chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 #95
Conversation
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
dependabot
bot
requested review from
anoop2811,
bsekar and
sundarok
as code owners
Kusari Analysis Results:Caution Flagged Issues Detected While dependency analysis found no concerning changes or exposed secrets, code analysis identified a critical supply chain security vulnerability. The GitHub Action 'ossf/[email protected]' in .github/workflows/scorecard.yml is not pinned to a commit hash, violating security policy and creating a potential attack vector where the semantic version tag could be moved to point to malicious code. This high-severity issue must be resolved by pinning the action to a specific commit hash before the PR can be safely merged. Note View full detailed analysis result for more information on the output and the checks that were run. Required Code MitigationsThe action reference must be pinned to a specific commit hash instead of using the semantic version tag to comply with security policy and prevent supply chain attacks.
Found this helpful? Give it a 👍 or 👎 reaction! |
![kusari-inspector[bot]](https://avatars.githubusercontent.com/in/1220830?s=60&v=4){kind=small}
|
|
||
| - name: "Run analysis" | ||
| uses: ossf/[email protected].2 | ||
| uses: ossf/[email protected].3 |
There was a problem hiding this comment.
Issue: The action reference must be pinned to a specific commit hash instead of using the semantic version tag to comply with security policy and prevent supply chain attacks.
Recommended Code Changes:
uses: ossf/[email protected]
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
dependabot
bot
force-pushed
the
dependabot/github_actions/ossf/scorecard-action-2.4.3
branch
from
e67858a to
402224b
Compare
|
Kusari PR Analysis rerun based on - 402224b performed at: 2025-10-06T18:18:36Z - link to updated analysis |
dependabot
bot
force-pushed
the
dependabot/github_actions/ossf/scorecard-action-2.4.3
branch
from
402224b to
aaee5ef
Compare
|
Kusari PR Analysis rerun based on - aaee5ef performed at: 2025-10-21T17:06:15Z - link to updated analysis |
dependabot
bot
force-pushed
the
dependabot/github_actions/ossf/scorecard-action-2.4.3
branch
from
aaee5ef to
234d923
Compare
|
Kusari PR Analysis rerun based on - 234d923 performed at: 2025-10-22T22:15:13Z - link to updated analysis |
dependabot
bot
force-pushed
the
dependabot/github_actions/ossf/scorecard-action-2.4.3
branch
from
234d923 to
0a88022
Compare
|
Kusari PR Analysis rerun based on - 0a88022 performed at: 2025-10-28T19:26:24Z - link to updated analysis |
dependabot
bot
force-pushed
the
dependabot/github_actions/ossf/scorecard-action-2.4.3
branch
from
0a88022 to
96b094b
Compare
|
Kusari PR Analysis rerun based on - 96b094b performed at: 2025-11-03T23:19:33Z - link to updated analysis |
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.2 to 2.4.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@v2.4.2...v2.4.3) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
force-pushed
the
dependabot/github_actions/ossf/scorecard-action-2.4.3
branch
from
96b094b to
268572f
Compare
|
Kusari PR Analysis rerun based on - 268572f performed at: 2025-11-04T23:47:36Z - link to updated analysis |
Bumps ossf/scorecard-action from 2.4.2 to 2.4.3.
Release notes
Sourced from ossf/scorecard-action's releases.
Commits
4eaacf0bump docker to ghcr v2.4.3 (#1587)42e3a01🌱 Bump the github-actions group with 3 updates (#1585)88c07ac🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)6c690f2Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)92083b5📖 Fix recommended command to test the image in development (#1583)7975ea6🌱 Bump the docker-images group across 1 directory with 2 updates (#1...0d1a743🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)46e6e0c🌱 Bump the github-actions group with 2 updates (#1580)c3f1350🌱 Improve printing options (#1584)43e475b🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Summary by cubic
Update the Scorecard GitHub Action to v2.4.3 in our workflow to pick up Scorecard v5.3.0 and minor fixes. Keeps security checks up to date with no breaking changes expected.
Written for commit 268572f. Summary will update automatically on new commits.