Security: Address OpenSSF Scorecard Alerts #17
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 05644f5cad
| @@ -1,4 +1,5 @@ | |||
| FROM gcr.io/oss-fuzz-base/base-builder-rust | |||
| FROM gcr.io/oss-fuzz-base/base-builder-rust@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 2024-11-14 | |||
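Review bot: the new FROM line does not contain a usable digest pin: the value after `@` in `base-builder-rust@8e8c483db84b4bee98b60c0593521ed34d9990e8` is a bare 40-hex string (the shape of a Git commit SHA), while an OCI image digest must be written `@sha256:<64 hex chars>`. Docker will reject this reference when it parses the Dockerfile, so the ClusterFuzzLite build fails before any fuzzer is compiled. Resolve the real digest of the tag you intend (for example with `docker buildx imagetools inspect gcr.io/oss-fuzz-base/base-builder-rust` or `crane digest gcr.io/oss-fuzz-base/base-builder-rust`) and pin as `FROM gcr.io/oss-fuzz-base/base-builder-rust@sha256:<digest> # 2024-11-14`. The identical 40-hex value is reused for the Semgrep container elsewhere in this PR, which suggests a placeholder was pasted into both files rather than a digest looked up per image.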
Use a valid OCI digest in fuzzing base image reference
The FROM reference pins base-builder-rust as @8e8c483db84b4bee98b60c0593521ed34d9990e8, which is a 40-character Git SHA and not a valid OCI digest format (@sha256:<64-hex>). Docker/BuildKit cannot resolve this image reference, so the ClusterFuzzLite build steps that consume .clusterfuzzlite/Dockerfile will fail before fuzzers are built.
| contents: read | ||
| security-events: write | ||
| container: | ||
| image: returntocorp/semgrep@sha256:8e8c483db84b4bee98b60c0593521ed34d9990e8 # v1.100.0 |
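Review bot: the job container pin `returntocorp/semgrep@sha256:8e8c483db84b4bee98b60c0593521ed34d9990e8` is malformed: the hex part after `sha256:` is 40 characters, but a SHA-256 digest is 64, so the runner cannot pull the image and the Semgrep scan plus the SARIF upload that depends on `security-events: write` never execute. The value is also byte-for-byte the same as the one used in the `.clusterfuzzlite/Dockerfile` hunk, so it cannot be the digest of the `v1.100.0` tag named in the trailing comment; fetch the digest for that tag (`crane digest returntocorp/semgrep:v1.100.0`) and replace the pin with the 64-hex result, keeping the `# v1.100.0` comment so the pinned version remains readable.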
Fix invalid digest length for Semgrep job container
The workflow pins the Semgrep container as returntocorp/semgrep@sha256:8e8c483db84b4bee98b60c0593521ed34d9990e8, but a SHA-256 image digest must be 64 hex characters and this value is only 40. GitHub Actions will fail when trying to start the job container, so the Semgrep scan and SARIF upload steps never run.
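Both review comments above flag the same defect: a 40-hex Git commit SHA pasted where a 64-hex `sha256:` image digest belongs. The following is an added example (not code from this PR, from the project, or from Codex) of the pre-merge check a reviewer would want for this: it pulls image references out of Dockerfile `FROM` lines and GitHub Actions `image:` lines and classifies each pin. The sample text is constructed for the example; it reproduces the two references from the diff and adds a tag-only reference and a correctly shaped pin whose digest is a made-up placeholder, not a real image digest.

```python
import re
from typing import Iterator, List, Tuple

# Where this PR pins images: Dockerfile FROM lines (optionally with --platform
# and an "AS stage" suffix) and GitHub Actions "image:" keys under container:/services:.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE)
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^\s'\"]+)")

# An OCI content digest is "<algorithm>:<hex>"; for sha256 the hex part is exactly 64 chars.
SHA256_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
# A bare 40-hex string has the shape of a Git commit SHA, which is never an image digest.
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def extract_image_refs(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (line_number, image_reference) for every FROM / image: line.

    Note: a FROM that names an earlier build stage (FROM builder) is reported as
    an unpinned reference; callers can filter those out by stage name.
    """
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line) or IMAGE_RE.match(line)
        if m and m.group(1).lower() != "scratch":
            yield lineno, m.group(1)


def classify_pin(ref: str) -> str:
    """Classify one image reference as 'ok', 'unpinned', 'git-sha' or 'invalid-digest'."""
    if "@" not in ref:
        return "unpinned"        # tag-only or bare name: mutable, not reproducible
    _, digest = ref.rsplit("@", 1)   # rsplit so a registry with a port (host:5000/img) is safe
    if SHA256_DIGEST_RE.match(digest):
        return "ok"
    hex_part = digest.split(":", 1)[1] if ":" in digest else digest
    if GIT_SHA_RE.match(hex_part):
        return "git-sha"         # 40 hex chars after @ or @sha256: is a commit SHA, not a digest
    return "invalid-digest"


def audit(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, status) for every reference that is not correctly pinned."""
    findings = []
    for lineno, ref in extract_image_refs(text):
        status = classify_pin(ref)
        if status != "ok":
            findings.append((lineno, ref, status))
    return findings


# Constructed sample: lines 1 and 4 are the two pins from this PR's diff; line 2 is a
# tag-only reference; line 5 uses a placeholder digest of the right shape (not a real digest).
SAMPLE = """\
FROM gcr.io/oss-fuzz-base/base-builder-rust@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 2024-11-14
FROM python:3.12-slim AS base
    container:
      image: returntocorp/semgrep@sha256:8e8c483db84b4bee98b60c0593521ed34d9990e8 # v1.100.0
      image: ghcr.io/example/tool@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for lineno, ref, status in audit(SAMPLE):
        print(f"line {lineno}: {status}: {ref}")
```

Run against the two files in this PR it reports `git-sha` for both pins, which is exactly the condition Docker and the Actions runner reject. To obtain the value that belongs after `@sha256:`, query the registry for the tag you mean (`docker buildx imagetools inspect <image>:<tag>` or `crane digest <image>:<tag>`) rather than copying any other identifier.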
This PR addresses several security and maintenance alerts: