Fix docker SHA false positive#18785
adityasharad merged 9 commits into github:main from martincostello:gh-18782
Conversation
Fix false positives for pinned Docker container images.
Copilot reviewed 1 out of 3 changed files in this pull request and generated no comments.
Files not reviewed (2)
- actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql: Language not supported
- actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected: Language not supported
Add change note.
Apply code review suggestion. Co-Authored-By: Taus <1104778+tausbn@users.noreply.github.com>
Makes for a neater diff.
adityasharad left a comment
This looks good - thank you for the contribution! Minor suggestions, and then I'll kick off an internal CI run.
actions/ql/src/change-notes/2025-02-14-docker-false-positives.md
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
Ah the check failure is from autoformatting. (If you are doing neither and just editing these directly in the UI, then we can make that change too.)
Fix lint warning.
I can't see what test(s) are failing, but the test I amended is passing for me locally.
Looks like a test for a different query, but that was sharing test data and so is picking up the new test code changes introduced in this PR. Apologies -- for Actions it looks like we don't have a clean separation of our test cases between queries. All other checks look good. Try applying this to @@ -299,7 +299,9 @@
| .github/workflows/test.yml:14:9:25:6 | Run Step | .github/workflows/test.yml:25:9:33:6 | Run Step |
| .github/workflows/test.yml:25:9:33:6 | Run Step | .github/workflows/test.yml:33:9:37:34 | Run Step |
| .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:11:61 | Uses Step |
+| .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step |
+| .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step |
+| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:13:101 | Uses Step |
| .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
| .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
| .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | |
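Review bot: the rows added here only reflect new Uses Steps appended to unpinned_tags.yml (the old last row ending at 11:7:11:61 now ends at 11:7:12:4 because it gained a successor, followed by steps at 12:7:13:4 and 13:7:13:101), so this .expected file for a different query changes purely because it consumes the same fixture; consider a one-line note in the PR description saying so, or giving UnpinnedActionsTag its own workflow fixture so future edits to that test data stop rippling into unrelated expected files.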
Thanks for your help @adityasharad - looks like it's all passing now.
adityasharad left a comment
Looks good. Thanks again for taking the time to learn the CodeQL tools and help us improve this new analysis.
Resolves #18782.
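An added example, not code from this PR or from the CodeQL query it changes, showing the distinction the fix is about: a `uses:` reference to a Docker image pinned by a sha256 digest is immutable and should not be reported alongside mutable tags. The regexes, the `classify`/`unpinned_uses` helpers and the sample workflow are assumptions constructed for illustration.

```python
import re
from typing import List, Tuple

# Assumed patterns; not the query's own logic.
# owner/repo[/path]@<40-hex git SHA>: a commit-pinned action.
_ACTION_SHA = re.compile(r"^[\w.-]+/[\w.-]+(?:/[\w./-]+)?@[0-9a-f]{40}$")
# docker://[registry[:port]/]image[:tag]@sha256:<64-hex>: a digest-pinned image.
_DOCKER_DIGEST = re.compile(r"^docker://[\w./:-]+@sha256:[0-9a-f]{64}$")
_USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")


def classify(uses: str) -> str:
    """Return 'local', 'pinned' or 'unpinned' for one `uses:` value."""
    uses = uses.strip()
    if uses.startswith("./"):
        return "local"  # path inside the repository; nothing to pin
    if uses.startswith("docker://"):
        # A mutable tag (or no tag) is unpinned; a sha256 digest is immutable.
        return "pinned" if _DOCKER_DIGEST.match(uses) else "unpinned"
    return "pinned" if _ACTION_SHA.match(uses) else "unpinned"


def unpinned_uses(workflow_yaml: str) -> List[Tuple[int, str]]:
    """(line number, value) for every `uses:` in the workflow that is not pinned."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = _USES_LINE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed workflow fragment (not the PR's test data); the SHA and digest are made up.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.19
      - uses: docker://ghcr.io/example/tool@sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, value in unpinned_uses(SAMPLE):
        print(f"line {lineno}: unpinned reference {value}")
```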