diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2df7878..29c279f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -5,9 +5,12 @@ name: "Upload SARIF"
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 permissions:
 # required for all workflows
 security-events: write
@@ -17,9 +20,9 @@ jobs:
 steps:
 # This step checks out a copy of your repository.
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v1
+ uses: github/codeql-action/upload-sarif@231aa2c8a89117b126725a0e11897209b7118144 # v1.1.39
 with:
 # Path to SARIF file relative to the root of the repository
 sarif_file: cx_result.sarif
diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml
index 50d7791..ab1bca8 100644
--- a/.github/workflows/checkmarx.yml
+++ b/.github/workflows/checkmarx.yml
@@ -5,13 +5,13 @@ on: [pull_request,workflow_dispatch]
 jobs:
 build:
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
 - name: Checkmarx AST CLI Action
- uses: checkmarx/ast-github-action@main
+ uses: checkmarx/ast-github-action@dab12e5276a3025532f9723601ec38a4b7a37ed5 # main
 with:
 base_uri: ${{ secrets.BASE_URL }}
 cx_tenant: ${{ secrets.TENANT }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index f45615f..d54edfe 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -14,10 +14,13 @@ name: "CodeQL"
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 permissions:
 actions: read
 contents: read
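Review bot: The new workflow-level `permissions: contents: read` does not reach the `build` job, because a job-level `permissions:` block replaces the workflow default rather than extending it, and `build` declares its own block (visible from `permissions:` through `security-events: write`; it may continue past the hunk). Every scope that job block omits is dropped to none for the job, so the checkout step in the next hunk depends on the job block itself listing `contents: read`, which cannot be confirmed from this hunk. The same top-level default is added in the codeql.yml hunk at `@@ -14,10 +14,13 @@`, where the `analyze` job's own block does list `contents: read`. A one-line comment on the new block, `# workflow default; a job that declares its own permissions: block replaces this entirely`, would make the precedence explicit for the next editor.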
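Review bot: The `Upload SARIF file` step is pinned to the CodeQL Action v1 line (`# v1.1.39`) while the codeql.yml hunks in this same commit pin `init`, `autobuild` and `analyze` to v2.28.1; as far as I know the v1 line is deprecated upstream, so this pin freezes a release that no longer receives fixes. Pinning to the commit already used in codeql.yml, `uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1`, keeps all four CodeQL steps on one version with one update path. The version annotation is what an update bot keys on, so whichever line is chosen, the comment should name a real release tag.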
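Review bot: `runs-on: cx-public-ubuntu-x64` moves a job triggered by `pull_request` (the trigger is visible in the hunk header) off GitHub-hosted runners; if that label is a self-hosted pool and the repository accepts pull requests from forks, untrusted PR content is checked out and scanned on persistent infrastructure, which GitHub's hardening guidance advises against for public repositories. Confirm the pool is ephemeral and isolated per job, or keep this PR-triggered job on GitHub-hosted runners; the same runner switch is made in the build.yml, codeql.yml and one-scan.yml hunks, where the trigger is `workflow_dispatch` or not visible. Separately, the annotation `# main` on the ast-github-action pin records a moving branch rather than a release, so the SHA cannot be matched to a changelog or tracked by an update bot; `uses: checkmarx/ast-github-action@<release-sha> # v<tag>` pinned to a tagged release would be auditable.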
@@ -32,11 +35,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -50,7 +53,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v2
+ uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -63,4 +66,4 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
diff --git a/.github/workflows/one-scan.yml b/.github/workflows/one-scan.yml
index 0da51ad..57414a2 100644
--- a/.github/workflows/one-scan.yml
+++ b/.github/workflows/one-scan.yml
@@ -11,12 +11,12 @@ on:
 jobs:
 cx-scan:
 name: Checkmarx One Scan
- runs-on: ubuntu-latest
+ runs-on: cx-public-ubuntu-x64
 steps:
 - name: Checkout
 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Checkmarx One CLI Action
- uses: checkmarx/ast-github-action@daniel-test
+ uses: checkmarx/ast-github-action@5d1bb08e8f5c881087053f97047aa320a97234a1 # daniel-test
 with:
 base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
 cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
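Review bot: This commit pins `actions/checkout` at three different majors — `v3.6.0` here, `v2.7.0` in the build.yml and checkmarx.yml hunks, and `v4.1.1` in the one-scan.yml hunk — so the repository now carries three frozen versions of the same action, each needing its own update. The `v4.1.1` commit is already in the tree, so `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` would converge the other three on one pin; as far as I know the v2 and v3 lines run on Node runtimes that GitHub has retired. The codeql-action pins in this and the following two hunks agree with each other at `v2.28.1`, which is good, though whether that major is still the maintained line is worth checking upstream before freezing on it.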
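Review bot: The new pin `5d1bb08e8f5c881087053f97047aa320a97234a1 # daniel-test` freezes the scan step on a commit from what the annotation marks as a personal test branch, so every run now executes unreleased code whose only provenance is that branch name. If this is the intended production action, pin a tagged release and record the tag in the comment (`# v<tag>`); if the branch was a temporary experiment, say so in a comment above the step, e.g. `# TODO: temporary pin to a test branch; replace with a tagged release`, so the next update does not silently keep it. The `runs-on` switch here has the same self-hosted-runner exposure as the other three files if forked-PR triggers exist; this job's `on:` block is outside the hunk, so that cannot be confirmed from here.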