chore: update pre-commit.yml #42
kics_sec_scan.yml
on: pull_request
Run security KICS scaner
41s
Annotations
11 warnings
Run security KICS scaner

Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v3. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

[LOW] Unpinned Actions Full Length Commit SHA:
.github/workflows/documentation.yml#L17
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

[LOW] Unpinned Actions Full Length Commit SHA:
.github/workflows/release.yml#L28
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

[LOW] Unpinned Actions Full Length Commit SHA:
.github/workflows/pr-validate.yml#L15
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

[LOW] Unpinned Actions Full Length Commit SHA:
.github/workflows/kics_sec_scan.yml#L18
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

[LOW] Databricks Group Without User Or Instance Profile:
iam.tf#L8
Databricks Group should have at least one user or one instance profile associated

[LOW] Check use no LTS Spark Version:
cluster.tf#L18
Spark Version is not a Long-term Support

[HIGH] Unrestricted Databricks ACL:
main.tf#L8
ACL allow ingress from 0.0.0.0/0 and/or ::/0

[HIGH] Passwords And Secrets - Generic Secret:
secrets.tf#L12
Query to find passwords and secrets in infrastructure code.

[HIGH] Passwords And Secrets - Generic Secret:
mount.tf#L17
Query to find passwords and secrets in infrastructure code.

[HIGH] Passwords And Secrets - Generic Secret:
secrets.tf#L13
Query to find passwords and secrets in infrastructure code.