
PCP-6891 : updated go version & packages to fix vulnerabilities #22

Merged
anish8808 merged 1 commit into spectro-release-4.9 from PCP-6891-A on Jun 12, 2026

Conversation

@anish8808


PCP-6891 : updated go version & packages to fix vulnerabilities

@anish8808 anish8808 requested a review from vishu2498 June 11, 2026 12:00
@anish8808 anish8808 self-assigned this Jun 11, 2026

@bulwark-spectrocloud bulwark-spectrocloud Bot left a comment


⚠️ Zizmor found Critical or High severity GitHub Actions workflow security issues:

Summary

Severity   Count
High       11
Total      11

Details

Grouped by audit rule and file. Line/column refer to the workflow or action YAML on the scanned branch.

unpinned-uses — High (3 similar finding(s))

unpinned action reference

File: .github/workflows/go-coverage.yml

Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses

Locations:

  • Line 13 (cols 14–33) — expression actions/checkout@v4 — action is not pinned to a hash (required by blanket policy)
  • Line 14 (cols 14–33) — expression actions/setup-go@v5 — action is not pinned to a hash (required by blanket policy)
  • Line 20 (cols 14–43) — expression codecov/codecov-action@v5.4.0 — action is not pinned to a hash (required by blanket policy)

cache-poisoning — High

runtime artifacts potentially vulnerable to a cache poisoning attack

File: .github/workflows/go-coverage.yml

Fix guidance: https://docs.zizmor.sh/audits/#cache-poisoning

Locations:

  • Line 1–7 (cols 0–15) — generally used when publishing artifacts generated at runtime
  • Line 14 (cols 8–33) — enables caching by default
  • Line 14–16 (cols 8–26) — this step

template-injection — High

code injection via template expansion

File: .github/workflows/spectro-release.yaml

Fix guidance: https://docs.zizmor.sh/audits/#template-injection

Locations:

  • Line 28–31 (cols 8–16) — this step
  • Line 30 (cols 44–79) — expression github.event.inputs.release_version — may expand into attacker-controllable code
  • Line 29 (cols 8–11) — this run block

unpinned-uses — High (6 similar finding(s))

unpinned action reference

File: .github/workflows/spectro-release.yaml

Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses

Locations:

  • Line 24 (cols 14–46) — expression mukunku/tag-exists-action@v1.2.0 — action is not pinned to a hash (required by blanket policy)
  • Line 36 (cols 14–33) — expression actions/checkout@v3 — action is not pinned to a hash (required by blanket policy)
  • Line 38 (cols 14–43) — expression docker/setup-buildx-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 40 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 46 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 71 (cols 14–39) — expression actions/create-release@v1 — action is not pinned to a hash (required by blanket policy)

Please review these findings before merging.

@anish8808 anish8808 merged commit 59789d6 into spectro-release-4.9 Jun 12, 2026
4 of 6 checks passed

2 participants