PCP-6891 : updated go version & packages to fix vulnerabilities (#355)

Merged: anish8808 merged 1 commit into spectro-release-4.9 from PCP-6891-A-9 on Jun 12, 2026

Conversation

@anish8808


PCP-6891 : updated go version & packages to fix vulnerabilities

@anish8808 anish8808 requested a review from vishu2498 June 11, 2026 14:49
@anish8808 anish8808 self-assigned this Jun 11, 2026

@bulwark-spectrocloud (bot) left a comment


⚠️ Zizmor found Critical or High severity GitHub Actions workflow security issues:

Summary

Severity   Count
High       9
Total      9

Details

Grouped by audit rule and file. Line/column refer to the workflow or action YAML on the scanned branch.

dangerous-triggers — High

use of fundamentally insecure workflow trigger

File: .github/workflows/backport.yaml

Fix guidance: https://docs.zizmor.sh/audits/#dangerous-triggers

Locations:

  • Line 2–4 (cols 0–32) — pull_request_target is almost always used insecurely

unpinned-uses — High

unpinned action reference

File: .github/workflows/backport.yaml

Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses

Locations:

  • Line 19 (cols 14–53) — expression sorenlouv/backport-github-action@v9.5.1 — action is not pinned to a hash (required by blanket policy)

template-injection — High

code injection via template expansion

File: .github/workflows/spectro-release.yaml

Fix guidance: https://docs.zizmor.sh/audits/#template-injection

Locations:

  • Line 32–35 (cols 8–16) — this step
  • Line 34 (cols 44–79) — expression github.event.inputs.release_version — may expand into attacker-controllable code
  • Line 33 (cols 8–11) — this run block

unpinned-uses — High (6 similar finding(s))

unpinned action reference

File: .github/workflows/spectro-release.yaml

Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses

Locations:

  • Line 27 (cols 14–46) — expression mukunku/tag-exists-action@v1.2.0 — action is not pinned to a hash (required by blanket policy)
  • Line 44 (cols 14–33) — expression actions/checkout@v3 — action is not pinned to a hash (required by blanket policy)
  • Line 47 (cols 14–43) — expression docker/setup-buildx-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 50 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 57 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 89 (cols 14–43) — expression rickstaa/action-create-tag@v1 — action is not pinned to a hash (required by blanket policy)

Please review these findings before merging.

@anish8808 anish8808 merged commit 86641c6 into spectro-release-4.9 Jun 12, 2026
4 of 5 checks passed
@anish8808 anish8808 deleted the PCP-6891-A-9 branch June 12, 2026 06:52
2 participants