fix: kics scan digest pin

bsgrigorov · bsgrigorov · commit 92de9a412203 · 2026-04-22T22:49:19.000-07:00
diff --git a/.github/workflows/kics.yml b/.github/workflows/kics.yml
@@ -13,7 +13,7 @@ permissions:
 
 on:
   push:
-    branches: [main]
+    branches: [ main ]
     paths:
       - "**/*.yaml"
       - "**/*.yml"
@@ -22,7 +22,7 @@ on:
       - "**/Dockerfile"
       - ".github/workflows/kics.yml"
   pull_request:
-    branches: [main]
+    branches: [ main ]
     paths:
       - "**/*.yaml"
       - "**/*.yml"
@@ -44,24 +44,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Create results dir
         run: mkdir -p results-dir
 
-      - name: Run KICS scan
-        uses: Checkmarx/kics-github-action@05aa5eb70eede1355220f4ca5238d96b397e30a6 # v2.1.20
+      - name: Run KICS
+        uses: synkube/actions/.github/actions/kics-github-action@main
         with:
-          path: "."
-          output_path: "results-dir"
-          output_formats: "json,sarif"
-          ignore_on_exit: "results"
-          enable_jobs_summary: "true"
+          path: .
+          token: ${{ secrets.GITHUB_TOKEN }}
+          output_path: results-dir/
+          output_formats: json,sarif
+          ignore_on_exit: results
           enable_annotations: "true"
+          enable_comments: "false"
+          enable_jobs_summary: "true"
 
       - name: Upload KICS SARIF
         if: env.ADVANCED_SECURITY == 'true'
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
         continue-on-error: true
         with:
           sarif_file: "results-dir/results.sarif"
@@ -70,7 +72,7 @@ jobs:
 
       - name: Upload KICS results as artifacts
         if: env.ADVANCED_SECURITY == 'true'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: kics-results
           path: results-dir/
diff --git a/.github/workflows/test-and-release.yml b/.github/workflows/test-and-release.yml
@@ -28,7 +28,7 @@ jobs:
       charts: ${{ steps.matrix.outputs.charts }}
       has-changes: ${{ steps.matrix.outputs.has-changes }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
@@ -122,10 +122,19 @@ jobs:
         chart: ${{ fromJSON(needs.detect-changes.outputs.charts) }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-      - uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4
+      - name: Install yq
+        env:
+          YQ_VERSION: v4.53.2
+          YQ_SHA256: d56bf5c6819e8e696340c312bd70f849dc1678a7cda9c2ad63eebd906371d56b
+        run: |
+          set -euo pipefail
+          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o /tmp/yq
+          echo "${YQ_SHA256}  /tmp/yq" | sha256sum -c -
+          sudo install -m 0755 /tmp/yq /usr/local/bin/yq
+          yq --version
       - uses: azure/setup-kubectl@776406bce94f63e41d621b960d78ee25c8b76ede # v4.0.1
 
       - name: Update Helm repositories
@@ -169,7 +178,7 @@ jobs:
           helm package . --version ${{ env.CHART_VERSION }}
 
       - name: Upload chart artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: chart-${{ matrix.chart }}-${{ env.CHART_VERSION }}
           path: charts/${{ matrix.chart }}/${{ matrix.chart }}-${{ env.CHART_VERSION }}.tgz
@@ -188,10 +197,19 @@ jobs:
       charts-published: ${{ steps.collect.outputs.charts }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-      - uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4
+      - name: Install yq
+        env:
+          YQ_VERSION: v4.53.2
+          YQ_SHA256: d56bf5c6819e8e696340c312bd70f849dc1678a7cda9c2ad63eebd906371d56b
+        run: |
+          set -euo pipefail
+          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o /tmp/yq
+          echo "${YQ_SHA256}  /tmp/yq" | sha256sum -c -
+          sudo install -m 0755 /tmp/yq /usr/local/bin/yq
+          yq --version
 
       - name: Get chart version
         id: vars
@@ -202,7 +220,7 @@ jobs:
           echo "REPOSITORY=${repository@L}" >> $GITHUB_ENV
 
       - name: Download chart artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: chart-${{ matrix.chart }}-${{ env.CHART_VERSION }}
           path: charts/${{ matrix.chart }}/
@@ -243,12 +261,21 @@ jobs:
       contents: write # Required for chart-releaser to push to gh-pages branch
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
-      - uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4
+      - name: Install yq
+        env:
+          YQ_VERSION: v4.53.2
+          YQ_SHA256: d56bf5c6819e8e696340c312bd70f849dc1678a7cda9c2ad63eebd906371d56b
+        run: |
+          set -euo pipefail
+          curl -fsSL "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64" -o /tmp/yq
+          echo "${YQ_SHA256}  /tmp/yq" | sha256sum -c -
+          sudo install -m 0755 /tmp/yq /usr/local/bin/yq
+          yq --version
 
       - name: Get repository info
         run: |
diff --git a/charts/app-starter/values.yaml b/charts/app-starter/values.yaml
@@ -37,8 +37,7 @@ statefulSet:
 image:
   repository: nginx
   tag: latest
-  # Optional digest (e.g. sha256:...) appended as repository:tag@digest in pod templates.
-  digest: ""
+  digest: sha256:6e23479198b998e5e25921dff8455837c7636a67111a04a635cf1bb363d199dc
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []
