Skip to content

Commit 08a4125

Browse files
committed
fix: address security vulnerabilities in CodeQL workflow
- Add workflow-level permissions to fix unspecified permissions issue - Pin GitHub Actions to specific SHA versions for security: - actions/checkout@v4.2.2 (SHA: 11bd71901bbe5b1630ceea73d27597364c9af683) - github/codeql-action@v3.29.2 (SHA: 181d5eefc20863364f96762470ba6f862bdef56b) Fixes the 3 high-severity code vulnerabilities identified by static analysis.
1 parent 71f8996 commit 08a4125

1 file changed

Lines changed: 9 additions & 3 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,12 @@
1111
#
1212
name: "CodeQL Advanced"
1313

14+
permissions:
15+
contents: read
16+
security-events: write
17+
actions: read
18+
packages: read
19+
1420
on:
1521
push:
1622
branches: [ "main" ]
@@ -63,7 +69,7 @@ jobs:
6369
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
6470
steps:
6571
- name: Checkout repository
66-
uses: actions/checkout@v4
72+
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
6773

6874
# Add any setup steps before running the `github/codeql-action/init` action.
6975
# This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -73,7 +79,7 @@ jobs:
7379

7480
# Initializes the CodeQL tools for scanning.
7581
- name: Initialize CodeQL
76-
uses: github/codeql-action/init@v3
82+
uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
7783
with:
7884
languages: ${{ matrix.language }}
7985
build-mode: ${{ matrix.build-mode }}
@@ -101,6 +107,6 @@ jobs:
101107
exit 1
102108
103109
- name: Perform CodeQL Analysis
104-
uses: github/codeql-action/analyze@v3
110+
uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
105111
with:
106112
category: "/language:${{matrix.language}}"

0 commit comments

Comments
 (0)