fix(workflows): update github actions to use SHA

.github/scripts/report/go.mod

@@ -1,6 +1,6 @@
 module github.com/Checkmarx/e2e-report
 
-go 1.25.7
+go 1.26.2
 
 require (
 	github.com/rs/zerolog v1.31.0

.github/workflows/check-go-coverage.yaml

@@ -17,7 +17,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
         with:
           go-version-file: go.mod
       - name: Run test metrics script

.github/workflows/go-ci-coverage.yaml

@@ -18,7 +18,7 @@ jobs:
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
         with:
           go-version-file: go.mod
       - name: Run test metrics script
@@ -55,12 +55,12 @@ jobs:
           git config --global user.name "KICSBot"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
       - name: Download Coverage Report
-        uses: actions/download-artifact@v4.1.3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         with:
           name: ${{ runner.os }}-coverage-latest
           path: latest-coverage
       - name: Download Badge svg
-        uses: actions/download-artifact@v4.1.3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         with:
           name: ${{ runner.os }}-badge-latest
           path: latest-coverage

.github/workflows/go-ci-metrics.yaml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.x"
       - name: Run test metrics script
@@ -44,7 +44,7 @@ jobs:
           git config --global user.name "KICSBot"
           git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
       - name: Download Queries Badge SVG
-        uses: actions/download-artifact@v4.1.3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         with:
           name: ${{ runner.os }}-queries-badge-latest
           path: latest-metrics

.github/workflows/go-ci.yml

@@ -39,7 +39,7 @@ jobs:
     name: unit-tests
     strategy:
       matrix:
-        go-version: [1.25.x]
+        go-version: [1.26.x]
         os: [ubuntu-latest, ubuntu-24.04-arm, windows-2022, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:

.github/workflows/go-e2e-debian.yaml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.25.x]
+        go-version: [1.26.x]
         config:
           - os: ubuntu-latest
             platform: linux/amd64
@@ -31,15 +31,15 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
         with:
           go-version: ${{ matrix.go-version }}
       - name: Print go env
         run: go env
       - name: Get Modules
         run: go mod vendor
       - name: Set up Node v14
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6.3.0
         with:
           node-version: "20"
       - name: Install mock server

.github/workflows/go-e2e.yaml

@@ -10,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: [1.25.x]
+        go-version: [1.26.x]
         config:
           - os: ubuntu-latest
             platform: linux/amd64
@@ -47,15 +47,15 @@ jobs:
         with:
           persist-credentials: false
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
         with:
           go-version: ${{ matrix.go-version }}
       - name: Print go env
         run: go env
       - name: Get Modules
         run: go mod vendor
       - name: Set up Node v14
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6.3.0
         with:
           node-version: "20"
       - name: Install mock server

.github/workflows/release-commits.yaml

@@ -13,10 +13,10 @@ jobs:
       - name: Checkout Source
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
         with:
           go-version-file: go.mod
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.x"
       - name: Run get release commits script

.github/workflows/release-extract-info.yaml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.x"
       - name: Run test statistics script
@@ -19,7 +19,7 @@ jobs:
           pip3 install -r .github/scripts/extract-kics-info/requirements.txt
           python3 .github/scripts/extract-kics-info/extract-info.py
       - name: Upload binaries to release
-        uses: svenstaro/upload-release-action@81c65b7cd4de9b2570615ce3aad67a41de5b1a13 # v2.11.2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2.11.5
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: .github/scripts/extract-kics-info/extracted-info.zip

.github/workflows/release-nightly.yml

@@ -51,7 +51,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: 1.25.x
+          go-version: 1.26.x
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
         with:

.github/workflows/run-projects.yaml

@@ -52,7 +52,7 @@ jobs:
           cache: false
 
       - name: Download kics
-        uses: actions/download-artifact@v4.1.3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         with:
           name: kics
           path: .
@@ -62,7 +62,7 @@ jobs:
           unzip -q kics.zip
 
       - name: Download Json
-        uses: actions/download-artifact@v4.1.3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
         with:
           name: Metadata
           path: .

.github/workflows/sec-checks.yaml

@@ -138,7 +138,7 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
         with:
           go-version: 'stable'
       - name: Install govulncheck

.github/workflows/statistics.yaml

@@ -12,7 +12,7 @@ jobs:
       - name: Checkout Source
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
         with:
           go-version-file: go.mod
       - name: Run test metrics script
@@ -28,7 +28,7 @@ jobs:
           sudo apt-get install cloc
           GO_LOC=$(cloc . | grep Go | grep -Eo '[0-9]+$')
           echo "::set-output name=goloc::${GO_LOC}"
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.x"
       - name: Run test statistics script

.github/workflows/update-docs-queries.yaml

@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.x"
       - name: Update docs

.github/workflows/update-docs-release.yaml

@@ -32,7 +32,7 @@ jobs:
           echo "curr tag ${{ steps.version.outputs.ctag }}"
           echo "prev ver ${{ steps.version.outputs.pversion }}"
           echo "curr ver ${{ steps.version.outputs.cversion }}"
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: 3.x
       - name: Install dependencies

.github/workflows/update-install-script.yaml

@@ -30,7 +30,7 @@ jobs:
             && chmod +x godownloader \
             && rm -vf $(basename "${FULL_URL}") \
             && cd "${PROJDIR}"
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
         with:
           python-version: "3.x"
       - name: Install dependencies

