From e8f43075ac9d45de80404c7d45d1734a887271b2 Mon Sep 17 00:00:00 2001 From: Calin Lupas Date: Mon, 30 Mar 2026 11:57:29 -0400 Subject: [PATCH] Update workflow actions to latest versions for improved security and functionality --- .github/workflows/CIS-Anchore-Grype.yml | 10 ++-- .github/workflows/CIS-Trivy-AquaSecurity.yml | 8 ++-- .../DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml | 8 ++-- .github/workflows/IACS-AquaSecurity-tfsec.yml | 6 +-- .github/workflows/IACS-Checkmarx-kics.yml | 6 +-- .../IACS-Microsoft-Security-DevOps.yml | 8 ++-- .../MSDO-Microsoft-Security-DevOps.yml | 8 ++-- .github/workflows/SAST-ESLint.yml | 46 +++++++++++++++++++ .../SAST-GitHubAdvancedSecurity-CodeQL.yml | 6 +-- .github/workflows/SAST-Kubesec.yml | 12 ++--- .github/workflows/SCA-Anchore-Syft-SBOM.yml | 4 +- ...itHubAdvancedSecurity-DependencyReview.yml | 4 +- .github/workflows/SCA-Microsoft-SBOM.yml | 8 ++-- .github/workflows/SCA-OpenSSF-Scorecard.yml | 6 +-- .github/workflows/ci.yml | 4 +- .github/workflows/cicd.yml | 14 +++--- .github/workflows/security-agent-workflow.yml | 6 +-- 17 files changed, 105 insertions(+), 59 deletions(-) create mode 100644 .github/workflows/SAST-ESLint.yml diff --git a/.github/workflows/CIS-Anchore-Grype.yml b/.github/workflows/CIS-Anchore-Grype.yml index 33390bb..589069c 100644 --- a/.github/workflows/CIS-Anchore-Grype.yml +++ b/.github/workflows/CIS-Anchore-Grype.yml @@ -30,10 +30,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build an image from Dockerfile - uses: docker/build-push-action@v6 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: context: ./src/webapp01 file: ./src/webapp01/Dockerfile 
@@ -42,7 +42,7 @@ jobs: load: true - name: Run the Anchore Grype scan action - uses: anchore/scan-action@v6 + uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0 id: scan with: image: "${{ env.imageName }}:${{ env.tag }}" @@ -50,12 +50,12 @@ jobs: severity-cutoff: critical - name: Upload Anchore vulnerability report to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: ${{ steps.scan.outputs.sarif }} - name: Upload alerts file as a workflow artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: alerts path: ${{ steps.scan.outputs.sarif }} \ No newline at end of file diff --git a/.github/workflows/CIS-Trivy-AquaSecurity.yml b/.github/workflows/CIS-Trivy-AquaSecurity.yml index c4e84d3..7db1edb 100644 --- a/.github/workflows/CIS-Trivy-AquaSecurity.yml +++ b/.github/workflows/CIS-Trivy-AquaSecurity.yml 
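Review bot: The `# v4` annotation on the new `github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e` line names only a major line, while the SHA resolves to exactly one release, so a reader cannot tell from the comment which release was audited. The Scorecard workflow in this same patch already follows the full-tag convention (`# v5.0.0`, `# v2.4.3`) and the new SAST-ESLint file annotates the same action as `# v4.1.3`; write the exact tag here too, `uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4.<minor>.<patch> (exact tag from the upstream release)`, so the pin can be verified and kept in step with the SHA by the usual updaters. The same applies to every `github/codeql-action/...@d4b3ca9f… # v4` line in the Trivy, ZAP, tfsec, kics, both MSDO, CodeQL, Kubesec and Scorecard hunks, and to `azure/webapps-deploy@8db8b8d14f21b245e6706fd0607244e354884697 # v3` in cicd.yml. `docker/build-push-action` moves across a major boundary (v6 → v7) in the first hunk of this file; presumably its `with:` inputs are unchanged, but that should be confirmed against the v7 release notes before merging.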
@@ -30,27 +30,27 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build an image from Dockerfile run: | docker build ./src/webapp01 --file ./src/webapp01/Dockerfile --tag ${{ env.imageName }}:${{ env.tag }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.32.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 with: image-ref: "${{ env.imageName }}:${{ env.tag }}" format: "sarif" output: "trivy-results.sarif" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 if: always() with: sarif_file: "trivy-results.sarif" - name: Upload alerts file as a workflow artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: alerts path: "trivy-results.sarif" diff --git a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml index fbf7156..e6b27d3 100644 --- a/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml +++ b/.github/workflows/DAST-ZAP-Zed-Attach-Proxy-Checkmarx.yml @@ -31,7 +31,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # build and start your application here # conditionally run the build step # assuming the application is a Docker container 
@@ -47,14 +47,14 @@ jobs: echo "Application is already running." fi - name: Run ZAP Scan - uses: zaproxy/action-full-scan@v0.12.0 + uses: zaproxy/action-full-scan@3c58388149901b9a03b7718852c5ba889646c27c # v0.13.0 id: zap with: allow_issue_writing: false target: "${{ env.ZAP_TARGET }}" artifact_name: "zap-full-scan" - name: ZAP Scan - uses: zaproxy/action-baseline@v0.14.0 + uses: zaproxy/action-baseline@de8ad967d3548d44ef623df22cf95c3b0baf8b25 # v0.15.0 with: allow_issue_writing: false target: "${{ env.ZAP_TARGET }}" @@ -64,6 +64,6 @@ jobs: - uses: githubabcs-devops/zap-to-ghas@main - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: results.sarif \ No newline at end of file diff --git a/.github/workflows/IACS-AquaSecurity-tfsec.yml b/.github/workflows/IACS-AquaSecurity-tfsec.yml index 57102b8..cccde41 100644 --- a/.github/workflows/IACS-AquaSecurity-tfsec.yml +++ b/.github/workflows/IACS-AquaSecurity-tfsec.yml @@ -23,14 +23,14 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run tfsec - uses: aquasecurity/tfsec-sarif-action@v0.1.4 + uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 # v0.1.4 with: sarif_file: tfsec.sarif - name: Upload SARIF file to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: tfsec.sarif diff --git a/.github/workflows/IACS-Checkmarx-kics.yml b/.github/workflows/IACS-Checkmarx-kics.yml index 4a0dc83..b900fb0 100644 --- a/.github/workflows/IACS-Checkmarx-kics.yml +++ b/.github/workflows/IACS-Checkmarx-kics.yml 
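Review bot: The context line `- uses: githubabcs-devops/zap-to-ghas@main` in the `@@ -64,6 +64,6 @@` hunk is left on a mutable branch reference while every neighbouring step is moved to a commit SHA, so the step that converts ZAP output into the SARIF this job uploads with `security-events: write` is the one third-party action in the file that can still change under the pin. Pin it the same way as the rest of the commit, `- uses: githubabcs-devops/zap-to-ghas@<commit-sha> # <tag>` with the SHA and tag taken from that repository's release, or state in a comment why a floating ref is acceptable here. The two ZAP action bumps (`action-full-scan` v0.12.0 → v0.13.0, `action-baseline` v0.14.0 → v0.15.0) keep `allow_issue_writing: false`, which is the right default for a scheduled scan.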
@@ -24,14 +24,14 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Mkdir results-dir # make sure results dir is created run: mkdir -p results-dir - name: Run kics Scan - uses: checkmarx/kics-github-action@v2.1.13 + uses: checkmarx/kics-github-action@05aa5eb70eede1355220f4ca5238d96b397e30a6 # v2.1.20 with: path: 'terraform' # when provided with a directory on output_path @@ -51,6 +51,6 @@ jobs: cat results-dir/results.json - name: Upload SARIF file to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: results-dir/results.sarif diff --git a/.github/workflows/IACS-Microsoft-Security-DevOps.yml b/.github/workflows/IACS-Microsoft-Security-DevOps.yml index 2d97bb5..dd4878c 100644 --- a/.github/workflows/IACS-Microsoft-Security-DevOps.yml +++ b/.github/workflows/IACS-Microsoft-Security-DevOps.yml @@ -40,10 +40,10 @@ jobs: # Windows and Linux agents are supported runs-on: windows-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Microsoft Security DevOps - uses: microsoft/security-devops-action@v1.12.0 + uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0 id: msdo with: # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). 
@@ -54,13 +54,13 @@ jobs: # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) - name: Upload alerts file as a workflow artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: alerts path: ${{ steps.msdo.outputs.sarifFile }} \ No newline at end of file diff --git a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml index ae11b9f..75d3b6a 100644 --- a/.github/workflows/MSDO-Microsoft-Security-DevOps.yml +++ b/.github/workflows/MSDO-Microsoft-Security-DevOps.yml @@ -28,10 +28,10 @@ jobs: # Windows and Linux agents are supported runs-on: windows-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Microsoft Security DevOps - uses: microsoft/security-devops-action@v1.12.0 + uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0 id: msdo with: # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). 
@@ -42,13 +42,13 @@ jobs: # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: ${{ steps.msdo.outputs.sarifFile }} # Upload alerts file as a workflow artifact - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) - name: Upload alerts file as a workflow artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: alerts path: ${{ steps.msdo.outputs.sarifFile }} \ No newline at end of file diff --git a/.github/workflows/SAST-ESLint.yml b/.github/workflows/SAST-ESLint.yml new file mode 100644 index 0000000..1216d48 --- /dev/null +++ b/.github/workflows/SAST-ESLint.yml 
@@ -0,0 +1,46 @@ +# ESLint is a tool for identifying and reporting on patterns found in ECMAScript/JavaScript code. +# More details at https://github.com/eslint/eslint and https://eslint.org + +name: "SAST - ESLint" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '39 9 * * 4' + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + steps: + - name: Checkout code + uses: actions/checkout@de0fac28217160c9e1c4a3e79f4436864c564dc7 # v6.0.2 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@3.1.0 + + - name: Run ESLint + env: + SARIF_ESLINT_IGNORE_SUPPRESSED: "true" + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@d4b3ca94f14f5cf92f51e5f8efe83e46c6c46ad1 # v4.1.3 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true diff --git a/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml b/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml index 7b5584a..26638f6 100644 --- a/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml +++ b/.github/workflows/SAST-GitHubAdvancedSecurity-CodeQL.yml 
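Review bot: The two SHA pins in this new file disagree with the pins the same patch uses for the same version tags everywhere else: `actions/checkout@de0fac28217160c9e1c4a3e79f4436864c564dc7 # v6.0.2` here versus `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` in all sixteen other files, and `github/codeql-action/upload-sarif@d4b3ca94f14f5cf92f51e5f8efe83e46c6c46ad1 # v4.1.3` here versus `d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4` elsewhere. A tag resolves to exactly one commit, so at most one SHA of each pair can be the tagged release; the other either does not exist (the job fails at action resolution) or is an unrelated commit running under a misleading version label, and the shared seven-character prefixes suggest one set was hand-edited rather than resolved from the tag. Resolve both from the upstream release and use the identical SHA string repo-wide, e.g. `uses: actions/checkout@<sha resolved from the v6.0.2 tag> # v6.0.2`. The `permissions:` block (`contents: read`, `security-events: write`, `actions: read`) is correctly scoped; the `npm install eslint@8.10.0` / `@microsoft/eslint-formatter-sarif@3.1.0` step pins the two top-level packages but, unless the repository carries a lockfile (not visible here), their transitive dependencies still float on each run, which `npm ci` against a committed lockfile would avoid.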
@@ -48,7 +48,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` @@ -58,7 +58,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -86,6 +86,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/SAST-Kubesec.yml b/.github/workflows/SAST-Kubesec.yml index e427816..229b38b 100644 --- a/.github/workflows/SAST-Kubesec.yml +++ b/.github/workflows/SAST-Kubesec.yml @@ -23,10 +23,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run kubesec scanner (critical-double.yaml) - uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 # v0.0.2 with: input: manifests/critical-double.yaml # specify configuration file to scan here format: template 
@@ -52,7 +52,7 @@ jobs: - name: Upload Kubesec scan results to GitHub Security tab if: steps.validate.outputs.valid == 'true' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: kubesec-results.sarif @@ -61,10 +61,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run kubesec scanner (score-5-pod-serviceaccount.yaml) - uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 # v0.0.2 with: input: manifests/score-5-pod-serviceaccount.yaml # specify configuration file to scan here format: template @@ -90,6 +90,6 @@ jobs: - name: Upload Kubesec scan results to GitHub Security tab if: steps.validate.outputs.valid == 'true' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: kubesec-results.sarif \ No newline at end of file diff --git a/.github/workflows/SCA-Anchore-Syft-SBOM.yml b/.github/workflows/SCA-Anchore-Syft-SBOM.yml index 7cf2057..084f3a6 100644 --- a/.github/workflows/SCA-Anchore-Syft-SBOM.yml +++ b/.github/workflows/SCA-Anchore-Syft-SBOM.yml @@ -26,13 +26,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build the Docker image run: docker build ./src/webapp01 --file ./src/webapp01/Dockerfile --tag ${{ env.imageName }}:${{ env.tag }} - name: Scan the image and upload dependency results - uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c + uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 continue-on-error: true with: image: "${{ env.imageName }}:${{ env.tag }}" 
diff --git a/.github/workflows/SCA-GitHubAdvancedSecurity-DependencyReview.yml b/.github/workflows/SCA-GitHubAdvancedSecurity-DependencyReview.yml index b42bea6..73337c4 100644 --- a/.github/workflows/SCA-GitHubAdvancedSecurity-DependencyReview.yml +++ b/.github/workflows/SCA-GitHubAdvancedSecurity-DependencyReview.yml @@ -17,9 +17,9 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout repository' - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0 # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. with: comment-summary-in-pr: always diff --git a/.github/workflows/SCA-Microsoft-SBOM.yml b/.github/workflows/SCA-Microsoft-SBOM.yml index 492f80c..00e0304 100644 --- a/.github/workflows/SCA-Microsoft-SBOM.yml +++ b/.github/workflows/SCA-Microsoft-SBOM.yml @@ -19,9 +19,9 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: dotnet-version: ${{ env.DOTNET_VERSION }} - name: dotnet build 
@@ -36,11 +36,11 @@ jobs: $RUNNER_TEMP/sbom-tool generate -b ./buildOutput -bc . -pn Test -pv 1.0.0 -ps MyCompany -nsb https://sbom.mycompany.com -V Verbose - name: Upload a Build Artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: path: buildOutput - name: SBOM upload - uses: advanced-security/spdx-dependency-submission-action@v0.1.1 + uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1 with: filePath: "_manifest/spdx_2.2/" \ No newline at end of file diff --git a/.github/workflows/SCA-OpenSSF-Scorecard.yml b/.github/workflows/SCA-OpenSSF-Scorecard.yml index 075e422..bb8927c 100644 --- a/.github/workflows/SCA-OpenSSF-Scorecard.yml +++ b/.github/workflows/SCA-OpenSSF-Scorecard.yml @@ -34,12 +34,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif @@ -73,6 +73,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4 with: sarif_file: results.sarif diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ecaf0d8..a9900df 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -24,11 +24,11 @@ jobs: steps: # Checkout the repo - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Setup .NET Core SDK - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: dotnet-version: ${{ env.DOTNET_VERSION }} diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index e4b5711..7803951 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -53,10 +53,10 @@ jobs: webapp_url: ${{ steps.deploy.outputs.webapp_url }} resource_group: ${{ steps.deploy.outputs.resource_group }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Azure Login - uses: azure/login@v2 + uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -158,11 +158,11 @@ jobs: AZURE_WEBAPP_NAME: ${{ needs.deploy-infrastructure.outputs.webapp_name }} steps: # Checkout the repo - - uses: actions/checkout@v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # Setup .NET Core SDK - name: Setup .NET Core - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 with: dotnet-version: ${{ env.DOTNET_VERSION }} @@ -174,7 +174,7 @@ jobs: dotnet publish -c Release --property:PublishDir='bin/publish' ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}${{ env.SRC_PROJECT_PATH }} - name: Azure Login - uses: azure/login@v2 + uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} 
@@ -183,7 +183,7 @@ jobs: # Deploy to Azure Web apps - name: "Run Azure webapp deploy action using publish profile credentials" if: false # This disables the action - uses: azure/webapps-deploy@v3 + uses: azure/webapps-deploy@8db8b8d14f21b245e6706fd0607244e354884697 # v3 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name package: "${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/webapp01/bin/publish" @@ -199,7 +199,7 @@ jobs: docker push ${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:latest - name: Azure Web Apps Deploy - uses: azure/webapps-deploy@v3 + uses: azure/webapps-deploy@8db8b8d14f21b245e6706fd0607244e354884697 # v3 with: app-name: ${{ env.AZURE_WEBAPP_NAME }} images: "${{ env.AZURE_ACR_NAME }}.azurecr.io/webapp01:${{ github.sha }}" diff --git a/.github/workflows/security-agent-workflow.yml b/.github/workflows/security-agent-workflow.yml index 54d6fcf..c9a6051 100644 --- a/.github/workflows/security-agent-workflow.yml +++ b/.github/workflows/security-agent-workflow.yml @@ -15,10 +15,10 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 22 @@ -73,7 +73,7 @@ jobs: - name: Upload security report artifact if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: security-assessment-report-${{ github.run_id }} path: security-reports/security-assessment-report.md