Fix Scorecard SARIF publication#3
Codecov Report: ✅ All modified and coverable lines are covered by tests.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d3fd32ff7d
| --output="scorecard-results.sarif" \ | ||
| --show-details | ||
| - name: Run Scorecard | ||
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 |
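Review bot: with the CLI invocation lines `--output="scorecard-results.sarif"` and `--show-details` removed, the hunk no longer shows where the SARIF file is written; the new `uses: ossf/scorecard-action@...` step needs its results path to match the file the upload step reads, otherwise the upload has nothing to publish. Please show the step's input configuration (results file and SARIF format) in the same change so the output location can be reviewed alongside the pin.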
Pin the Scorecard container image too
Using a commit SHA here does not pin the code that actually runs: the action metadata at this revision declares image: docker://ghcr.io/ossf/scorecard-action:v2.4.3, so GitHub pulls a mutable container tag on each run. This regresses from the previous CLI download with a checked SHA256, and because the step now has id-token: write and security-events: write, a retagged or compromised image would run with those privileges before SARIF upload; keep the checksum-verified CLI path or invoke a digest-pinned container instead.
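As an added example (not code from this PR or from the Scorecard project), a small audit for the gap the comment above describes: a commit-pinned uses: reference whose action.yml still resolves to a mutable docker:// tag. The action.yml text and the sha256 digest are constructed samples, not real metadata.

```python
import re

# Constructed sample action.yml, modelled on the situation the review comment describes:
# the commit-pinned action metadata still points at a mutable container tag.
SAMPLE_ACTION_YML = """\
name: "Scorecard"
runs:
  using: "docker"
  image: "docker://ghcr.io/ossf/scorecard-action:v2.4.3"
"""

# Constructed digest-pinned variant (placeholder digest, not a real image digest).
DIGEST_PINNED_ACTION_YML = SAMPLE_ACTION_YML.replace(":v2.4.3", "@sha256:" + "0" * 64)

SHA_RE = re.compile(r"^[^@\s]+@[0-9a-f]{40}$")                      # owner/repo@<40-hex commit>
IMAGE_RE = re.compile(r"^\s*image:\s*[\"']?(docker://[^\"'\s]+)", re.M)
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def uses_is_sha_pinned(uses_ref: str) -> bool:
    """True when the workflow 'uses:' reference is a full commit SHA, not a tag or branch."""
    return bool(SHA_RE.match(uses_ref.split("#", 1)[0].strip()))


def container_image(action_yml: str):
    """Return the docker:// image an action.yml declares, or None for JS/composite actions."""
    m = IMAGE_RE.search(action_yml)
    return m.group(1) if m else None


def audit_step(uses_ref: str, action_yml: str) -> dict:
    """A step is only immutable when both the action commit and its container image are pinned."""
    image = container_image(action_yml)
    image_pinned = image is None or bool(DIGEST_RE.search(image))
    uses_pinned = uses_is_sha_pinned(uses_ref)
    return {
        "uses_pinned": uses_pinned,
        "image": image,
        "image_pinned": image_pinned,
        "effective_pin": uses_pinned and image_pinned,
    }


if __name__ == "__main__":
    ref = "ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3"
    print(audit_step(ref, SAMPLE_ACTION_YML))         # effective_pin is False: tag is mutable
    print(audit_step(ref, DIGEST_PINNED_ACTION_YML))  # effective_pin is True
```

In practice the action.yml is fetched at the pinned commit from the action's repository and fed to audit_step in place of the sample.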