Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions .github/workflows/infrascan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: InfraScan Audit

on:
push:
pull_request:

jobs:
infrascan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
Comment on lines +11 to +12

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Set persist-credentials: false to prevent credential leakage.

The checkout action persists credentials by default, which could be exposed through uploaded artifacts. Since this workflow uploads artifacts, explicitly disable credential persistence.

🔒 Proposed fix to disable credential persistence
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false

As per static analysis hint: "credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false"

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/infrascan.yml around lines 11 - 12, The GitHub Actions
checkout step using actions/checkout@v4 is leaving credentials persisted; update
that step by adding the option persist-credentials: false to the checkout action
(i.e., modify the Checkout code block for uses: actions/checkout@v4 to include
persist-credentials: false) so credentials are not kept and cannot be leaked via
uploaded artifacts.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Pin actions to full commit SHAs for supply chain security.

All three actions use tag references which are mutable and can be rewritten by attackers. Pin to full commit SHAs to protect against supply chain attacks.

🔐 Example fix for SHA pinning
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

Apply similar pinning for soldevelo/infrascan@v1.0.6 and actions/upload-artifact@v4. Use full commit SHAs with version comments for maintainability.

As per static analysis hint: "unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)"

Also applies to: 20-20, 27-27

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 11-12: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/infrascan.yml at line 12, Replace mutable action tags with
immutable commit SHAs for each GitHub Action usage (e.g., the checkout action
reference "actions/checkout@v4", the infrascan action
"soldevelo/infrascan@v1.0.6", and the upload artifact action
"actions/upload-artifact@v4"); find the uses: lines and change them to their
corresponding full commit SHA pins while leaving a trailing comment with the
human-friendly version (e.g., "// actions/checkout@v4") for maintainability so
the workflow uses pinned SHAs and retains version context.


- name: Create Reports Directory
run: |
mkdir -p infrascan-reports
chmod 777 infrascan-reports

- name: Run InfraScan
uses: soldevelo/infrascan@v1.0.6
with:
scanner: comprehensive
format: html
out: infrascan-reports/report.html

- name: Upload InfraScan Report
uses: actions/upload-artifact@v4
if: always() # Upload report even if the scan step fails
with:
name: infrascan-report
path: infrascan-reports/report.html
retention-days: 14