ci: add super-linter (soft launch) #18

Open
LukeEvansTech wants to merge 7 commits into main from chore/add-super-linter

Conversation

@LukeEvansTech
Owner

Adds soft-launched super-linter via the shared reusable workflow at LukeEvansTech/shared-workflows@v1. Lint findings appear in the workflow step summary and as a PR comment; failures do not block merges. See https://github.com/LukeEvansTech/shared-workflows/blob/main/docs/spec.md.

@github-actions
Contributor

github-actions Bot commented May 3, 2026

Super-linter summary

| Language | Validation result |
|----------|-------------------|
| BIOME_FORMAT | Fail ❌ |
| BIOME_LINT | Pass ✅ |
| CHECKOV | Fail ❌ |
| EDITORCONFIG | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Fail ❌ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Fail ❌ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Fail ❌ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_FORMAT
Checked 1 file in 8ms. No fixes applied.
Found 1 error.
.markdownlint.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"default":·true,
     3    │ - ··"MD013":·{
     4    │ - ····"line_length":·150,
     5    │ - ····"code_blocks":·false,
     6    │ - ····"tables":·false
     7    │ - ··},
     8    │ - ··"MD024":·{
     9    │ - ····"siblings_only":·true
    10    │ - ··},
    11    │ - ··"MD033":·{
    12    │ - ····"allowed_elements":·["br",·"img",·"a",·"details",·"summary",·"sup",·"sub"]
    13    │ - ··},
    14    │ - ··"MD041":·false,
    15    │ - ··"MD046":·{
    16    │ - ····"style":·"fenced"
    17    │ - ··}
        2 │ + → "default":·true,
        3 │ + → "MD013":·{
        4 │ + → → "line_length":·150,
        5 │ + → → "code_blocks":·false,
        6 │ + → → "tables":·false
        7 │ + → },
        8 │ + → "MD024":·{
        9 │ + → → "siblings_only":·true
       10 │ + → },
       11 │ + → "MD033":·{
       12 │ + → → "allowed_elements":·["br",·"img",·"a",·"details",·"summary",·"sup",·"sub"]
       13 │ + → },
       14 │ + → "MD041":·false,
       15 │ + → "MD046":·{
       16 │ + → → "style":·"fenced"
       17 │ + → }
    18 18 │   }
    19 19 │


format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some errors were emitted while running checks.

CHECKOV
dockerfile scan results:

Passed checks: 469, Failed checks: 4, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/supermicro-ipmi-cert/Dockerfile.
	File: /apps/supermicro-ipmi-cert/Dockerfile:1-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/onyx-deployer/Dockerfile.
	File: /apps/onyx-deployer/Dockerfile:1-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/apc-deployer/Dockerfile.
	File: /apps/apc-deployer/Dockerfile:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/brother-deployer/Dockerfile.
	File: /apps/brother-deployer/Dockerfile:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM alpine:3.22 AS builder
		2  |
		3  | ARG KUBECTL_VERSION=v1.32.0
		4  | ARG BROTHER_CERT_VERSION=v0.3.0
		5  | ARG TARGETARCH=amd64
		6  |
		7  | WORKDIR /downloads
		8  |
		9  | # Download kubectl
		10 | RUN wget -q -O kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
		11 |     chmod +x kubectl
		12 |
		13 | # Download brother-cert
		14 | RUN wget -q "https://github.com/gregtwallace/brother-cert/releases/download/${BROTHER_CERT_VERSION}/brother-cert-${BROTHER_CERT_VERSION}_linux_${TARGETARCH}.tar.gz" && \
		15 |     tar -xzf brother-cert-*.tar.gz && \
		16 |     chmod +x brother-cert
		17 |
		18 | # Final runtime image
		19 | FROM alpine:3.22
		20 |
		21 | LABEL org.opencontainers.image.source="https://github.com/LukeEvansTech/containers"
		22 | LABEL org.opencontainers.image.description="Brother Printer Certificate Deployment Tool for Cert Warden"
		23 | LABEL org.opencontainers.image.licenses="GPL-2.0"
		24 |
		25 | # Install runtime dependencies
		26 | RUN apk add --no-cache \
		27 |     ca-certificates \
		28 |     && rm -rf /var/cache/apk/*
		29 |
		30 | # Copy binaries from builder
		31 | COPY --from=builder /downloads/kubectl /usr/local/bin/kubectl
		32 | COPY --from=builder /downloads/brother-cert /usr/local/bin/brother-cert
		33 |
		34 | # Create app directory and set permissions for nobody user (65534:65534)
		35 | RUN mkdir -p /app && \
		36 |     chown -R nobody:nobody /app
		37 |
		38 | # Switch to non-root nobody user
		39 | USER nobody
		40 |
		41 | WORKDIR /app
		42 |
		43 | # Verify installations
		44 | RUN kubectl version --client && \
		45 |     brother-cert --version || echo "brother-cert installed"
		46 |
		47 | # Default command
		48 | CMD ["/bin/sh"]
github_actions scan results:

Passed checks: 8, Failed checks: 0, Skipped checks: 0
GITHUB_ACTIONS_ZIZMOR
error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/lint.yml:16:11
   |
16 |     uses: LukeEvansTech/shared-workflows/.github/workflows/super-linter.yml@v1
   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

4 findings (3 suppressed, 1 fixable): 0 informational, 0 low, 0 medium, 1 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/lint.yml
JSCPD
Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [261:9 - 266:7] (5 lines, 73 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [212:5 - 219:4]

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [309:5 - 318:4] (9 lines, 79 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [236:5 - 245:5]

Clone found (markdown):
 - /github/workspace/apps/onyx-deployer/README.md [17:1 - 27:16] (10 lines, 104 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/README.md [20:1 - 30:11]

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [261:9 - 266:7] (5 lines, 73 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [212:5 - 219:4]

 261 │ 212 │ from OpenSSL import crypto as c
 262 │ 213 │
 263 │ 214 │         with open(pem_file, "rb") as fh:
 264 │ 215 │             cert = c.load_certificate(c.FILETYPE_PEM, fh.read())
 265 │ 216 │         return datetime.strptime(cert.get_notAfter().decode("utf8"), "%Y%m%d%H%M%SZ")
 266 │ 217 │     except

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [309:5 - 318:4] (9 lines, 79 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [236:5 - 245:5]

 309 │ 236 │ )
 310 │ 237 │     parser.add_argument("--quiet", action="store_true", help="Minimal output")
 311 │ 238 │     parser.add_argument("--debug", action="store_true", help="Enable debug logging")
 312 │ 239 │
 313 │ 240 │     args = parser.parse_args()
 314 │ 241 │
 315 │ 242 │     # Validate files exist
 316 │ 243 │     if not os.path.isfile(args.key_file):
 317 │ 244 │         print(f"ERROR: --key-file '{args.key_file}' doesn't exist!")
 318 │ 245 │         sys

