Skip to content

Fix Semgrep SAST findings: Dependabot cooldown and pinned action#3

Merged
olegs-method merged 1 commit into
mainfrom
security/scanner-fixes
Jul 13, 2026
Merged

Fix Semgrep SAST findings: Dependabot cooldown and pinned action#3
olegs-method merged 1 commit into
mainfrom
security/scanner-fixes

Conversation

@olegs-method

Copy link
Copy Markdown
Contributor

Summary

Remediates the 2 Semgrep SAST findings reported for this repo. No Critical/High dependency findings were present.

SAST fixes

  1. dependabot-missing-cooldown (High) — .github/dependabot.yml:3
    Added a cooldown block with default-days: 7 to the github-actions ecosystem entry, so newly published packages wait 7 days before Dependabot proposes them. Mitigates malicious/unstable fresh releases (CWE-829, A08:2021 — Software and Data Integrity Failures).

  2. github-actions-mutable-action-tag (High) — .github/workflows/dependabot-auto-merge.yml:14
    Pinned dependabot/fetch-metadata from the mutable @v2 tag to the full-length commit SHA 21025c705c08248db411dc16f3619e6b5f9ea21a (still v2), with a # v2 comment for readability. Prevents silent tag repointing / supply-chain attacks (CWE-1357, CWE-353, A08:2021).

Dependency findings

None (no Critical/High dependency findings for this repo).

Verification

  • python3 YAML parse of both edited files: OK (both parse cleanly).
  • Repo is a documentation/skill repo with no build system, dependencies, or test suite; syntax validation is the applicable check.
  • git diff reviewed: 3 insertions, 1 deletion, scoped to the two flagged files.

🤖 Generated with Claude Code

- Add cooldown (default-days: 7) to the github-actions Dependabot
  ecosystem entry so newly published packages wait before being
  proposed (CWE-829 / A08:2021).
- Pin dependabot/fetch-metadata to its full-length commit SHA instead
  of the mutable @v2 tag to prevent supply-chain tag repointing
  (CWE-1357/CWE-353 / A08:2021).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@olegs-method
olegs-method merged commit ed1cd95 into main Jul 13, 2026
1 check passed
@olegs-method
olegs-method deleted the security/scanner-fixes branch July 13, 2026 22:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant