml
@@ -6,24 +6,20 @@ on:
   workflow_dispatch:
   push:
 
-permissions:
-  contents: write
-  actions: read
-  security-events: write
-  packages: write
-
-
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
       with:
         submodules: recursive
+        persist-credentials: false
     - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
       with:
-        go-version: '1.25.5'
+        go-version: '1.25.6'
         cache: false
     - name: golangci-lint
       uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 - https://github.com/golangci/golangci-lint-action/releases/tag/v8.0.0
@@ -34,16 +30,18 @@ jobs:
   tests:
     name: tests
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: read
     steps:
     - name: Check out code
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
       with:
         submodules: recursive
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
       with:
-        go-version: '1.25.5'
+        go-version: '1.25.6'
 
     - name: Run unittests
       run: go test $(go list ./... | grep -v "/mocks") -coverprofile=coverage.out && go tool cover -func=coverage.out
@@ -56,6 +54,11 @@ jobs:
 
   devguard:
     uses: l3montree-dev/devguard-action/.github/workflows/full.yml@main
+    permissions:
+      contents: write
+      actions: read
+      security-events: write
+      packages: write
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
@@ -70,6 +73,9 @@ jobs:
 
   build-scanner-image:
     uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
+    permissions:
+      contents: read
+      packages: write
     with:
       artifact-name: "pkg:oci/scanner?repository_url=ghcr.io/l3montree-dev/devguard/scanner"
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
@@ -83,6 +89,9 @@ jobs:
   # Image scanning job to detect vulnerabilities in the built Docker image
   scanner-container-scanning:
     uses: l3montree-dev/devguard-action/.github/workflows/container-scanning.yml@main
+    permissions:
+      contents: read
+      security-events: write
     needs: 
     - build-scanner-image
     with:
@@ -97,11 +106,14 @@ jobs:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
   deploy-scanner:
-    needs: 
+    needs:
     - build-scanner-image
     - scanner-container-scanning
     - tests
     uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
+    permissions:
+      contents: read
+      packages: write
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
@@ -110,11 +122,14 @@ jobs:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}     
 
   sign-scanner:
-    needs: 
+    needs:
     - build-scanner-image
     - scanner-container-scanning
     - tests
     uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
+    permissions:
+      contents: read
+      packages: write
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
@@ -124,11 +139,14 @@ jobs:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
   attest-scanner:
-    needs: 
+    needs:
     - build-scanner-image
     - scanner-container-scanning
     - tests
     uses: l3montree-dev/devguard-action/.github/workflows/attest.yml@main
+    permissions:
+      contents: read
+      packages: write
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard
       api-url: https://api.main.devguard.org
@@ -140,6 +158,8 @@ jobs:
   release:
     name: Build and Release Binaries
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     # needs: [golangci, tests, sign-scanner, devguard]
     if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/test-release'
     outputs:
@@ -149,16 +169,18 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@v5
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Set up Go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
         with:
-          go-version: '1.25'
+          go-version: '1.25.6'
+          cache: false
 
       - name: Get tag
         id: tag
         run: |
-          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
             echo "tag=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT
             echo "TAG_NO_V=${GITHUB_REF_NAME#v}" >> $GITHUB_ENV
           else
@@ -170,7 +192,7 @@ jobs:
           mkdir -p dist
 
           # Build flags for security-hardened binaries
-          BUILD_FLAGS="-s -w -buildid= -X main.version=${{ steps.tag.outputs.tag }} -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions"
+          BUILD_FLAGS="-s -w -buildid= -X main.version=${STEPS_TAG_OUTPUTS_TAG} -X main.commit=${{ github.sha }} -X main.date=$(date -u +%Y-%m-%dT%H:%M:%SZ) -X main.builtBy=github-actions"
 
           # Build for Linux amd64
           GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="$BUILD_FLAGS" -o dist/devguard-scanner-linux-amd64 ./cmd/devguard-scanner
@@ -189,6 +211,8 @@ jobs:
 
           # Build for macOS arm64
           GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -ldflags="$BUILD_FLAGS" -o dist/devguard-scanner-darwin-arm64 ./cmd/devguard-scanner
+        env:
+          STEPS_TAG_OUTPUTS_TAG: ${{ steps.tag.outputs.tag }}
 
       - name: Create archives
         run: |
@@ -231,7 +255,7 @@ jobs:
             "
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         with:
           tag_name: ${{ steps.tag.outputs.tag }}
           name: "DevGuard Scanner ${{ steps.tag.outputs.tag }}"

diff --git a/.github/workflows/documentation_policy_check.yml b/.github/workflows/documentation_policy_check.yml
@@ -1,6 +1,8 @@
 name: Documentation Policy Check
 on:
   pull_request:
+permissions:
+  contents: read
 jobs:
 #  naming_convention_check:
 #   uses: l3montree-dev/devguard-action/.github/workflows/naming-convention.yml@add-documentation-policy

diff --git a/.github/workflows/postgresql.yaml b/.github/workflows/postgresql.yaml
@@ -7,13 +7,15 @@ on:
 
 permissions:
   contents: read
-  packages: write
 
 # There is a single job in this workflow. It's configured to run on the latest available version of Ubuntu.
 jobs:
   # Docker image build job
   build-image:
     uses: l3montree-dev/devguard-action/.github/workflows/build-image.yml@main
+    permissions:
+      contents: read
+      packages: write
     with:
       artifact-name: "postgresql"
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
@@ -38,10 +40,13 @@ jobs:
       devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
 
   deploy:
-    needs: 
+    needs:
     - build-image
     - container-scanning
     uses: l3montree-dev/devguard-action/.github/workflows/deploy.yml@main
+    permissions:
+      contents: read
+      packages: write
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
       api-url: https://api.main.devguard.org
@@ -51,10 +56,13 @@ jobs:
     if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
 
   sign:
-    needs: 
+    needs:
     - build-image
     - container-scanning
     uses: l3montree-dev/devguard-action/.github/workflows/sign.yml@main
+    permissions:
+      contents: read
+      packages: write
     with:
       asset-name: l3montree-cybersecurity/projects/devguard/assets/devguard-postgresql
       api-url: https://api.main.devguard.org

diff --git a/.github/workflows/vulndb.yaml b/.github/workflows/vulndb.yaml
@@ -54,10 +54,12 @@ jobs:
           PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "CREATE EXTENSION IF NOT EXISTS semver;"
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 - https://github.com/actions/checkout/releases/tag/v5.0.0
+        with:
+          persist-credentials: false
       - name: Install Golang
         uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 - https://github.com/actions/setup-go/releases/tag/v5.5.0
         with:
-          go-version: 1.25
+          go-version: "1.25"
       - name: Import the last database version (this takes some time)
         if: ${{ github.event.inputs.run_import == 'true' || github.event.inputs.run_import == null }}
         run: |
@@ -97,7 +99,7 @@ jobs:
         if: ${{  github.event.inputs.run_generate_snapshot == 'false' || github.event.inputs.run_generate_snapshot == '' }}
         run: zip -r vulndb.zip diffs-tmp
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v4.0.0
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
           cosign-release: "v2.6.1"
 
@@ -109,13 +111,13 @@ jobs:
           COSIGN_PASSWORD: ""
         run: cosign import-key-pair --key cosign.key && cosign sign-blob --yes --key import-cosign.key vulndb.zip > vulndb.zip.sig
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Setup oras cli
-        uses: oras-project/setup-oras@v1
+        uses: oras-project/setup-oras@22ce207df3b08e061f537244349aac6ae1d214f6 # v1
 
       - name: set the date
         run: echo "date="${{env.DATE}} >> "$GITHUB_ENV"

diff --git a/Dockerfile b/Dockerfile
@@ -13,7 +13,7 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-FROM golang:1.25.5-trixie@sha256:4f9d98ebaa759f776496d850e0439c48948d587b191fc3949b5f5e4667abef90 AS golang-builder
+FROM golang:1.25.6-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS golang-builder
 
 ARG GITHUB_SHA
 ARG GITHUB_REF_NAME

diff --git a/Dockerfile.scanner b/Dockerfile.scanner
@@ -1,4 +1,4 @@
-FROM golang:1.25.5-trixie@sha256:4f9d98ebaa759f776496d850e0439c48948d587b191fc3949b5f5e4667abef90 AS golang-builder
+FROM golang:1.25.6-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS golang-builder
 
 # set the working directory
 WORKDIR /app