Clone found (markdown):
 - /github/workspace/apps/onyx-deployer/README.md [17:1 - 27:16] (10 lines, 104 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/README.md [20:1 - 30:11]

 17 │ 20 │ ash
 18 │ 21 │ docker build -t ghcr.io/lukevanstech/onyx-deployer:latest .
 19 │ 22 │ docker push ghcr.io/lukevanstech/onyx-deployer:latest
 20 │ 23 │ ```
 21 │ 24 │
 22 │ 25 │ ### 2. Configure in Cert Warden
 23 │ 26 │
 24 │ 27 │ In Cert Warden's certificate post-processing settings, configure the container with these environment variables:
 25 │ 28 │
 26 │ 29 │ | Variable | Required | Description | Example |
 27 │ 30 │ |----------|----------|-------------|---------|
 28 │ 31 │ | `CERTIFICATE_PEM` | Yes | Certif

Found 3 clones.
Error: ERROR: jscpd found too many duplicates (1.18%) over threshold (0%)
    at ThresholdReporter.report (/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node_modules/jscpd/dist/bin/jscpd.js:9:5
ERROR: jscpd found too many duplicates (1.18%) over threshold (0%)
TRIVY

Report Summary

┌──────────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│                Target                │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/apc-deployer/Dockerfile         │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/brother-deployer/Dockerfile     │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/onyx-deployer/Dockerfile        │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/supermicro-ipmi-cert/Dockerfile │ dockerfile │        -        │         1         │    -    │
└──────────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


apps/apc-deployer/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/brother-deployer/Dockerfile (dockerfile)
=============================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/onyx-deployer/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/supermicro-ipmi-cert/Dockerfile (dockerfile)
=================================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


@LukeEvansTech LukeEvansTech force-pushed the chore/add-super-linter branch from af091ce to e87cdf1 Compare May 3, 2026 22:30
@github-actions
Contributor

github-actions Bot commented May 3, 2026

Super-linter summary

| Language | Validation result |
|----------|-------------------|
| BIOME_FORMAT | Fail ❌ |
| BIOME_LINT | Pass ✅ |
| CHECKOV | Fail ❌ |
| EDITORCONFIG | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Fail ❌ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Fail ❌ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_FORMAT
Checked 1 file in 4ms. No fixes applied.
Found 1 error.
.markdownlint.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"default":·true,
     3    │ - ··"MD013":·{
     4    │ - ····"line_length":·150,
     5    │ - ····"code_blocks":·false,
     6    │ - ····"tables":·false
     7    │ - ··},
     8    │ - ··"MD024":·{
     9    │ - ····"siblings_only":·true
    10    │ - ··},
    11    │ - ··"MD033":·{
    12    │ - ····"allowed_elements":·["br",·"img",·"a",·"details",·"summary",·"sup",·"sub"]
    13    │ - ··},
    14    │ - ··"MD041":·false,
    15    │ - ··"MD046":·{
    16    │ - ····"style":·"fenced"
    17    │ - ··}
        2 │ + → "default":·true,
        3 │ + → "MD013":·{
        4 │ + → → "line_length":·150,
        5 │ + → → "code_blocks":·false,
        6 │ + → → "tables":·false
        7 │ + → },
        8 │ + → "MD024":·{
        9 │ + → → "siblings_only":·true
       10 │ + → },
       11 │ + → "MD033":·{
       12 │ + → → "allowed_elements":·["br",·"img",·"a",·"details",·"summary",·"sup",·"sub"]
       13 │ + → },
       14 │ + → "MD041":·false,
       15 │ + → "MD046":·{
       16 │ + → → "style":·"fenced"
       17 │ + → }
    18 18 │   }
    19 19 │


format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some errors were emitted while running checks.

CHECKOV
dockerfile scan results:

Passed checks: 469, Failed checks: 4, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/brother-deployer/Dockerfile.
	File: /apps/brother-deployer/Dockerfile:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM alpine:3.22 AS builder
		2  |
		3  | ARG KUBECTL_VERSION=v1.32.0
		4  | ARG BROTHER_CERT_VERSION=v0.3.0
		5  | ARG TARGETARCH=amd64
		6  |
		7  | WORKDIR /downloads
		8  |
		9  | # Download kubectl
		10 | RUN wget -q -O kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
		11 |     chmod +x kubectl
		12 |
		13 | # Download brother-cert
		14 | RUN wget -q "https://github.com/gregtwallace/brother-cert/releases/download/${BROTHER_CERT_VERSION}/brother-cert-${BROTHER_CERT_VERSION}_linux_${TARGETARCH}.tar.gz" && \
		15 |     tar -xzf brother-cert-*.tar.gz && \
		16 |     chmod +x brother-cert
		17 |
		18 | # Final runtime image
		19 | FROM alpine:3.22
		20 |
		21 | LABEL org.opencontainers.image.source="https://github.com/LukeEvansTech/containers"
		22 | LABEL org.opencontainers.image.description="Brother Printer Certificate Deployment Tool for Cert Warden"
		23 | LABEL org.opencontainers.image.licenses="GPL-2.0"
		24 |
		25 | # Install runtime dependencies
		26 | RUN apk add --no-cache \
		27 |     ca-certificates \
		28 |     && rm -rf /var/cache/apk/*
		29 |
		30 | # Copy binaries from builder
		31 | COPY --from=builder /downloads/kubectl /usr/local/bin/kubectl
		32 | COPY --from=builder /downloads/brother-cert /usr/local/bin/brother-cert
		33 |
		34 | # Create app directory and set permissions for nobody user (65534:65534)
		35 | RUN mkdir -p /app && \
		36 |     chown -R nobody:nobody /app
		37 |
		38 | # Switch to non-root nobody user
		39 | USER nobody
		40 |
		41 | WORKDIR /app
		42 |
		43 | # Verify installations
		44 | RUN kubectl version --client && \
		45 |     brother-cert --version || echo "brother-cert installed"
		46 |
		47 | # Default command
		48 | CMD ["/bin/sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/supermicro-ipmi-cert/Dockerfile.
	File: /apps/supermicro-ipmi-cert/Dockerfile:1-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/onyx-deployer/Dockerfile.
	File: /apps/onyx-deployer/Dockerfile:1-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/apc-deployer/Dockerfile.
	File: /apps/apc-deployer/Dockerfile:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:

Passed checks: 8, Failed checks: 0, Skipped checks: 0
JSCPD
Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [261:9 - 266:7] (5 lines, 73 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [212:5 - 219:4]

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [309:5 - 318:4] (9 lines, 79 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [236:5 - 245:5]

Clone found (markdown):
 - /github/workspace/apps/onyx-deployer/README.md [17:1 - 27:16] (10 lines, 104 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/README.md [20:1 - 30:11]

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [261:9 - 266:7] (5 lines, 73 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [212:5 - 219:4]

