From ecab7dd62d563e9cbd8e6b446bbe36959d2d6f0b Mon Sep 17 00:00:00 2001
From: Gregor Riepl <140490531+srgoni@users.noreply.github.com>
Date: Fri, 16 Aug 2024 18:10:21 +0200
Subject: [PATCH] Plug credential leak in actions/checkout
---
.github/workflows/scan.yml | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 9273c93..4f07629 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -29,8 +29,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: go/
- name: run gosec
uses: securego/gosec@master
@@ -48,22 +49,24 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: go/
- name: run govulncheck
uses: golang/govulncheck-action@v1
with:
- go-version-input: 1.19.0
- go-package: ./...
+ go-version-input: 1.19.0
+ go-package: ./...
# this action doesn't produce a SARIF report yet, so there's nothing to upload.
# See: https://github.com/golang/go/issues/61347
tfsec:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: terraform/
- name: run tfsec
uses: aquasecurity/tfsec-action@v1.0.0
@@ -81,8 +84,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: python/
- uses: actions/setup-python@v4
with:
@@ -110,8 +114,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: terraform/
- name: run chekov
uses: bridgecrewio/checkov-action@v12
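Review bot: `persist-credentials: false` keeps the job token out of `.git/config`, but the next step in this hunk still runs `securego/gosec@master`, a floating branch ref, so whatever that branch points to on a given run executes against the workspace unreviewed; pin it to a full-length commit SHA with the release in a trailing comment, e.g. `uses: securego/gosec@<40-hex commit sha> # vX.Y.Z`, and treat the other `uses:` tags in this workflow the same way. The token is still minted for the job — this change only stops it being persisted to disk — so if there is no top-level `permissions:` block (not visible in this hunk), `permissions: contents: read`, with `security-events: write` granted only to the jobs that upload SARIF, would bound what a compromised step could do with `${{ github.token }}`. The gosec job continues past the end of the hunk.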
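Review bot: The removal and re-addition of `go-version-input: 1.19.0` and `go-package: ./...` under `golang/govulncheck-action@v1` carries identical text on both sides, so it can only be a whitespace change, and it is unrelated to the credential leak in the title; either split it into its own commit or mention it in the description so the next reader does not hunt for a semantic difference. Separately, `go-version-input: 1.19.0` pins govulncheck to a Go toolchain that, as far as I recall, left its support window in 2023, so stdlib advisories already fixed in later releases will keep being reported against this build; `go-version-file: go/go.mod` (an input the action passes through to setup-go, if I remember correctly) would keep the scanner on the module's own toolchain. The tfsec job in the second half of this hunk continues past its last line.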
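Review bot: `actions/setup-python@v4` is the major that, like the `actions/checkout@v3` this hunk retires, still runs on the Node 16 action runtime GitHub has been deprecating, so the python job will keep emitting the runtime warnings the checkout bump presumably removes; `actions/setup-python@v5` is the Node 20 line, as far as I recall. Its `with:` inputs and the steps that follow are outside the hunk, so I cannot see whether anything depends on v4-specific behaviour. As with checkout, prefer a full-length commit SHA over the tag.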
@@ -129,8 +134,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: bicep/
- name: run chekov
uses: bridgecrewio/checkov-action@v12
@@ -150,8 +156,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: go/
- name: codeql init
uses: github/codeql-action/init@v2
@@ -172,8 +179,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: python/
- name: codeql init
uses: github/codeql-action/init@v2
@@ -194,8 +202,9 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout repo
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
+ persist-credentials: false
sparse-checkout: python/
- uses: pypa/gh-action-pip-audit@v1.0.0
with:
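Review bot: `github/codeql-action/init@v2` stays on the v2 major while the checkout beside it moves to v4; as far as I recall, codeql-action v3 has been the supported line since late 2023 and v2 has an announced end of support, after which `init` and `analyze` at `@v2` fail outright and the job goes red with no code change of yours. Moving `init` and the matching `analyze` step (which presumably follows and sits outside this hunk) to `@v3`, pinned to a full commit SHA, is a one-line change per step. The rest of the codeql job is past the end of the hunk.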
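Review bot: `pypa/gh-action-pip-audit@v1.0.0` pins an exact release tag, which reads as safer than `@v1` but is still a mutable git ref the upstream project can move; the supply-chain concern behind this commit applies equally here, so reference the tag's commit SHA and keep `# v1.0.0` as a trailing comment. Because the checkout is `sparse-checkout: python/`, only that directory (plus top-level files, in cone mode, as far as I recall) is materialised, so the requirements or project path handed to the action must live under `python/`. The action's `with:` inputs are cut off at the end of this hunk.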