Security Audit & Fixes for GitHub Actions Workflows

[JocaSantos-dev]

Security Audit Summary

Findings: 46

Automatic Fixes Applied

File	Fixes
.github/workflows/branch.yml	3
.github/workflows/release.yaml	3
.github/workflows/sandbox-deploy.yml	1
.github/workflows/workflow-scanner.yml	1
.github/workflows/vulnerable-workflow.yml	3
.github/workflows/build-and-deploy.yml	4
.github/workflows/main.yml	1

---

Validation: ❌ NEEDS REVIEW

Manual review needed - some issues remain:

📄 .github/workflows/main.yml (click to expand)

• Issue: code injection via template expansion
• Severity: High
• Location: Line 21
• Details: this step
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 31
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

📄 .github/workflows/release.yaml (click to expand)

• Issue: unpinned action reference
• Severity: High
• Location: Line 27
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

📄 .github/workflows/sandbox-deploy.yml (click to expand)

• Issue: code injection via template expansion
• Severity: Informational
• Location: Line 60
• Details: this step
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: code injection via template expansion
• Severity: Informational
• Location: Line 91
• Details: this step
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 36
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 42
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 45
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

📄 .github/workflows/workflow-scanner.yml (click to expand)

• Issue: unpinned action reference
• Severity: High
• Location: Line 22
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 27
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

📄 .github/workflows/branch.yml (click to expand)

• Issue: unpinned action reference
• Severity: High
• Location: Line 27
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 32
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 64
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 72
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 81
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 117
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 125
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 134
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

📄 .github/workflows/build-and-deploy.yml (click to expand)

• Issue: code injection via template expansion
• Severity: Informational
• Location: Line 95
• Details: this step
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: code injection via template expansion
• Severity: Informational
• Location: Line 117
• Details: this step
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 28
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 34
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 50
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 81
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

• Issue: unpinned action reference
• Severity: High
• Location: Line 87
• Details: action is not pinned to a hash (required by blanket policy)
• Manual Fix Needed: Review the TODO comments added in the code changes for suggested fixes.

---

---

External Dependencies Scan

Summary: 140 findings across 4 actions

Action/Repo	Files	Findings
actions/checkout	59	35
actions/setup-go	69	42
anothrNick/github-tag-action	80	38
dagger/dagger-for-github	47	25

📋 Detailed Findings (click to expand)

📦 actions/checkout

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/check-dist.yml

---

• Issue: overly broad permissions
• File: .github/workflows/check-dist.yml
• File: .github/workflows/check-dist.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/codeql-analysis.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/licensed.yml

---

• Issue: overly broad permissions
• File: .github/workflows/licensed.yml
• File: .github/workflows/licensed.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/publish-immutable-actions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: runtime artifacts potentially vulnerable to a cache poisoning attack
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: obfuscated usage of GitHub Actions features
• File: .github/workflows/test.yml

---

• Issue: unpinned image references
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/update-main-version.yml

---

• Issue: overly broad permissions
• File: .github/workflows/update-main-version.yml
• File: .github/workflows/update-main-version.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/update-main-version.yml
• File: .github/workflows/update-main-version.yml
• File: .github/workflows/update-main-version.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/update-main-version.yml
• File: .github/workflows/update-main-version.yml
• File: .github/workflows/update-main-version.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/update-main-version.yml
• File: .github/workflows/update-main-version.yml
• File: .github/workflows/update-main-version.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/update-test-ubuntu-git.yml

---

• Issue: unpinned action reference
• File: .github/workflows/update-test-ubuntu-git.yml

---

• Issue: unpinned action reference
• File: .github/workflows/update-test-ubuntu-git.yml

---

📦 actions/setup-go

• Issue: overly broad permissions
• File: .github/workflows/basic-validation.yml
• File: .github/workflows/basic-validation.yml

---

• Issue: overly broad permissions
• File: .github/workflows/check-dist.yml
• File: .github/workflows/check-dist.yml

---

• Issue: overly broad permissions
• File: .github/workflows/codeql-analysis.yml
• File: .github/workflows/codeql-analysis.yml

---

• Issue: overly broad permissions
• File: .github/workflows/licensed.yml
• File: .github/workflows/licensed.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/publish-immutable-actions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/update-config-files.yml
• File: .github/workflows/update-config-files.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: overly broad permissions
• File: .github/workflows/versions.yml
• File: .github/workflows/versions.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/windows-validation.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/windows-validation.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/windows-validation.yml

---

• Issue: overly broad permissions
• File: .github/workflows/windows-validation.yml

---

• Issue: overly broad permissions
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml

---

• Issue: overly broad permissions
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml

---

• Issue: overly broad permissions
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml

---

• Issue: overly broad permissions
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml
• File: .github/workflows/windows-validation.yml

---

📦 anothrNick/github-tag-action

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/lint.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/lint.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/lint.yml

---

• Issue: overly broad permissions
• File: .github/workflows/lint.yml

---

• Issue: overly broad permissions
• File: .github/workflows/lint.yml

---

• Issue: unpinned action reference
• File: .github/workflows/lint.yml

---

• Issue: unpinned action reference
• File: .github/workflows/lint.yml

---

• Issue: unpinned action reference
• File: .github/workflows/lint.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/main.yml

---

• Issue: use of fundamentally insecure workflow trigger
• File: .github/workflows/main.yml

---

• Issue: unpinned action reference
• File: .github/workflows/main.yml

---

• Issue: unpinned action reference
• File: .github/workflows/main.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: unpinned action reference
• File: .github/workflows/test.yml

---

📦 dagger/dagger-for-github

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/publish-immutable-action.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: credential persistence through GitHub Actions artifacts
• File: .github/workflows/test.yml

---

• Issue: overly broad permissions
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml
• File: .github/workflows/test.yml

---

• Issue: code injection via template expansion
• File: .github/workflows/test.yml

---

---

Automated security audit by AI analysis