
Security: pin GitHub Actions to SHA hashes #77

Open

jorgebraz wants to merge 1 commit into master from security/pin-actions-to-sha

Conversation

@jorgebraz

Pins all GitHub Actions from mutable tags/branches to immutable SHA hashes.

This prevents supply chain attacks like the TeamPCP/Trivy incident (March 2026), where attackers force-pushed tags to point at malicious commits.

Auto-generated by the Codacy security audit script.

Replaces mutable tag/branch references with immutable SHA hashes
to prevent supply chain attacks (ref: TeamPCP/Trivy March 2026).

Actions left as tags: 0
@codacy-production

Up to standards ✅

🟢 Issues 0 issues

Alerts:


Results:
0 new issues


@codacy-production (bot) left a comment


Pull Request Overview

While this PR correctly identifies the need for SHA pinning to harden the CI/CD pipeline, several critical issues prevent merging. First, the 'if' conditions in the GitHub Action workflows reference non-existent environment variables, which will prevent the Jira integration logic from executing. Second, the interpolation of issue titles directly into YAML strings creates a risk of parsing failures or injection if titles contain special characters.

Furthermore, the actions are being pinned to version 2.0.0, which utilizes the deprecated Node 12 runtime. It is recommended to upgrade to modern versions (e.g., v7 for actions/github-script) while performing this hardening. Finally, please ensure that all commit SHAs are manually verified against the official action repositories, as the automated check for the required SHAs failed.

About this PR

  • The PR lacks automated validation (e.g., yamllint) to ensure the manual SHA edits haven't introduced syntax errors. Additionally, as these SHAs were likely generated by a script, they must be manually cross-referenced against the official action repositories to ensure they correspond to the intended versions.

Test suggestions

  • Verify 'actions/github-script' is pinned to SHA '6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45' in all workflow steps
  • Verify 'atlassian/gajira-login' is pinned to SHA '90a599561baaf8c05b080645ed73db7391c246ed' in all workflow steps
  • Verify 'atlassian/gajira-create' is pinned to SHA 'c0a9c69ac9d6aa063fed57201e55336ada860183' in all workflow steps
  • Verify 'atlassian/gajira-comment' is pinned to SHA '8ec356b5df49f1325653db7ee2da2b59a1d78203' in the comment_issue workflow

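The test suggestions above amount to an automated pin check. The following JavaScript is an added example, not the Codacy audit script and not code from this PR: it parses `uses:` lines from workflow YAML, flags any reference that is not a full 40-character commit SHA, and compares pinned SHAs against the four expected values listed in the review. The sample workflow fragment is constructed.

```javascript
const USES_RE = /^\s*-?\s*uses:\s*['"]?([^\s'"@#]+)@([^\s'"#]+)['"]?(?:\s*#\s*(\S+))?/;
const SHA_RE = /^[0-9a-f]{40}$/; // full commit SHA only; short SHAs are rejected

// Extract every `uses: owner/repo@ref # comment` line from workflow YAML text.
function parseUses(workflowText) {
  const refs = [];
  workflowText.split('\n').forEach((line, idx) => {
    const m = line.match(USES_RE);
    if (m) refs.push({ line: idx + 1, action: m[1], ref: m[2], versionComment: m[3] || null });
  });
  return refs;
}

// Return findings; an empty list means every action is pinned to a full SHA and,
// where `expected` names the action, to the expected SHA.
function checkPins(workflowText, expected = {}) {
  const findings = [];
  for (const r of parseUses(workflowText)) {
    if (r.action.startsWith('docker://')) continue; // image refs use digests, not git SHAs
    if (!SHA_RE.test(r.ref)) {
      findings.push(`line ${r.line}: ${r.action}@${r.ref} is a mutable tag/branch`);
      continue;
    }
    if (!r.versionComment) findings.push(`line ${r.line}: ${r.action} has no '# vX.Y.Z' comment beside its SHA`);
    if (expected[r.action] && expected[r.action] !== r.ref) {
      findings.push(`line ${r.line}: ${r.action} pinned to ${r.ref}, expected ${expected[r.action]}`);
    }
  }
  return findings;
}

// Expected pins, copied from the review's test suggestions.
const EXPECTED_PINS = {
  'actions/github-script': '6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45',
  'atlassian/gajira-login': '90a599561baaf8c05b080645ed73db7391c246ed',
  'atlassian/gajira-create': 'c0a9c69ac9d6aa063fed57201e55336ada860183',
  'atlassian/gajira-comment': '8ec356b5df49f1325653db7ee2da2b59a1d78203',
};

// Constructed sample workflow fragment: one step pinned correctly, one still on a tag.
const SAMPLE_WORKFLOW = [
  '  - uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0',
  '  - uses: actions/github-script@v2.0.0',
].join('\n');

console.log(checkPins(SAMPLE_WORKFLOW, EXPECTED_PINS));
```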

if: env.JIRA_CREATE_ISSUE_AUTO == 'true'
id: create_jira_issue
uses: atlassian/gajira-create@v2.0.1
uses: atlassian/gajira-create@c0a9c69ac9d6aa063fed57201e55336ada860183 # v2.0.1
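Review bot: keep the `# v2.0.1` comment after the SHA on the new `uses:` line accurate whenever the pin changes; it is the only human-readable record of which release the 40-character SHA is meant to be, and Dependabot and Renovate read it when proposing updated pins. Before merging, confirm that c0a9c69ac9d6aa063fed57201e55336ada860183 is the commit the v2.0.1 tag of atlassian/gajira-create resolves to, since the description says the SHAs were produced by a script.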


🔴 HIGH RISK

The 'summary' input is vulnerable to YAML syntax errors if the issue title contains double quotes. Pass the issue title safely by using a YAML block scalar (>) or by passing it via an environment variable accessed through 'process.env' within the script.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: login
uses: atlassian/gajira-login@v2.0.0
uses: atlassian/gajira-login@90a599561baaf8c05b080645ed73db7391c246ed # v2.0.0


🔴 HIGH RISK

The 'if' condition incorrectly references 'env.GITHUB_ISSUE_TYPE' and 'env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL'. These variables are not defined in the job's global environment and therefore aren't available to the conditional evaluator. Update the 'if' conditions for the 'Jira Login', 'Extract Jira number', and 'Jira Add comment on issue' steps to use 'steps.github_issue_type.outputs.result' and 'steps.github_issue_has_jira_issue_label.outputs.result' instead.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true' && env.GITHUB_ISSUE_TYPE == 'issue' && env.GITHUB_ISSUE_HAS_JIRA_ISSUE_LABEL == 'true'
id: extract_jira_number
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0


🟡 MEDIUM RISK

The script does not handle cases where the Jira issue key is not found in the title, which will lead to a 'TypeError: Cannot read property '1' of null'. Modify the 'Extract Jira number' script to safely check if the regex match exists before attempting to access the captured group.

if: env.JIRA_CREATE_COMMENT_AUTO == 'true'
id: github_issue_type
uses: actions/github-script@v2.0.0
uses: actions/github-script@6e5ee1dc1cb3740e5e5e76ad668e3f526edbfe45 # v2.0.0


🟡 MEDIUM RISK

Suggestion: While pinning actions to a SHA hash is a security best practice, you are pinning to legacy versions (v2.0.0) that use the deprecated Node 12 runtime. Additionally, using direct interpolation like ${{ toJson(...) }} inside the script property is risky. It is recommended to upgrade to a modern version (like v7) and pass dynamic data through environment variables instead.
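The two script-level fixes asked for in the review comments above (guard the regex match in 'Extract Jira number', and read dynamic data from environment variables rather than `${{ }}` interpolation) look like this in an added JavaScript example; it is not code from the PR. It assumes the step sets `env: ISSUE_TITLE: ${{ github.event.issue.title }}` and that Jira keys have the shape `PROJ-123`; both are assumptions, and `core` is the object actions/github-script provides to the script.

```javascript
// Assumed key shape (e.g. PROJ-123); adjust to the project's real Jira keys.
const JIRA_KEY_RE = /\b([A-Z][A-Z0-9]+-\d+)\b/;

// Returns the first Jira key found in the title, or null when there is none,
// instead of throwing "Cannot read property '1' of null" on a missing match.
function extractJiraKey(title) {
  if (typeof title !== 'string') return null;
  const m = title.match(JIRA_KEY_RE);
  return m ? m[1] : null;
}

// Body of the github-script step: the title arrives through process.env
// (assumed wiring: env.ISSUE_TITLE set from github.event.issue.title), so
// quotes or template syntax in the title cannot alter the script source.
// Returns the key for steps.<id>.outputs.result, or null with a warning.
function extractJiraKeyFromEnv(env, core) {
  const key = extractJiraKey(env.ISSUE_TITLE);
  if (key === null) core.warning('no Jira issue key found in the issue title');
  return key;
}
```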