 261 │ 212 │ from OpenSSL import crypto as c
 262 │ 213 │
 263 │ 214 │         with open(pem_file, "rb") as fh:
 264 │ 215 │             cert = c.load_certificate(c.FILETYPE_PEM, fh.read())
 265 │ 216 │         return datetime.strptime(cert.get_notAfter().decode("utf8"), "%Y%m%d%H%M%SZ")
 266 │ 217 │     except

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [309:5 - 318:4] (9 lines, 79 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [236:5 - 245:5]

 309 │ 236 │ )
 310 │ 237 │     parser.add_argument("--quiet", action="store_true", help="Minimal output")
 311 │ 238 │     parser.add_argument("--debug", action="store_true", help="Enable debug logging")
 312 │ 239 │
 313 │ 240 │     args = parser.parse_args()
 314 │ 241 │
 315 │ 242 │     # Validate files exist
 316 │ 243 │     if not os.path.isfile(args.key_file):
 317 │ 244 │         print(f"ERROR: --key-file '{args.key_file}' doesn't exist!")
 318 │ 245 │         sys

Clone found (markdown):
 - /github/workspace/apps/onyx-deployer/README.md [17:1 - 27:16] (10 lines, 104 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/README.md [20:1 - 30:11]

 17 │ 20 │ ash
 18 │ 21 │ docker build -t ghcr.io/lukevanstech/onyx-deployer:latest .
 19 │ 22 │ docker push ghcr.io/lukevanstech/onyx-deployer:latest
 20 │ 23 │ ```
 21 │ 24 │
 22 │ 25 │ ### 2. Configure in Cert Warden
 23 │ 26 │
 24 │ 27 │ In Cert Warden's certificate post-processing settings, configure the container with these environment variables:
 25 │ 28 │
 26 │ 29 │ | Variable | Required | Description | Example |
 27 │ 30 │ |----------|----------|-------------|---------|
 28 │ 31 │ | `CERTIFICATE_PEM` | Yes | Certif

Found 3 clones.
Error: ERROR: jscpd found too many duplicates (1.18%) over threshold (0%)
    at ThresholdReporter.report (/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node_modules/jscpd/dist/bin/jscpd.js:9:5
ERROR: jscpd found too many duplicates (1.18%) over threshold (0%)
TRIVY

Report Summary

┌──────────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│                Target                │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/apc-deployer/Dockerfile         │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/brother-deployer/Dockerfile     │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/onyx-deployer/Dockerfile        │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/supermicro-ipmi-cert/Dockerfile │ dockerfile │        -        │         1         │    -    │
└──────────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


apps/apc-deployer/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/brother-deployer/Dockerfile (dockerfile)
=============================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/onyx-deployer/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/supermicro-ipmi-cert/Dockerfile (dockerfile)
=================================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


@LukeEvansTech LukeEvansTech force-pushed the chore/add-super-linter branch from e87cdf1 to 38f20d9 Compare May 4, 2026 17:56
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

| Language | Validation result |
|----------|-------------------|
| CHECKOV | Fail ❌ |
| EDITORCONFIG | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Fail ❌ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Fail ❌ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

CHECKOV
dockerfile scan results:

Passed checks: 469, Failed checks: 4, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/brother-deployer/Dockerfile.
	File: /apps/brother-deployer/Dockerfile:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM alpine:3.22 AS builder
		2  |
		3  | ARG KUBECTL_VERSION=v1.32.0
		4  | ARG BROTHER_CERT_VERSION=v0.3.0
		5  | ARG TARGETARCH=amd64
		6  |
		7  | WORKDIR /downloads
		8  |
		9  | # Download kubectl
		10 | RUN wget -q -O kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
		11 |     chmod +x kubectl
		12 |
		13 | # Download brother-cert
		14 | RUN wget -q "https://github.com/gregtwallace/brother-cert/releases/download/${BROTHER_CERT_VERSION}/brother-cert-${BROTHER_CERT_VERSION}_linux_${TARGETARCH}.tar.gz" && \
		15 |     tar -xzf brother-cert-*.tar.gz && \
		16 |     chmod +x brother-cert
		17 |
		18 | # Final runtime image
		19 | FROM alpine:3.22
		20 |
		21 | LABEL org.opencontainers.image.source="https://github.com/LukeEvansTech/containers"
		22 | LABEL org.opencontainers.image.description="Brother Printer Certificate Deployment Tool for Cert Warden"
		23 | LABEL org.opencontainers.image.licenses="GPL-2.0"
		24 |
		25 | # Install runtime dependencies
		26 | RUN apk add --no-cache \
		27 |     ca-certificates \
		28 |     && rm -rf /var/cache/apk/*
		29 |
		30 | # Copy binaries from builder
		31 | COPY --from=builder /downloads/kubectl /usr/local/bin/kubectl
		32 | COPY --from=builder /downloads/brother-cert /usr/local/bin/brother-cert
		33 |
		34 | # Create app directory and set permissions for nobody user (65534:65534)
		35 | RUN mkdir -p /app && \
		36 |     chown -R nobody:nobody /app
		37 |
		38 | # Switch to non-root nobody user
		39 | USER nobody
		40 |
		41 | WORKDIR /app
		42 |
		43 | # Verify installations
		44 | RUN kubectl version --client && \
		45 |     brother-cert --version || echo "brother-cert installed"
		46 |
		47 | # Default command
		48 | CMD ["/bin/sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/supermicro-ipmi-cert/Dockerfile.
	File: /apps/supermicro-ipmi-cert/Dockerfile:1-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/apc-deployer/Dockerfile.
	File: /apps/apc-deployer/Dockerfile:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/onyx-deployer/Dockerfile.
	File: /apps/onyx-deployer/Dockerfile:1-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:

Passed checks: 8, Failed checks: 0, Skipped checks: 0
JSCPD
Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [261:9 - 266:7] (5 lines, 73 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [212:5 - 219:4]

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [309:5 - 318:4] (9 lines, 79 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [236:5 - 245:5]

Clone found (markdown):
 - /github/workspace/apps/onyx-deployer/README.md [17:1 - 27:16] (10 lines, 104 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/README.md [20:1 - 30:11]

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [261:9 - 266:7] (5 lines, 73 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [212:5 - 219:4]

 261 │ 212 │ from OpenSSL import crypto as c
 262 │ 213 │
 263 │ 214 │         with open(pem_file, "rb") as fh:
 264 │ 215 │             cert = c.load_certificate(c.FILETYPE_PEM, fh.read())
 265 │ 216 │         return datetime.strptime(cert.get_notAfter().decode("utf8"), "%Y%m%d%H%M%SZ")
 266 │ 217 │     except

Clone found (python):
 - /github/workspace/apps/onyx-deployer/onyx_cert_updater.py [309:5 - 318:4] (9 lines, 79 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/supermicro_ipmi_cert.py [236:5 - 245:5]

 309 │ 236 │ )
 310 │ 237 │     parser.add_argument("--quiet", action="store_true", help="Minimal output")
 311 │ 238 │     parser.add_argument("--debug", action="store_true", help="Enable debug logging")
 312 │ 239 │
 313 │ 240 │     args = parser.parse_args()
 314 │ 241 │
 315 │ 242 │     # Validate files exist
 316 │ 243 │     if not os.path.isfile(args.key_file):
 317 │ 244 │         print(f"ERROR: --key-file '{args.key_file}' doesn't exist!")
 318 │ 245 │         sys

Clone found (markdown):
 - /github/workspace/apps/onyx-deployer/README.md [17:1 - 27:16] (10 lines, 104 tokens)
   /github/workspace/apps/supermicro-ipmi-cert/README.md [20:1 - 30:11]

 17 │ 20 │ ash
 18 │ 21 │ docker build -t ghcr.io/lukevanstech/onyx-deployer:latest .
 19 │ 22 │ docker push ghcr.io/lukevanstech/onyx-deployer:latest
 20 │ 23 │ ```
 21 │ 24 │
 22 │ 25 │ ### 2. Configure in Cert Warden
 23 │ 26 │
 24 │ 27 │ In Cert Warden's certificate post-processing settings, configure the container with these environment variables:
 25 │ 28 │
 26 │ 29 │ | Variable | Required | Description | Example |
 27 │ 30 │ |----------|----------|-------------|---------|
 28 │ 31 │ | `CERTIFICATE_PEM` | Yes | Certif

Found 3 clones.
Error: ERROR: jscpd found too many duplicates (1.18%) over threshold (0%)
    at ThresholdReporter.report (/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node_modules/jscpd/dist/bin/jscpd.js:9:5
ERROR: jscpd found too many duplicates (1.18%) over threshold (0%)
TRIVY

Report Summary

┌──────────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│                Target                │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/apc-deployer/Dockerfile         │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/brother-deployer/Dockerfile     │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/onyx-deployer/Dockerfile        │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/supermicro-ipmi-cert/Dockerfile │ dockerfile │        -        │         1         │    -    │
└──────────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


apps/apc-deployer/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/brother-deployer/Dockerfile (dockerfile)
=============================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/onyx-deployer/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/supermicro-ipmi-cert/Dockerfile (dockerfile)
=================================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


@LukeEvansTech LukeEvansTech force-pushed the chore/add-super-linter branch from 38f20d9 to 7792cc8 Compare May 4, 2026 19:47
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Fail ❌
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

CHECKOV
dockerfile scan results:

Passed checks: 469, Failed checks: 4, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/supermicro-ipmi-cert/Dockerfile.
	File: /apps/supermicro-ipmi-cert/Dockerfile:1-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/onyx-deployer/Dockerfile.
	File: /apps/onyx-deployer/Dockerfile:1-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/brother-deployer/Dockerfile.
	File: /apps/brother-deployer/Dockerfile:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM alpine:3.22 AS builder
		2  |
		3  | ARG KUBECTL_VERSION=v1.32.0
		4  | ARG BROTHER_CERT_VERSION=v0.3.0
		5  | ARG TARGETARCH=amd64
		6  |
		7  | WORKDIR /downloads
		8  |
		9  | # Download kubectl
		10 | RUN wget -q -O kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
		11 |     chmod +x kubectl
		12 |
		13 | # Download brother-cert
		14 | RUN wget -q "https://github.com/gregtwallace/brother-cert/releases/download/${BROTHER_CERT_VERSION}/brother-cert-${BROTHER_CERT_VERSION}_linux_${TARGETARCH}.tar.gz" && \
		15 |     tar -xzf brother-cert-*.tar.gz && \
		16 |     chmod +x brother-cert
		17 |
		18 | # Final runtime image
		19 | FROM alpine:3.22
		20 |
		21 | LABEL org.opencontainers.image.source="https://github.com/LukeEvansTech/containers"
		22 | LABEL org.opencontainers.image.description="Brother Printer Certificate Deployment Tool for Cert Warden"
		23 | LABEL org.opencontainers.image.licenses="GPL-2.0"
		24 |
		25 | # Install runtime dependencies
		26 | RUN apk add --no-cache \
		27 |     ca-certificates \
		28 |     && rm -rf /var/cache/apk/*
		29 |
		30 | # Copy binaries from builder
		31 | COPY --from=builder /downloads/kubectl /usr/local/bin/kubectl
		32 | COPY --from=builder /downloads/brother-cert /usr/local/bin/brother-cert
		33 |
		34 | # Create app directory and set permissions for nobody user (65534:65534)
		35 | RUN mkdir -p /app && \
		36 |     chown -R nobody:nobody /app
		37 |
		38 | # Switch to non-root nobody user
		39 | USER nobody
		40 |
		41 | WORKDIR /app
		42 |
		43 | # Verify installations
		44 | RUN kubectl version --client && \
		45 |     brother-cert --version || echo "brother-cert installed"
		46 |
		47 | # Default command
		48 | CMD ["/bin/sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/apc-deployer/Dockerfile.
	File: /apps/apc-deployer/Dockerfile:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:

Passed checks: 8, Failed checks: 0, Skipped checks: 0
TRIVY

Report Summary

┌──────────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│                Target                │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/apc-deployer/Dockerfile         │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/brother-deployer/Dockerfile     │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/onyx-deployer/Dockerfile        │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/supermicro-ipmi-cert/Dockerfile │ dockerfile │        -        │         1         │    -    │
└──────────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


apps/apc-deployer/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/brother-deployer/Dockerfile (dockerfile)
=============================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/onyx-deployer/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/supermicro-ipmi-cert/Dockerfile (dockerfile)
=================================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


@LukeEvansTech LukeEvansTech force-pushed the chore/add-super-linter branch from 7792cc8 to 2ad4375 Compare May 4, 2026 19:56
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Fail ❌
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

CHECKOV
dockerfile scan results:

Passed checks: 469, Failed checks: 4, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/supermicro-ipmi-cert/Dockerfile.
	File: /apps/supermicro-ipmi-cert/Dockerfile:1-51
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/brother-deployer/Dockerfile.
	File: /apps/brother-deployer/Dockerfile:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM alpine:3.22 AS builder
		2  |
		3  | ARG KUBECTL_VERSION=v1.32.0
		4  | ARG BROTHER_CERT_VERSION=v0.3.0
		5  | ARG TARGETARCH=amd64
		6  |
		7  | WORKDIR /downloads
		8  |
		9  | # Download kubectl
		10 | RUN wget -q -O kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" && \
		11 |     chmod +x kubectl
		12 |
		13 | # Download brother-cert
		14 | RUN wget -q "https://github.com/gregtwallace/brother-cert/releases/download/${BROTHER_CERT_VERSION}/brother-cert-${BROTHER_CERT_VERSION}_linux_${TARGETARCH}.tar.gz" && \
		15 |     tar -xzf brother-cert-*.tar.gz && \
		16 |     chmod +x brother-cert
		17 |
		18 | # Final runtime image
		19 | FROM alpine:3.22
		20 |
		21 | LABEL org.opencontainers.image.source="https://github.com/LukeEvansTech/containers"
		22 | LABEL org.opencontainers.image.description="Brother Printer Certificate Deployment Tool for Cert Warden"
		23 | LABEL org.opencontainers.image.licenses="GPL-2.0"
		24 |
		25 | # Install runtime dependencies
		26 | RUN apk add --no-cache \
		27 |     ca-certificates \
		28 |     && rm -rf /var/cache/apk/*
		29 |
		30 | # Copy binaries from builder
		31 | COPY --from=builder /downloads/kubectl /usr/local/bin/kubectl
		32 | COPY --from=builder /downloads/brother-cert /usr/local/bin/brother-cert
		33 |
		34 | # Create app directory and set permissions for nobody user (65534:65534)
		35 | RUN mkdir -p /app && \
		36 |     chown -R nobody:nobody /app
		37 |
		38 | # Switch to non-root nobody user
		39 | USER nobody
		40 |
		41 | WORKDIR /app
		42 |
		43 | # Verify installations
		44 | RUN kubectl version --client && \
		45 |     brother-cert --version || echo "brother-cert installed"
		46 |
		47 | # Default command
		48 | CMD ["/bin/sh"]
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/apc-deployer/Dockerfile.
	File: /apps/apc-deployer/Dockerfile:1-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /apps/onyx-deployer/Dockerfile.
	File: /apps/onyx-deployer/Dockerfile:1-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
github_actions scan results:

Passed checks: 8, Failed checks: 0, Skipped checks: 0
TRIVY

Report Summary

┌──────────────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│                Target                │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/apc-deployer/Dockerfile         │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/brother-deployer/Dockerfile     │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/onyx-deployer/Dockerfile        │ dockerfile │        -        │         1         │    -    │
├──────────────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ apps/supermicro-ipmi-cert/Dockerfile │ dockerfile │        -        │         1         │    -    │
└──────────────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


apps/apc-deployer/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/brother-deployer/Dockerfile (dockerfile)
=============================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/onyx-deployer/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



apps/supermicro-ipmi-cert/Dockerfile (dockerfile)
=================================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


CHECKOV CKV_DOCKER_2 (HEALTHCHECK) and CKV_DOCKER_3 (USER) plus
TRIVY DS-0002 (non-root) flagged the Dockerfile(s). Fix without
changing runtime behaviour:
- HEALTHCHECK: TCP socket check on the listening port via Python
  stdlib — no extra runtime deps.
- USER 1000:1000: chown /app first so the app can still write to
  any data dirs it expects.
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`

@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`

@LukeEvansTech LukeEvansTech force-pushed the chore/add-super-linter branch from 1f7bad6 to 45ec4f3 Compare May 4, 2026 20:46
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`

…flows

CHECKOV CKV2_GHA_1 ("top-level permissions not set to write-all") fires
on workflows without an explicit top-level permissions block. Add the
GitHub-recommended least-privilege default; per-job overrides remain
intact and take precedence at runtime.
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Fail ❌
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
GITHUB_ACTIONS
.github/workflows/build-and-push.yaml:49:9: shellcheck reported issue in this script: SC2086:info:10:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
49 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:49:9: shellcheck reported issue in this script: SC2086:info:3:42: Double quote to prevent globbing and word splitting [shellcheck]
   |
49 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:49:9: shellcheck reported issue in this script: SC2086:info:7:26: Double quote to prevent globbing and word splitting [shellcheck]
   |
49 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:10:34: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:13:31: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:14:24: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:19:39: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:4:30: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:1:39: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:2:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:3:95: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:4:61: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:5:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:6:20: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:7:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:8:42: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:9:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
    |
154 |         run: |
    |         ^~~~
GITHUB_ACTIONS_ZIZMOR
�[1m�[33mwarning[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:34:9
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         - name: Checkout
   �[1m�[94m|�[0m �[1m�[33m _________^�[0m
�[1m�[94m35�[0m �[1m�[94m|�[0m �[1m�[33m|�[0m         uses: actions/checkout@v4
�[1m�[94m36�[0m �[1m�[94m|�[0m �[1m�[33m|�[0m         with:
�[1m�[94m37�[0m �[1m�[94m|�[0m �[1m�[33m|�[0m           fetch-depth: 0
   �[1m�[94m|�[0m �[1m�[33m|________________________^�[0m �[1m�[33mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[33mwarning[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:81:9
   �[1m�[94m|�[0m
�[1m�[94m81�[0m �[1m�[94m|�[0m         - name: Checkout
   �[1m�[94m|�[0m �[1m�[33m _________^�[0m
�[1m�[94m82�[0m �[1m�[94m|�[0m �[1m�[33m|�[0m         uses: actions/checkout@v4
   �[1m�[94m|�[0m �[1m�[33m|_________________________________^�[0m �[1m�[33mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

error[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:50:24
   |
49 |         run: |
   |         --- this run block
50 |           if [ -n "${{ inputs.app }}" ]; then
   |                        ^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:52:31
   |
49 |         run: |
   |         --- this run block
...
52 |             echo "apps=[\"${{ inputs.app }}\"]" >> $GITHUB_OUTPUT
   |                               ^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:53:23
   |
49 |         run: |
   |         --- this run block
...
53 |           elif [ "${{ steps.changed-files.outputs.any_changed }}" == "true" ]; then
   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:55:30
   |
49 | ...   run: |
   |       --- this run block
...
55 | ...       APPS=$(echo '${{ steps.changed-files.outputs.all_changed_files }}' | jq -R -s -c 'split(" ") | map(select(length > 0)) | m...
   |                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:64:36
   |
63 |         run: |
   |         --- this run block
64 |           echo "Apps to build: ${{ steps.set-matrix.outputs.apps }}"
   |                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:100:29
    |
 99 |         run: |
    |         --- this run block
100 |           if [ -f "apps/${{ matrix.app }}/VERSION" ]; then
    |                             ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:101:36
    |
 99 |         run: |
    |         --- this run block
100 |           if [ -f "apps/${{ matrix.app }}/VERSION" ]; then
101 |             VERSION=$(cat apps/${{ matrix.app }}/VERSION)
    |                                    ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:107:35
    |
 99 |         run: |
    |         --- this run block
...
107 |             APP_UPPER=$(echo "${{ matrix.app }}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')
    |                                   ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:135:31
    |
133 |         uses: docker/build-push-action@v6
    |         --------------------------------- action accepts arbitrary code
134 |         with:
135 |           context: ./apps/${{ matrix.app }}
    |           -------             ^^^^^^^^^^ may expand into attacker-controllable code
    |           |
    |           via this input
    |
    = note: audit confidence → Medium
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:155:31
    |
154 |         run: |
    |         --- this run block
155 |           echo "## Built: ${{ matrix.app }}" >> $GITHUB_STEP_SUMMARY
    |                               ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:157:85
    |
154 |         run: |
    |         --- this run block
...
157 |           echo "**Image**: \`${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.app }}\`" >> $GITHUB_STEP_SUMMARY
    |                                                                                     ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:158:35
    |
154 |         run: |
    |         --- this run block
...
158 |           echo "**Digest**: \`${{ steps.build.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY
    |                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:162:21
    |
154 |         run: |
    |         --- this run block
...
162 |           echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
    |                     ^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:173:21
    |
172 |         run: |
    |         --- this run block
173 |           if [ "${{ needs.build.result }}" == "failure" ]; then
    |                     ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:176:23
    |
172 |         run: |
    |         --- this run block
...
176 |           elif [ "${{ needs.build.result }}" == "skipped" ]; then
    |                       ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[known-vulnerable-actions]: action has a known vulnerability
  --> /github/workspace/.github/workflows/build-and-push.yaml:41:9
   |
41 |         uses: tj-actions/changed-files@v45
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ GHSA-mrrh-fwg8-r2c3
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#known-vulnerable-actions

