
Commit 28319ca

committed
Merge remote-tracking branch 'origin/main' into allow_dependabot_vulns
2 parents e1876d7 + 383f3f9 commit 28319ca

9 files changed

Lines changed: 97 additions & 79 deletions

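--- a/.gitallowed
+++ b/.gitallowed
@@ -7,3 +7,4 @@ self\.token = token
 token = os\.environ\.get\(\"GH_TOKEN\"\)
 poetry\.lock
 \-Dsonar\.token=\"\$SONAR_TOKEN\"
+token: "\${{ steps\.generate-token\.outputs\.token }}"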
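Review bot: The added allow-list pattern is unanchored, and git-secrets exempts the whole line once an allowed pattern matches on it, so a literal token that ends up on the same line as the expression would pass the hook unseen; anchoring the pattern to the end of the line, `token: "\${{ steps\.generate-token\.outputs\.token }}"$`, keeps the exemption as narrow as the expression it is meant to cover. Exempting the expression itself is reasonable, since it only resolves to a token at workflow run time. The line-based matching behaviour is inferred from how git-secrets applies `.gitallowed`; confirm against the version the project uses before relying on the anchor.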

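--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -14,28 +14,28 @@ updates:
 prefix: "Upgrade: [dependabot] - "
 
 ###################################
-# NPM workspace ##################
+# Poetry #########################
 ###################################
-- package-ecosystem: "npm"
+- package-ecosystem: "pip"
 directory: "/"
 schedule:
 interval: "weekly"
 day: "thursday"
-time: "18:00" # UTC
+time: "20:00" # UTC
 open-pull-requests-limit: 20
 versioning-strategy: increase
 commit-message:
 prefix: "Upgrade: [dependabot] - "
 
 ###################################
-# Poetry #########################
+# NPM workspace ##################
 ###################################
-- package-ecosystem: "pip"
+- package-ecosystem: "npm"
 directory: "/"
 schedule:
 interval: "weekly"
 day: "thursday"
-time: "18:00" # UTC
+time: "22:00" # UTC
 open-pull-requests-limit: 20
 versioning-strategy: increase
 commit-message: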

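--- a/.github/workflows/quality-checks-devcontainer.yml
+++ b/.github/workflows/quality-checks-devcontainer.yml
@@ -410,7 +410,7 @@ jobs:
 make cfn-guard-cdk
 
 - name: Download terraform plans
-uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
 with:
 pattern: "*_terraform_plan"
 path: terraform_plans/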

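--- a/.github/workflows/quality-checks.yml
+++ b/.github/workflows/quality-checks.yml
@@ -204,7 +204,7 @@ jobs:
 cd src
 go mod vendor
 - name: Check licenses
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 scan-type: "fs"
 scan-ref: "."
@@ -247,7 +247,7 @@ jobs:
 - name: Run unit tests
 run: make test
 - name: Generate SBOM
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 scan-type: "fs"
 scan-ref: "."
@@ -265,7 +265,7 @@ jobs:
 - name: Check python vulnerabilities
 if: ${{ always() && steps.check_languages.outputs.uses_poetry == 'true'}}
 continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 scan-type: "fs"
 skip-files: "**/package-lock.json,**/go.mod,**/pom.xml"
@@ -279,7 +279,7 @@ jobs:
 - name: Check node vulnerabilities
 if: ${{ always() && steps.check_languages.outputs.uses_node == 'true' }}
 continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 scan-type: "fs"
 skip-files: "**/poetry.lock,**/go.mod,**/pom.xml"
@@ -293,7 +293,7 @@ jobs:
 - name: Check go vulnerabilities
 if: ${{ always() && steps.check_languages.outputs.uses_go == 'true' }}
 continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 scan-type: "fs"
 skip-files: "**/poetry.lock,**/package-lock.json,**/pom.xml"
@@ -306,7 +306,7 @@ jobs:
 - name: Check java vulnerabilities
 if: ${{ always() && steps.check_languages.outputs.uses_java == 'true' }}
 continue-on-error: ${{ github.actor == 'dependabot[bot]' }}
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 scan-type: "fs"
 skip-files: "**/poetry.lock,**/package-lock.json,**/go.mod"
@@ -490,7 +490,7 @@ jobs:
 make docker-build
 
 - name: Check docker vulnerabilities
-uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
 with:
 scan-type: "image"
 image-ref: ${{ matrix.docker_image }}
@@ -664,7 +664,7 @@ jobs:
 done
 
 - name: Download terraform plans
-uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
 with:
 pattern: "*_terraform_plan"
 path: terraform_plans/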

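--- a/.github/workflows/tag-release-devcontainer.yml
+++ b/.github/workflows/tag-release-devcontainer.yml
@@ -122,7 +122,7 @@ jobs:
 
 - name: Download extra artifact
 if: ${{ inputs.extra_artifact_name != '' }}
-uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
 with:
 artifact-ids: ${{ inputs.extra_artifact_id }}
 github-token: ${{ secrets.GITHUB_TOKEN }}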

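--- a/.github/workflows/tag-release.yml
+++ b/.github/workflows/tag-release.yml
@@ -190,7 +190,7 @@ jobs:
 next_version_tag: ${{ steps.output_version_tag.outputs.NEXT_VERSION_TAG }}
 steps:
 - name: Fetch asdf artifact
-uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
 with:
 name: asdf_artifact
 - name: Install asdf
@@ -234,7 +234,7 @@ jobs:
 BRANCH_NAME: ${{ inputs.branch_name }}
 
 - name: Fetch semantic-release config
-uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
 with:
 name: config_artifact
 
@@ -264,7 +264,7 @@ jobs:
 
 - name: Download extra artifact
 if: ${{ inputs.extra_artifact_name != '' }}
-uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
+uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
 with:
 artifact-ids: ${{ inputs.extra_artifact_id }}
 github-token: ${{ secrets.GITHUB_TOKEN }}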

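--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -22,3 +22,6 @@ vulnerabilities:
 - id: CVE-2026-29786
 statement: tar vulnerability accepted as risk - dependency of npm (multiple)
 expired_at: 2026-06-01
+- id: CVE-2026-31802
+statement: tar vulnerability accepted as risk - dependency of npm (multiple)
+expired_at: 2026-06-01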
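Review bot: The new CVE-2026-31802 entry carries no package or path scoping, so it silences that CVE wherever Trivy finds it, not only in the transitive tar pulled in by npm that the statement describes; Trivy's ignore file accepts a `purls` (or `paths`) list per entry, so `purls: ["pkg:npm/tar"]` under the id would keep the exemption tied to the dependency whose risk was actually accepted (verify the field against the pinned trivy-action version). The statement is a verbatim copy of the previous entry's, and neither records where the acceptance was decided; a reference such as `statement: "tar vulnerability accepted as risk - dependency of npm (multiple); see <ticket>"` gives the next reviewer something to check when `expired_at` is reached. Both entries now expire on the same 2026-06-01, which is fine if they were assessed together, but that is inferred rather than visible here.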
