Changes made for openssf fix (#98)

intel · Oct 1, 2024 · 5e2f899 · 5e2f899
1 parent 8ca6df8
commit 5e2f899
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 6 deletions.
diff --git a/.github/workflows/onmergerelease.yml b/.github/workflows/onmergerelease.yml
@@ -8,6 +8,8 @@ on:
     tags:
       - '**'
 
+permissions: read-all
+
 jobs:
   build-test-scan:
     runs-on: [ ubuntu-20.04 ]
@@ -18,15 +20,15 @@ jobs:
       PYTHONPATH: ${{ github.workspace }}:$PYTHONPATH
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
-          
+
       - name: Setup Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: '3.8.10'
-
+          
       - name: Install Poetry
         run: pip install poetry==1.7.1
 

diff --git a/.github/workflows/onpullrequest.yml b/.github/workflows/onpullrequest.yml
@@ -3,6 +3,9 @@ name: OnPullRequest
 on:
   pull_request:
 
+
+permissions: read-all
+
 jobs:
 
   security-file-check:

diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
@@ -1,12 +1,17 @@
 name: "Security Scans"
 on:
   workflow_dispatch:
+
+permissions: read-all
 
 jobs:
     bandit-scan:
         runs-on: [ self-hosted, taas ]
         steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+              with:
+                fetch-depth: 0
+
             - name: Bandit Scan
               uses: intel-innersource/frameworks.devops.github.actions.bandit@main
               with:
@@ -17,7 +22,7 @@ jobs:
     Checkmarx:
         runs-on: [ self-hosted, taas ]
         steps:
-            - uses: actions/checkout@v3
+            - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
             - name: Scan
               uses: intel-innersource/frameworks.devops.github.actions.checkmarx@main
               with:
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,9 @@ name: OnPullRequest @@
     on:
       pull_request:
+    permissions: read-all
     jobs:
       security-file-check:
@@ Expand Down @@