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:35:15
   |
35 |         uses: actions/checkout@v4
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:41:15
   |
41 |         uses: tj-actions/changed-files@v45
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:82:15
   |
82 |         uses: actions/checkout@v4
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:85:15
   |
85 |         uses: docker/setup-qemu-action@v3
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:88:15
   |
88 |         uses: docker/setup-buildx-action@v3
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:91:15
   |
91 |         uses: docker/login-action@v3
   |               ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:122:15
    |
122 |         uses: docker/metadata-action@v5
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:133:15
    |
133 |         uses: docker/build-push-action@v6
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:147:15
    |
147 |         uses: actions/attest-build-provenance@v2
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

37 findings (10 suppressed, 26 fixable): 7 informational, 0 low, 8 medium, 12 high
🌈 zizmor v1.23.1
INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build-and-push.yaml
INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/lint.yml
YAML_PRETTIER
Checking formatting...
[warn] .github/workflows/build-and-push.yaml
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Fail ❌
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
GITHUB_ACTIONS
.github/workflows/build-and-push.yaml:49:9: shellcheck reported issue in this script: SC2086:info:10:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
49 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:49:9: shellcheck reported issue in this script: SC2086:info:3:42: Double quote to prevent globbing and word splitting [shellcheck]
   |
49 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:49:9: shellcheck reported issue in this script: SC2086:info:7:26: Double quote to prevent globbing and word splitting [shellcheck]
   |
49 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:10:34: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:13:31: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:14:24: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:19:39: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:99:9: shellcheck reported issue in this script: SC2086:info:4:30: Double quote to prevent globbing and word splitting [shellcheck]
   |
99 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:1:39: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:2:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:3:95: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:4:61: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:5:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:6:20: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:7:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:8:42: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2086:info:9:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
154 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:154:9: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
    |
154 |         run: |
    |         ^~~~
GITHUB_ACTIONS_ZIZMOR
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build-and-push.yaml:34:9
   |
34 |         - name: Checkout
   |  _________^
35 | |         uses: actions/checkout@v4
36 | |         with:
37 | |           fetch-depth: 0
   | |________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/build-and-push.yaml:81:9
   |
81 |         - name: Checkout
   |  _________^
82 | |         uses: actions/checkout@v4
   | |_________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

error[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:50:24
   |
49 |         run: |
   |         --- this run block
50 |           if [ -n "${{ inputs.app }}" ]; then
   |                        ^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:52:31
   |
49 |         run: |
   |         --- this run block
...
52 |             echo "apps=[\"${{ inputs.app }}\"]" >> $GITHUB_OUTPUT
   |                               ^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:53:23
   |
49 |         run: |
   |         --- this run block
...
53 |           elif [ "${{ steps.changed-files.outputs.any_changed }}" == "true" ]; then
   |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:55:30
   |
49 | ...   run: |
   |       --- this run block
...
55 | ...       APPS=$(echo '${{ steps.changed-files.outputs.all_changed_files }}' | jq -R -s -c 'split(" ") | map(select(length > 0)) | m...
   |                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
  --> /github/workspace/.github/workflows/build-and-push.yaml:64:36
   |
63 |         run: |
   |         --- this run block
64 |           echo "Apps to build: ${{ steps.set-matrix.outputs.apps }}"
   |                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:100:29
    |
 99 |         run: |
    |         --- this run block
100 |           if [ -f "apps/${{ matrix.app }}/VERSION" ]; then
    |                             ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:101:36
    |
 99 |         run: |
    |         --- this run block
100 |           if [ -f "apps/${{ matrix.app }}/VERSION" ]; then
101 |             VERSION=$(cat apps/${{ matrix.app }}/VERSION)
    |                                    ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:107:35
    |
 99 |         run: |
    |         --- this run block
...
107 |             APP_UPPER=$(echo "${{ matrix.app }}" | tr '[:lower:]' '[:upper:]' | tr '-' '_')
    |                                   ^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

�[1m�[33mwarning[template-injection]�[0m�[1m: code injection via template expansion�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:135:31
    �[1m�[94m|�[0m
�[1m�[94m133�[0m �[1m�[94m|�[0m         uses: docker/build-push-action@v6
    �[1m�[94m|�[0m         �[1m�[94m---------------------------------�[0m �[1m�[94maction accepts arbitrary code�[0m
�[1m�[94m134�[0m �[1m�[94m|�[0m         with:
�[1m�[94m135�[0m �[1m�[94m|�[0m           context: ./apps/${{ matrix.app }}
    �[1m�[94m|�[0m           �[1m�[94m-------�[0m             �[1m�[33m^^^^^^^^^^�[0m �[1m�[33mmay expand into attacker-controllable code�[0m
    �[1m�[94m|�[0m           �[1m�[94m|�[0m
    �[1m�[94m|�[0m           �[1m�[94mvia this input�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Medium
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[33mwarning[template-injection]�[0m�[1m: code injection via template expansion�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:155:31
    �[1m�[94m|�[0m
�[1m�[94m154�[0m �[1m�[94m|�[0m         run: |
    �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m
�[1m�[94m155�[0m �[1m�[94m|�[0m           echo "## Built: ${{ matrix.app }}" >> $GITHUB_STEP_SUMMARY
    �[1m�[94m|�[0m                               �[1m�[33m^^^^^^^^^^�[0m �[1m�[33mmay expand into attacker-controllable code�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Medium
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[33mwarning[template-injection]�[0m�[1m: code injection via template expansion�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:157:85
    �[1m�[94m|�[0m
�[1m�[94m154�[0m �[1m�[94m|�[0m         run: |
    �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m
�[1m�[94m...�[0m
�[1m�[94m157�[0m �[1m�[94m|�[0m           echo "**Image**: \`${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.app }}\`" >> $GITHUB_STEP_SUMMARY
    �[1m�[94m|�[0m                                                                                     �[1m�[33m^^^^^^^^^^�[0m �[1m�[33mmay expand into attacker-controllable code�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Medium
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[94minfo[template-injection]�[0m�[1m: code injection via template expansion�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:158:35
    �[1m�[94m|�[0m
�[1m�[94m154�[0m �[1m�[94m|�[0m         run: |
    �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m
�[1m�[94m...�[0m
�[1m�[94m158�[0m �[1m�[94m|�[0m           echo "**Digest**: \`${{ steps.build.outputs.digest }}\`" >> $GITHUB_STEP_SUMMARY
    �[1m�[94m|�[0m                                   �[1m�[94m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[94mmay expand into attacker-controllable code�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[94minfo[template-injection]�[0m�[1m: code injection via template expansion�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:162:21
    �[1m�[94m|�[0m
�[1m�[94m154�[0m �[1m�[94m|�[0m         run: |
    �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m
�[1m�[94m...�[0m
�[1m�[94m162�[0m �[1m�[94m|�[0m           echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
    �[1m�[94m|�[0m                     �[1m�[94m^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[94mmay expand into attacker-controllable code�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[94minfo[template-injection]�[0m�[1m: code injection via template expansion�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:173:21
    �[1m�[94m|�[0m
�[1m�[94m172�[0m �[1m�[94m|�[0m         run: |
    �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m
�[1m�[94m173�[0m �[1m�[94m|�[0m           if [ "${{ needs.build.result }}" == "failure" ]; then
    �[1m�[94m|�[0m                     �[1m�[94m^^^^^^^^^^^^^^^^^^�[0m �[1m�[94mmay expand into attacker-controllable code�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[94minfo[template-injection]�[0m�[1m: code injection via template expansion�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:176:23
    �[1m�[94m|�[0m
�[1m�[94m172�[0m �[1m�[94m|�[0m         run: |
    �[1m�[94m|�[0m         �[1m�[94m---�[0m �[1m�[94mthis run block�[0m
�[1m�[94m...�[0m
�[1m�[94m176�[0m �[1m�[94m|�[0m           elif [ "${{ needs.build.result }}" == "skipped" ]; then
    �[1m�[94m|�[0m                       �[1m�[94m^^^^^^^^^^^^^^^^^^�[0m �[1m�[94mmay expand into attacker-controllable code�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#template-injection�[39m

