
Merge pull request #10 from swisstxt/fix/checkout-leak
Plug credential leak in actions/checkout
srgoni authored Aug 16, 2024
2 parents 5365270 + ecab7dd commit 144fc0e
Showing 1 changed file with 20 additions and 11 deletions.
31 changes: 20 additions & 11 deletions .github/workflows/scan.yml
Expand Up @@ -29,8 +29,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: go/
- name: run gosec
uses: securego/gosec@master
Expand All @@ -48,22 +49,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: go/
- name: run govulncheck
uses: golang/govulncheck-action@v1
with:
go-version-input: 1.19.0
go-package: ./...
go-version-input: 1.19.0
go-package: ./...
# this action doesn't produce a SARIF report yet, so there's nothing to upload.
# See: https://github.com/golang/go/issues/61347
tfsec:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: terraform/
- name: run tfsec
uses: aquasecurity/[email protected]
Expand All @@ -81,8 +84,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: python/
- uses: actions/setup-python@v4
with:
Expand Down Expand Up @@ -110,8 +114,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: terraform/
- name: run chekov
uses: bridgecrewio/checkov-action@v12
Expand All @@ -129,8 +134,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: bicep/
- name: run chekov
uses: bridgecrewio/checkov-action@v12
Expand All @@ -150,8 +156,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: go/
- name: codeql init
uses: github/codeql-action/init@v2
Expand All @@ -172,8 +179,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: python/
- name: codeql init
uses: github/codeql-action/init@v2
Expand All @@ -194,8 +202,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: python/
- uses: pypa/[email protected]
with:
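Review bot: The new `uses: actions/checkout@v4` line in the first hunk (and the same line in every other hunk of this file) references a mutable tag, so a job that now stops persisting the token still runs whatever code the `v4` tag resolves to at execution time; pinning to a full-length commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, closes that gap. A one-line comment above each `persist-credentials: false` would keep the next editor from dropping it, e.g. `# keep GITHUB_TOKEN out of .git/config so later third-party steps cannot read it`. The unchanged context still references `securego/gosec@master`, the least stable reference in this workflow, though that line is not touched by this commit. Each hunk cuts through its job definition, so whether these jobs declare a `permissions:` block (e.g. `contents: read`) is not visible here; if they do not, adding one would further limit what the token could do if it were exposed by another step.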
