chore: pin GitHub Actions to immutable SHAs #32
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit 8c3cb99. Configure here.
| "ref": "registry+https://github.com/rust-lang/crates.io-index#zmij@1.0.21" | ||
| } | ||
| ] | ||
| } No newline at end of file |
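Review bot: the generated SBOM is written without a trailing newline (`No newline at end of file` on the closing `}`), so every future regeneration will show a spurious change on the last line and some JSON linters will complain; emit the file with a final newline when the SBOM is produced.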
SBOM file has wrong name, contains Go data
Medium Severity
The file crates/pheno-ffi-go/crates_pheno-ffi-python.json is named "python" but its metadata.component describes pheno-ffi-go with "Go FFI bindings for phenotype-config". Its content is nearly identical to crates/pheno-ffi-go/crates_pheno-ffi-go.json (same component, different UUID/timestamp). Meanwhile, crates/pheno-ffi-python/crates_pheno-ffi-go.json contains actual Python SBOM data. The filenames appear swapped between the two crate directories. Any tooling consuming these SBOMs will get incorrect dependency information.
| ], | ||
| "component": { | ||
| "type": "library", | ||
| "bom-ref": "path+file:///Users/kooshapari/CodeProjects/Phenotype/repos/Configra/crates/pheno-ffi-go#0.1.0", |
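Review bot: the `bom-ref` on the last line of this hunk embeds a developer workstation path (`path+file:///Users/kooshapari/CodeProjects/Phenotype/repos/Configra/...`) into a committed artifact, which both discloses the local username and directory layout and makes the file differ depending on who regenerates it; produce the SBOM from a clean CI checkout, or rewrite the `path+file://` URLs to a repository-relative form before committing, so the reference is stable and carries no local paths.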
SBOM files leak developer local filesystem paths
Low Severity
Both new SBOM files contain absolute local filesystem paths like path+file:///Users/kooshapari/CodeProjects/Phenotype/repos/Configra/... in multiple bom-ref, purl, and ref fields throughout the files. This exposes the developer's username and directory structure in committed artifacts, which is an information disclosure concern — especially notable in a PR focused on improving supply chain security.


Pin GitHub Actions to immutable SHA references for supply chain security.
🤖 Generated with Claude Code
Note
Medium Risk
Mostly CI/workflow hardening by pinning actions/checkout, but it also adds large generated SBOM JSON files that embed absolute local file paths, which could create noise or unintended info exposure if published/used downstream.
Overview
Pins GitHub Actions checkout to an immutable commit SHA (actions/checkout@b4ffde… / v4.1.1) across all workflows to reduce supply-chain risk. Adds generated CycloneDX SBOM outputs for crates/pheno-ffi-go (crates_pheno-ffi-go.json and crates_pheno-ffi-python.json), introducing large tracked artifacts that enumerate dependencies and include build metadata (e.g., target triple and file URLs).
Reviewed by Cursor Bugbot for commit 8c3cb99. Bugbot is set up for automated code reviews on this repo.
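The two review points above (actions pinned to a full commit SHA rather than a tag, and SBOMs that embed `path+file:///` workstation paths) can be checked mechanically before merge. The script below is an added example, not code from this PR or the Configra repository; the workflow snippet, the 40-hex placeholder SHA and the SBOM fragment are constructed inputs.

```python
import json
import re

# A full 40-hex commit SHA is the only 'uses:' ref GitHub cannot silently move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def unpinned_uses(workflow_text):
    # Return (line_no, ref) for every remote 'uses:' whose version part is not a
    # commit SHA. Local ('./...') and docker:// refs are skipped: no tag-vs-SHA choice.
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            findings.append((no, ref))
    return findings

def local_path_refs(sbom_json_text):
    # Walk a CycloneDX SBOM and return the dotted key path of every string value
    # that embeds an absolute local filesystem URL (path+file:///...).
    hits = []
    def walk(node, path):
        if isinstance(node, dict):
            for k, v in node.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(node, list):
            for i, v in enumerate(node):
                walk(v, f"{path}[{i}]")
        elif isinstance(node, str) and "path+file:///" in node:
            hits.append(path)
    walk(json.loads(sbom_json_text), "")
    return hits

# Constructed sample inputs (not taken from the PR); the SHA below is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.1.1
      - uses: ./.github/actions/local-step
"""
SAMPLE_SBOM = json.dumps({"metadata": {"component": {"purl": "pkg:cargo/pheno-ffi-go@0.1.0",
    "bom-ref": "path+file:///Users/dev/project/crates/pheno-ffi-go#0.1.0"}}})
```

Run both functions over every file under `.github/workflows/` and every committed SBOM in CI and fail the job on a non-empty result, so a tag-pinned action or a leaked local path cannot be merged unnoticed.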