PCP-6891 : updated go version & packages to fix vulnerabilities#355

Merged: anish8808 merged 1 commit into spectro-release-4.9 from PCP-6891-A-9 on Jun 12, 2026
Commit f953b1e: PCP-6891 : updated go version & packages to fix vulnerabilities

Bulwark-SpectroCloud / security-scans/zizmor failed Jun 11, 2026 in 33s

Zizmor scan completed

⚠️ Zizmor found Critical or High severity GitHub Actions workflow security issues:

Summary

Severity Count
High 9
Total 9

Details

Grouped by audit rule and file. Line/column refer to the workflow or action YAML on the scanned branch.

dangerous-triggers — High

use of fundamentally insecure workflow trigger

File: .github/workflows/backport.yaml

Fix guidance: https://docs.zizmor.sh/audits/#dangerous-triggers

Locations:

  • Line 2–4 (cols 0–32) — pull_request_target is almost always used insecurely

unpinned-uses — High

unpinned action reference

File: .github/workflows/backport.yaml

Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses

Locations:

  • Line 19 (cols 14–53) — expression sorenlouv/backport-github-action@v9.5.1 — action is not pinned to a hash (required by blanket policy)

template-injection — High

code injection via template expansion

File: .github/workflows/spectro-release.yaml

Fix guidance: https://docs.zizmor.sh/audits/#template-injection

Locations:

  • Line 32–35 (cols 8–16) — this step
  • Line 34 (cols 44–79) — expression github.event.inputs.release_version — may expand into attacker-controllable code
  • Line 33 (cols 8–11) — this run block

unpinned-uses — High (6 similar finding(s))

unpinned action reference

File: .github/workflows/spectro-release.yaml

Fix guidance: https://docs.zizmor.sh/audits/#unpinned-uses

Locations:

  • Line 27 (cols 14–46) — expression mukunku/tag-exists-action@v1.2.0 — action is not pinned to a hash (required by blanket policy)
  • Line 44 (cols 14–33) — expression actions/checkout@v3 — action is not pinned to a hash (required by blanket policy)
  • Line 47 (cols 14–43) — expression docker/setup-buildx-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 50 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 57 (cols 14–36) — expression docker/login-action@v1 — action is not pinned to a hash (required by blanket policy)
  • Line 89 (cols 14–43) — expression rickstaa/action-create-tag@v1 — action is not pinned to a hash (required by blanket policy)

Please review these findings before merging.