From 825c6393c95728864f1ab57c59e9184be6cefe1f Mon Sep 17 00:00:00 2001 From: "Brian R. Jackson" Date: Tue, 14 Jul 2026 17:51:27 -0400 Subject: [PATCH] fix(security-container-scan): pin anchore/sbom-action by SHA for GHE allowlist Replace floating @v0 tag with the enterprise-allowlisted commit (e22c389, v0.24.0). Tag refs fail NVIDIA GHE workflow validation even when the resolved SHA is allowlisted, which breaks downstream repos such as infra-controller that consume this composite action. --- .github/actions/security-container-scan/README.md | 2 +- .github/actions/security-container-scan/action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/security-container-scan/README.md b/.github/actions/security-container-scan/README.md index 8dda4d4..7a78eac 100644 --- a/.github/actions/security-container-scan/README.md +++ b/.github/actions/security-container-scan/README.md @@ -4,7 +4,7 @@ A composite GitHub Action that generates an SBOM (via Syft) and scans a locally- ## Features -- ✅ SBOM generation with `anchore/sbom-action` (Syft, SPDX-JSON by default) +- ✅ SBOM generation with `anchore/sbom-action` (Syft, SPDX-JSON by default; SHA-pinned for GHE allowlist) - ✅ Vulnerability scan with Anchore Grype (JSON + SARIF outputs) - ✅ Top-N CVE summary written to `$GITHUB_STEP_SUMMARY` - ✅ Reports uploaded as a workflow artifact diff --git a/.github/actions/security-container-scan/action.yml b/.github/actions/security-container-scan/action.yml index 2e2fd2c..c1d68ba 100644 --- a/.github/actions/security-container-scan/action.yml +++ b/.github/actions/security-container-scan/action.yml @@ -117,7 +117,7 @@ runs: id: sbom if: ${{ inputs.generate-sbom == 'true' && steps.precheck.outputs.image_exists == 'true' }} continue-on-error: true - uses: anchore/sbom-action@v0 + uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 with: image: ${{ inputs.image }} format: ${{ inputs.sbom-format }}