KICS Static Analysis Report
This report provides an automated security analysis for the project's Infrastructure as Code (IaC).
Scan Summary
- Files Scanned --- 4
- Lines Scanned --- 788
- Scan Duration --- 12.0s
Vulnerability Overview
Action Required: 1 Issue Found
The scan identified one security misconfiguration. Please review the breakdown by severity:
- Critical/High --- 0
- Medium --- 0
- Low --- 1
- Info --- 0
Detailed Findings
LOW: Unpinned Actions Full Length Commit Sha
Description:
Pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release. A tag or branch reference such as `@v4` or `@main` is mutable: the action's maintainer, or anyone who compromises the maintainer's account, can move it to different code without any change in the consuming workflow. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. Abbreviated SHAs do not qualify: they are not unique and GitHub does not treat them as immutable pins. When selecting a SHA, you should verify it is from the action's repository and not a repository fork, since forks share the upstream commit namespace and a fork commit can be referenced through the upstream `owner/repo` path.
Evidence:
| File | Line | Category |
| :--- | :--- | :--- |
| .github/workflows/build.yml | 330 | Supply-Chain |
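The following is an added example, not part of the KICS report or the project's build.yml: a small line-oriented scanner that applies the same rule as this finding to a constructed sample workflow and reports every `uses:` reference that is not an immutable pin. The 40-character and 64-character hex values in the sample are placeholders, not real commits or digests, and the `actions/*` steps are illustrative. The example goes slightly beyond the query by also checking `docker://` image references for a digest.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (placeholder SHAs/digests, not real commits).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v3 (placeholder SHA)
        with:
          node-version: 20
      - uses: actions/cache@0123456  # abbreviated SHA, not a full-length pin
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:<DIGEST>
      - name: Lint
        run: npm run lint
""".replace("<DIGEST>", "ab" * 32)  # placeholder 64-hex digest

# `uses:` value, optionally quoted, up to whitespace or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
ABBREV_SHA_RE = re.compile(r"^[0-9a-fA-F]{7,39}$")
DIGEST_RE = re.compile(r"^sha256:[0-9a-fA-F]{64}$")


def classify_ref(uses: str) -> Tuple[str, str]:
    """Classify one `uses:` value as 'pinned', 'unpinned' or 'skipped'."""
    if uses.startswith("./"):
        # Local actions are versioned together with the calling repository.
        return "skipped", "local action, versioned with the repository"
    if uses.startswith("docker://"):
        image = uses[len("docker://"):]
        _, sep, digest = image.partition("@")
        if sep and DIGEST_RE.match(digest):
            return "pinned", "container image pinned by digest"
        return "unpinned", "container image referenced by tag, not by digest"
    _, sep, ref = uses.partition("@")
    if not sep:
        return "unpinned", "no @ref given"
    if FULL_SHA_RE.match(ref):
        return "pinned", "full-length commit SHA"
    if ABBREV_SHA_RE.match(ref):
        return "unpinned", f"abbreviated SHA ({len(ref)} chars) is not an immutable pin"
    return "unpinned", f"mutable ref '{ref}' (a tag or branch can be moved)"


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line, uses value, reason) for every non-immutable reference.

    This is a line scanner, not a YAML parser: a `uses:` line inside a
    multi-line `run: |` block would be examined as well.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        status, reason = classify_ref(m.group(1))
        if status == "unpinned":
            findings.append((lineno, m.group(1), reason))
    return findings


if __name__ == "__main__":
    # Prints an evidence table in the same spirit as the report above.
    print("| Line | Uses | Reason |")
    print("| :--- | :--- | :--- |")
    for lineno, uses, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"| {lineno} | {uses} | {reason} |")
```

Run against the sample it flags the `@v4` tag, the 7-character abbreviation and the `alpine:3.19` tag, and accepts the full-length SHA, the digest-pinned image and the local action. Replacing a flagged tag with a SHA still requires the manual step from the description: confirm on the action's own repository that the commit exists there before committing the pin.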