16 changes: 8 additions & 8 deletions .github/workflows/build_executable.yml
@@ -35,10 +35,10 @@
run:
shell: bash

steps:
- name: Run Cimon
if: matrix.os == 'ubuntu-22.04'
uses: cycodelabs/cimon-action@v0
uses: cycodelabs/cimon-action@1c3e30d508634b3f4a60b02843126c9f93944d80 # v0.9.4
with:
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}
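Review bot: the SHA pin is right, but `if: matrix.os == 'ubuntu-22.04'` still limits Cimon to the Linux leg of the matrix, so the macOS and Windows builds in this job run with no egress monitoring at all; if that is deliberate (Cimon's runtime monitoring needs a Linux runner), say so in a comment beside the `if`, and treat the SHA pins in the rest of this file as the only supply-chain control on those legs. The `# v0.9.4` comment after the SHA is what a reader audits the hash against, so keep it in step when the SHA moves (Dependabot and Renovate update both together). tests_full.yml carries the same `if: matrix.os == 'ubuntu-latest'` pattern and the same gap.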
@@ -50,7 +50,7 @@
uploads.github.com

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0

@@ -61,21 +61,21 @@
git checkout $LATEST_TAG
echo "LATEST_TAG=$LATEST_TAG" >> $GITHUB_ENV

- name: Set up Python 3.13
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.13'

- name: Load cached Poetry setup
id: cached-poetry
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.local
key: poetry-${{ matrix.os }}-2 # increment to reset cache

- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
version: 2.2.1
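Review bot: `snok/install-poetry` is the third-party module Cycode keeps flagging in this hunk, and pinning it to a commit only removes the mutable-tag risk; the uncertified-module finding stays open. Since the step already fixes `version: 2.2.1`, consider whether a plain `run: pipx install poetry==2.2.1` step would do the same job and let you drop the dependency entirely (the cache keyed on `~/.local` would still work). If the action stays, the `cache-hit != 'true'` guard means it is skipped on most runs, so the pinned SHA is exercised rarely; bump the `poetry-${{ matrix.os }}-2` cache key when changing the Poetry version so the cached install cannot mask a broken pin.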

@@ -265,14 +265,14 @@
run: echo "ARTIFACT_NAME=$(./process_executable_file.py dist/cycode-cli)" >> $GITHUB_ENV

- name: Upload files as artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: ${{ env.ARTIFACT_NAME }}
path: dist

- name: Verify macOS artifact end-to-end
if: runner.os == 'macOS' && matrix.mode == 'onedir'
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ env.ARTIFACT_NAME }}
path: /tmp/artifact-verify
@@ -313,7 +313,7 @@

- name: Upload files to release
if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }}
uses: svenstaro/upload-release-action@v2
uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
file: dist/*
tag: ${{ env.LATEST_TAG }}
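Review bot: the trailing comment on `uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2` records only the floating major alias, while every other pin in this PR names the exact release (`# v4.6.2`, `# v8.0.1`). Record the specific tag the SHA resolves to so a reviewer can check hash against release and so an updater can tell which version is deployed; `v2` is the moving target the pin was meant to get away from. This step is the one that writes `dist/*` into the published release, so it deserves the same precision as the PyPI publish step.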
21 changes: 12 additions & 9 deletions .github/workflows/docker-image.yml
@@ -6,13 +6,16 @@
push:
tags: [ 'v*.*.*' ]

permissions:
contents: read

jobs:
docker:
runs-on: ubuntu-latest

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
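Review bot: the new workflow-level `permissions: contents: read` is the right least-privilege default for this job, since the Docker Hub push below authenticates with repository secrets rather than `GITHUB_TOKEN` and nothing here writes back to the repository. Any other workflow in the repository that still relies on the repository-default token permissions should get the same block, otherwise a compromised step in those jobs keeps a broader token than this one.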

@@ -28,20 +31,20 @@
git checkout ${{ steps.latest_tag.outputs.LATEST_TAG }}

- name: Set up Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.9'

- name: Load cached Poetry setup
id: cached_poetry
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.local
key: poetry-ubuntu-1 # increment to reset cache

- name: Setup Poetry
if: steps.cached_poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
version: 2.2.1

@@ -58,22 +61,22 @@
echo "CLI_VERSION=$(poetry version --short)" >> $GITHUB_OUTPUT

- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

- name: Login to Docker Hub
if: ${{ github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') }}
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKERHUB_USER }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}

- name: Build and push
id: docker_build
if: ${{ github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') }}
uses: docker/build-push-action@v7
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
platforms: linux/amd64,linux/arm64
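Review bot: the `docker/login-action` step reads `secrets.DOCKERHUB_PASSWORD`; if that secret really holds the account password, swap it for a Docker Hub access token scoped to read/write on this repository and rename the secret to match, so that a leak from a compromised pinned action in this job cannot take over the whole Docker Hub account. The `if:` on the login step and on `Build and push` are identical, which is fine, but the login step could also be folded under the same condition as a single guarded block to avoid the two drifting apart later.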
@@ -83,7 +86,7 @@
- name: Verify build
id: docker_verify_build
if: ${{ github.event_name != 'workflow_dispatch' && !startsWith(github.ref, 'refs/tags/v') }}
uses: docker/build-push-action@v7
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
with:
context: .
platforms: linux/amd64,linux/arm64
12 changes: 6 additions & 6 deletions .github/workflows/pre_release.yml
@@ -15,7 +15,7 @@

steps:
- name: Run Cimon
uses: cycodelabs/cimon-action@v0
uses: cycodelabs/cimon-action@1c3e30d508634b3f4a60b02843126c9f93944d80 # v0.9.4
with:
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}
@@ -28,25 +28,25 @@
*.sigstore.dev

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.9'

- name: Load cached Poetry setup
id: cached-poetry
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.local
key: poetry-ubuntu-1 # increment to reset cache

- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
version: 2.2.1
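Review bot: `uses: actions/checkout@v3` becoming `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` is a major-version upgrade hidden inside a pinning change, not just a pin; the PR description should call it out and the workflow should be run once before merge, since v4 moved to a newer Node runtime. The same v3 to v4.3.1 jump appears in release.yml and ruff.yml in this PR. The other pins in this hunk (setup-python, cache, install-poetry) stay on the same major version, so they are pure pins.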

@@ -74,4 +74,4 @@
run: poetry build

- name: Publish a Python distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@106e0b0b7c337fa67ed433972f777c6357f78598 # v1.13.0
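Review bot: this is the most important pin in the file, because `pypa/gh-action-pypi-publish` is the step that holds the PyPI publishing credential or OIDC token; `release/v1` is a branch in that repository, so the old reference moved with every release and anything merged there ran with publish rights here. Before merging, confirm that `106e0b0b7c337fa67ed433972f777c6357f78598` is the commit tagged `v1.13.0` in the upstream repository rather than trusting the comment, and note that the `*.sigstore.dev` entry in Cimon's `allowed-hosts` above is what lets this version produce signed attestations, so keep that entry when the pin is bumped. The identical change in release.yml needs the same verification.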
12 changes: 6 additions & 6 deletions .github/workflows/release.yml
@@ -14,7 +14,7 @@

steps:
- name: Run Cimon
uses: cycodelabs/cimon-action@v0
uses: cycodelabs/cimon-action@1c3e30d508634b3f4a60b02843126c9f93944d80 # v0.9.4
with:
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}
@@ -27,25 +27,25 @@
*.sigstore.dev

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.9'

- name: Load cached Poetry setup
id: cached-poetry
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.local
key: poetry-ubuntu-1 # increment to reset cache

- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
version: 2.2.1

@@ -73,4 +73,4 @@
run: poetry build

- name: Publish a Python distribution to PyPI
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@106e0b0b7c337fa67ed433972f777c6357f78598 # v1.13.0
13 changes: 8 additions & 5 deletions .github/workflows/ruff.yml
@@ -2,12 +2,15 @@

on: [ pull_request, push ]

permissions:
contents: read

jobs:
ruff:
runs-on: ubuntu-latest
steps:
- name: Run Cimon
uses: cycodelabs/cimon-action@v0
uses: cycodelabs/cimon-action@1c3e30d508634b3f4a60b02843126c9f93944d80 # v0.9.4
with:
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}
@@ -18,24 +21,24 @@
pypi.org

- name: Checkout repository
uses: actions/checkout@v3
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Setup Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.9

- name: Load cached Poetry setup
id: cached-poetry
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.local
key: poetry-ubuntu-1 # increment to reset cache

- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
version: 2.2.1

- name: Add Poetry to PATH
10 changes: 5 additions & 5 deletions .github/workflows/tests.yml
@@ -11,7 +11,7 @@

steps:
- name: Run Cimon
uses: cycodelabs/cimon-action@v0
uses: cycodelabs/cimon-action@1c3e30d508634b3f4a60b02843126c9f93944d80 # v0.9.4
with:
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}
@@ -23,23 +23,23 @@
*.ingest.us.sentry.io

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

- name: Set up Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: '3.9'

- name: Load cached Poetry setup
id: cached-poetry
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.local
key: poetry-ubuntu-1 # increment to reset cache

- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
version: 2.2.1

10 changes: 5 additions & 5 deletions .github/workflows/tests_full.yml
@@ -24,7 +24,7 @@
steps:
- name: Run Cimon
if: matrix.os == 'ubuntu-latest'
uses: cycodelabs/cimon-action@v0
uses: cycodelabs/cimon-action@1c3e30d508634b3f4a60b02843126c9f93944d80 # v0.9.4
with:
client-id: ${{ secrets.CIMON_CLIENT_ID }}
secret: ${{ secrets.CIMON_SECRET }}
@@ -32,29 +32,29 @@
allowed-hosts: >
files.pythonhosted.org
install.python-poetry.org
pypi.org
*.ingest.us.sentry.io

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0

- name: Set up Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}

- name: Load cached Poetry setup
id: cached-poetry
uses: actions/cache@v5
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.local
key: poetry-${{ matrix.os }}-${{ matrix.python-version }}-3 # increment to reset cache

- name: Setup Poetry
if: steps.cached-poetry.outputs.cache-hit != 'true'
uses: snok/install-poetry@v1
uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium

Description

Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.

Cycode Remediation Guideline

Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.

Tell us how you wish to proceed using one of the following commands:

Tag | Short Description
#cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository
#cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

with:
version: 2.2.1

2 changes: 1 addition & 1 deletion poetry.lock