�[1m�[91merror[known-vulnerable-actions]�[0m�[1m: action has a known vulnerability�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:41:9
   �[1m�[94m|�[0m
�[1m�[94m41�[0m �[1m�[94m|�[0m         uses: tj-actions/changed-files@v45
   �[1m�[94m|�[0m         �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91mGHSA-mrrh-fwg8-r2c3�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#known-vulnerable-actions�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:35:15
   �[1m�[94m|�[0m
�[1m�[94m35�[0m �[1m�[94m|�[0m         uses: actions/checkout@v4
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:41:15
   �[1m�[94m|�[0m
�[1m�[94m41�[0m �[1m�[94m|�[0m         uses: tj-actions/changed-files@v45
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:82:15
   �[1m�[94m|�[0m
�[1m�[94m82�[0m �[1m�[94m|�[0m         uses: actions/checkout@v4
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:85:15
   �[1m�[94m|�[0m
�[1m�[94m85�[0m �[1m�[94m|�[0m         uses: docker/setup-qemu-action@v3
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:88:15
   �[1m�[94m|�[0m
�[1m�[94m88�[0m �[1m�[94m|�[0m         uses: docker/setup-buildx-action@v3
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:91:15
   �[1m�[94m|�[0m
�[1m�[94m91�[0m �[1m�[94m|�[0m         uses: docker/login-action@v3
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:122:15
    �[1m�[94m|�[0m
�[1m�[94m122�[0m �[1m�[94m|�[0m         uses: docker/metadata-action@v5
    �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:133:15
    �[1m�[94m|�[0m
�[1m�[94m133�[0m �[1m�[94m|�[0m         uses: docker/build-push-action@v6
    �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
   �[1m�[94m--> �[0m/github/workspace/.github/workflows/build-and-push.yaml:147:15
    �[1m�[94m|�[0m
�[1m�[94m147�[0m �[1m�[94m|�[0m         uses: actions/attest-build-provenance@v2
    �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
    �[1m�[94m|�[0m
    �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
    �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
    �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[32m37�[39m findings (�[1m�[93m10�[39m suppressed, �[92m26�[39m fixable�[0m): �[35m7�[39m informational, �[36m0�[39m low, �[33m8�[39m medium, �[31m12�[39m high🌈 zizmor v1.23.1
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/build-and-push.yaml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/lint.yml

…ions

- zizmor --fix=all: adds 'persist-credentials: false' to actions/checkout
  invocations (artipacked audit) and other safe security fixes.
- prettier --write: normalises workflow YAML formatting (YAML_PRETTIER).
- ensures top-level 'permissions: contents: read' on every workflow
  (CKV2_GHA_1).
@github-actions
Contributor

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Fail ❌
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
GITHUB_ACTIONS
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2016:info:6:15: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:10:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:3:38: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:7:26: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:10:34: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:13:31: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:14:24: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:19:39: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:2:22: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:4:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:1:35: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:2:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:3:91: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:4:57: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:5:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:6:20: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:7:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:8:38: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:9:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
    |
165 |         run: |
    |         ^~~~
GITHUB_ACTIONS_ZIZMOR
warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:146:31
    |
144 |         uses: docker/build-push-action@v6
    |         --------------------------------- action accepts arbitrary code
145 |         with:
146 |           context: ./apps/${{ matrix.app }}
    |           -------             ^^^^^^^^^^ may expand into attacker-controllable code
    |           |
    |           via this input
    |
    = note: audit confidence → Medium
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:188:21
    |
187 |         run: |
    |         --- this run block
188 |           if [ "${{ needs.build.result }}" == "failure" ]; then
    |                     ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:191:23
    |
187 |         run: |
    |         --- this run block
...
191 |           elif [ "${{ needs.build.result }}" == "skipped" ]; then
    |                       ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[known-vulnerable-actions]: action has a known vulnerability
  --> /github/workspace/.github/workflows/build-and-push.yaml:42:9
   |
42 |         uses: tj-actions/changed-files@v45
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ GHSA-mrrh-fwg8-r2c3
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#known-vulnerable-actions

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:35:15
   |
35 |         uses: actions/checkout@v4
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:42:15
   |
42 |         uses: tj-actions/changed-files@v45
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:89:15
   |
89 |         uses: actions/checkout@v4
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:94:15
   |
94 |         uses: docker/setup-qemu-action@v3
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:97:15
   |
97 |         uses: docker/setup-buildx-action@v3
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:100:15
    |
100 |         uses: docker/login-action@v3
    |               ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:133:15
    |
133 |         uses: docker/metadata-action@v5
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:144:15
    |
144 |         uses: docker/build-push-action@v6
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:158:15
    |
158 |         uses: actions/attest-build-provenance@v2
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

23 findings (10 suppressed, 12 fixable): 2 informational, 0 low, 1 medium, 10 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build-and-push.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/lint.yml

@github-actions
Contributor

github-actions Bot commented May 5, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Fail ❌
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
GITHUB_ACTIONS
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2016:info:6:15: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:10:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:3:38: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:7:26: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:10:34: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:13:31: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:14:24: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:19:39: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:2:22: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:4:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:1:35: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:2:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:3:91: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:4:57: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:5:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:6:20: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:7:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:8:38: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:9:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
    |
165 |         run: |
    |         ^~~~
GITHUB_ACTIONS_ZIZMOR
warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:146:31
    |
144 |         uses: docker/build-push-action@v6
    |         --------------------------------- action accepts arbitrary code
145 |         with:
146 |           context: ./apps/${{ matrix.app }}
    |           -------             ^^^^^^^^^^ may expand into attacker-controllable code
    |           |
    |           via this input
    |
    = note: audit confidence → Medium
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:188:21
    |
187 |         run: |
    |         --- this run block
188 |           if [ "${{ needs.build.result }}" == "failure" ]; then
    |                     ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:191:23
    |
187 |         run: |
    |         --- this run block
...
191 |           elif [ "${{ needs.build.result }}" == "skipped" ]; then
    |                       ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[known-vulnerable-actions]: action has a known vulnerability
  --> /github/workspace/.github/workflows/build-and-push.yaml:42:9
   |
42 |         uses: tj-actions/changed-files@v45
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ GHSA-mrrh-fwg8-r2c3
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#known-vulnerable-actions

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:42:15
   |
42 |         uses: tj-actions/changed-files@v45
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:94:15
   |
94 |         uses: docker/setup-qemu-action@v3
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/build-and-push.yaml:97:15
   |
97 |         uses: docker/setup-buildx-action@v3
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:100:15
    |
100 |         uses: docker/login-action@v3
    |               ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:133:15
    |
133 |         uses: docker/metadata-action@v5
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:144:15
    |
144 |         uses: docker/build-push-action@v6
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
   --> /github/workspace/.github/workflows/build-and-push.yaml:158:15
    |
158 |         uses: actions/attest-build-provenance@v2
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

21 findings (10 suppressed, 10 fixable): 2 informational, 0 low, 1 medium, 8 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build-and-push.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/lint.yml

Resolves zizmor's unpinned-uses audit. Each 'uses: $action@$tag' is
replaced with 'uses: $action@$sha # $tag' (the Renovate-friendly
convention — Renovate bumps both atomically when tags move). Run via
pinact.
@LukeEvansTech LukeEvansTech force-pushed the chore/add-super-linter branch from 54f0e91 to d9746ce Compare May 5, 2026 14:32
@github-actions
Contributor

github-actions Bot commented May 5, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Fail ❌
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
GITHUB_ACTIONS
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2016:info:6:15: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:10:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:3:38: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:7:26: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:10:34: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:13:31: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:14:24: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:19:39: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:2:22: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:4:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:1:35: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:2:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:3:91: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:4:57: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:5:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:6:20: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:7:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:8:38: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:9:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
    |
165 |         run: |
    |         ^~~~
GITHUB_ACTIONS_ZIZMOR
warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:146:31
    |
144 |         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
    |         ----------------------------------------------------------------------- action accepts arbitrary code
145 |         with:
146 |           context: ./apps/${{ matrix.app }}
    |           -------             ^^^^^^^^^^ may expand into attacker-controllable code
    |           |
    |           via this input
    |
    = note: audit confidence → Medium
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:188:21
    |
187 |         run: |
    |         --- this run block
188 |           if [ "${{ needs.build.result }}" == "failure" ]; then
    |                     ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:191:23
    |
187 |         run: |
    |         --- this run block
...
191 |           elif [ "${{ needs.build.result }}" == "skipped" ]; then
    |                       ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[known-vulnerable-actions]: action has a known vulnerability
  --> /github/workspace/.github/workflows/build-and-push.yaml:42:9
   |
42 |         uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ GHSA-mrrh-fwg8-r2c3
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#known-vulnerable-actions

14 findings (10 suppressed, 3 fixable): 2 informational, 0 low, 1 medium, 1 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build-and-push.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/lint.yml

… SHA

- Top-level permissions reduced to 'contents: read' (least-privilege).
- Job-level adds 'statuses: write' + 'pull-requests: write' for super-linter.
- Bumped LukeEvansTech/shared-workflows pin to current v1 SHA.

Resolves zizmor excessive-permissions on the lint.yml caller.
@github-actions
Contributor

github-actions Bot commented May 5, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
DOCKERFILE_HADOLINT Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Fail ❌
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

DOCKERFILE_HADOLINT
/github/workspace/apps/apc-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/brother-deployer/Dockerfile:26 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/onyx-deployer/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
/github/workspace/apps/supermicro-ipmi-cert/Dockerfile:20 DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
GITHUB_ACTIONS
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2016:info:6:15: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:10:21: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:3:38: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:50:9: shellcheck reported issue in this script: SC2086:info:7:26: Double quote to prevent globbing and word splitting [shellcheck]
   |
50 |         run: |
   |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:10:34: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:13:31: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:14:24: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:19:39: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:2:22: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:3:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:108:9: shellcheck reported issue in this script: SC2086:info:4:30: Double quote to prevent globbing and word splitting [shellcheck]
    |
108 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:1:35: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:2:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:3:91: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:4:57: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:5:12: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:6:20: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:7:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:8:38: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2086:info:9:18: Double quote to prevent globbing and word splitting [shellcheck]
    |
165 |         run: |
    |         ^~~~
.github/workflows/build-and-push.yaml:165:9: shellcheck reported issue in this script: SC2129:style:1:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
    |
165 |         run: |
    |         ^~~~
GITHUB_ACTIONS_ZIZMOR
warning[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:146:31
    |
144 |         uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
    |         ----------------------------------------------------------------------- action accepts arbitrary code
145 |         with:
146 |           context: ./apps/${{ matrix.app }}
    |           -------             ^^^^^^^^^^ may expand into attacker-controllable code
    |           |
    |           via this input
    |
    = note: audit confidence → Medium
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:188:21
    |
187 |         run: |
    |         --- this run block
188 |           if [ "${{ needs.build.result }}" == "failure" ]; then
    |                     ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

info[template-injection]: code injection via template expansion
   --> /github/workspace/.github/workflows/build-and-push.yaml:191:23
    |
187 |         run: |
    |         --- this run block
...
191 |           elif [ "${{ needs.build.result }}" == "skipped" ]; then
    |                       ^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
    = help: audit documentation → https://docs.zizmor.sh/audits/#template-injection

error[known-vulnerable-actions]: action has a known vulnerability
  --> /github/workspace/.github/workflows/build-and-push.yaml:42:9
   |
42 |         uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ GHSA-mrrh-fwg8-r2c3
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#known-vulnerable-actions

12 findings (8 suppressed, 3 fixable): 2 informational, 0 low, 1 medium, 1 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/build-and-push.yaml
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/lint.yml
