Skip to content

[Aikido] AI Fix for 3rd party Github Actions should be pinned#14

Open
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-sast--6000488-8dhr
Open

[Aikido] AI Fix for 3rd party Github Actions should be pinned#14
aikido-autofix[bot] wants to merge 1 commit into
masterfrom
fix/aikido-security-sast--6000488-8dhr

Conversation

@aikido-autofix

Copy link
Copy Markdown

This patch mitigates potential supply chain attacks in two GitHub Actions workflows by pinning the version of third-party actions to their commit SHA. However, a patch could not be created for the bridgecrewio/yor-action@main and bridgecrewio/checkov-action@master images due to failure in fetching their respective commit SHAs.

Aikido used AI to generate this PR.

High confidence: Aikido has a robust set of benchmarks for similar fixes, and they are proven to be effective.

@aikido-autofix aikido-autofix Bot added bug Something isn't working documentation Improvements or additions to documentation labels Jul 30, 2025
@trag-bot

trag-bot Bot commented Jul 30, 2025

Copy link
Copy Markdown

Pull request summary

  • Updated the version of the semgrep-action in the GitHub Actions workflow from v1 to a specific commit hash 713efdd345f3035192eaa63f56867b88e63e4e5d.
  • Ensured that the workflow uses a fixed version of the action to avoid potential issues with future updates to the v1 tag.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants