diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 96b29b7..5253a6a 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -33,7 +33,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: persist-credentials: false @@ -68,6 +68,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: sarif_file: results.sarif diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml index d0ddfe9..244418b 100644 --- a/.github/workflows/standard-build.yaml +++ b/.github/workflows/standard-build.yaml @@ -209,7 +209,7 @@ jobs: docker system df - name: Save Trivy vulnerability attestation - uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 if: ${{ inputs.enable-trivy-scan }} with: image-ref: ${{ fromJson(steps.image_meta.outputs.json).tags[0] }} @@ -226,7 +226,7 @@ jobs: trivy-vuln-attestation.json - name: Run Trivy vulnerability scanner for GitHub Security tab - uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 if: ${{ github.event_name != 'pull_request' && inputs.enable-trivy-scan }} with: image-ref: ${{ fromJson(steps.image_meta.outputs.json).tags[0] }} @@ -235,7 +235,7 @@ jobs: output: "trivy-results.sarif" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 if: ${{ github.event_name != 'pull_request' && inputs.enable-trivy-scan }} with: sarif_file: "trivy-results.sarif" @@ -246,7 +246,7 @@ jobs: curl -o trivy-pr-report.md.tpl https://raw.githubusercontent.com/miracum/.github/master/.github/trivy-pr-report.md.tpl - name: Run Trivy vulnerability scanner for PR comment - uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 if: ${{ github.event_name == 'pull_request' && inputs.enable-trivy-scan }} with: image-ref: ${{ fromJson(steps.image_meta.outputs.json).tags[0] }} diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml index d00c1ba..f968ca8 100644 --- a/.github/workflows/standard-lint.yaml +++ b/.github/workflows/standard-lint.yaml @@ -111,7 +111,7 @@ jobs: - name: Checkout Code uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Validate Gradle Wrapper - uses: gradle/actions/wrapper-validation@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2 + uses: gradle/actions/wrapper-validation@dbbdc275be76ac10734476cc723d82dfe7ec6eda # v3.4.2 base-image-signature-verification: name: verify Dockerfile base image signature @@ -166,7 +166,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/init@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -179,7 +179,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/autobuild@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -192,6 +192,6 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/analyze@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/standard-schedule.yaml b/.github/workflows/standard-schedule.yaml index 075863b..5e38b00 100644 --- a/.github/workflows/standard-schedule.yaml +++ b/.github/workflows/standard-schedule.yaml @@ -72,7 +72,7 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results steps: - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0 + uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0 with: image-ref: "${{ matrix.image }}" format: "template" @@ -81,6 +81,6 @@ jobs: severity: "CRITICAL,HIGH" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10 with: sarif_file: "trivy-results.sarif"