.github/workflows/validate-arm-samples.yaml

@@ -12,7 +12,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6.3.0
         with:
           node-version: "20"
       - name: Installing jsonlint

.github/workflows/validate-issues.yaml

@@ -18,7 +18,7 @@ jobs:
           .github/scripts/pr-issue-info/get_title_types.py
           .github/issue-title-types.yaml
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
       with:
         python-version: "3.x"
     - name: Install dependencies

.github/workflows/validate-openapi-samples.yaml

@@ -14,7 +14,7 @@ jobs:
         with:
           persist-credentials: false
       - name: yaml-lint
-        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1
+        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
         with:
           file_or_dir: assets/queries/openAPI/
           config_file: .github/scripts/samples-linters/yamllint.yml
@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f #v6.3.0
         with:
           node-version: '20'
       - name: Installing jsonlint

.github/workflows/validate-prs.yaml

@@ -22,7 +22,7 @@ jobs:
     - name: Print PR Title
       run: echo "$TITLE"
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 #v6.2.0
       with:
         python-version: "3.x"
     - name: Install dependencies

.grype.yaml

@@ -8,5 +8,6 @@ ignore:
   - package:
       location: "/usr/local/bin/terraform"
   - vulnerability: GHSA-fw7p-63qq-7hpr # filippo.io/edwards25519 -> FP, not present in binary dependencies
+  - vulnerability: GHSA-w8rr-5gcm-pp58 # go.opentelemetry.io/otel/exporters/otlp/* -> Waiting for fix, only present in fs scan
 exclude:
-  - './.github/scripts/**' # test files
+  - './.github/scripts/**' # test files

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/go:1.26.1@sha256:1d40555ccad7e4e931c5e36d9ca743e3d37d895923e061b94615ae0e69f57b8b AS build_env
+FROM checkmarx/go:1.26.2@sha256:9bc691851ef2244d13b0b9ff48bd2d409f4d7300ce1e3589c886c3e393631366 AS build_env
 
 # Copy the source from the current directory to the Working Directory inside the container
 WORKDIR /app
@@ -29,9 +29,9 @@
 # Runtime image
 # Ignore no User Cmd since KICS container is stopped afer scan
 # kics-scan ignore-line
-FROM checkmarx/git:2.53.0@sha256:9b16c12c6247d4f5a50f11844bf8e89b6bf1c14ddeed18291cbc857e84d8c4e6
+FROM checkmarx/git:2.53.0@sha256:efb3b1704c76c7ebc0aa133281491a619b49db51030d86eaaa334281e0c4b214
 
 ENV TERM xterm-256color
 
 # Copy built binary to the runtime container
 # Vulnerability fixed in latest version of KICS remove when gh actions version is updated
@@ -47,7 +47,7 @@
 USER root
 
 # Healthcheck the container
 ENV PATH $PATH:/app/bin
 
 # Command to run the executable
 ENTRYPOINT ["/app/bin/kics"]

docker/Dockerfile.alpine

@@ -1,4 +1,4 @@
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-alpine AS build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.26.2-alpine AS build_env
 
 # Install build dependencies
 RUN apk add --no-cache git
@@ -51,7 +51,7 @@
 USER checkmarx
 
 # Add kics to PATH
 ENV PATH $PATH:/app/bin
 
 # Healthcheck the container (consistent with Debian variant)
 HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt

docker/Dockerfile.debian

@@ -3,7 +3,7 @@
 # it does not define an ENTRYPOINT as this is a requirement described here:
 # https://docs.microsoft.com/en-us/azure/devops/pipelines/process/container-phases?view=azure-devops#linux-based-containers
 #
-FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.25.7-bookworm as build_env
+FROM --platform=${BUILDPLATFORM:-linux/amd64} golang:1.26.2-bookworm as build_env
 # Create a group and user
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 USER checkmarx
@@ -45,7 +45,7 @@
 
 RUN groupadd checkmarx && useradd -g checkmarx -M -s /bin/bash checkmarx
 
 ENV PATH /app/bin:/usr/bin/git:$PATH
 
 RUN apt-get update -yq \
   && apt-get install git wget unzip zip jq -y \
@@ -60,7 +60,7 @@
 
 WORKDIR /app/bin
 
 ENV PATH $PATH:/app/bin
 # Healthcheck the container
 
 HEALTHCHECK CMD wget -q --method=HEAD localhost/system-status.txt

docker/Dockerfile.ubi8

@@ -7,13 +7,13 @@ WORKDIR /build
 
 ENV PATH=$PATH:/usr/local/go/bin
 
-RUN echo "Installing Go 1.25.7 for ${TARGETARCH:-amd64} architecture"
+RUN echo "Installing Go 1.26.2 for ${TARGETARCH:-amd64} architecture"
 
 RUN yum install git gcc wget -y \
   && rm -rf /usr/local/go \
-  && wget -q https://golang.org/dl/go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz \
-  && tar -C /usr/local -xzf go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz \
-  && rm -f go1.25.7.linux-${TARGETARCH:-amd64}.tar.gz
+  && wget -q https://golang.org/dl/go1.26.2.linux-${TARGETARCH:-amd64}.tar.gz \
+  && tar -C /usr/local -xzf go1.26.2.linux-${TARGETARCH:-amd64}.tar.gz \
+  && rm -f go1.26.2.linux-${TARGETARCH:-amd64}.tar.gz
 
 ENV GOPRIVATE=github.com/Checkmarx/*
 ARG VERSION="development"

docs/queries/cicd-queries/20f14e1a-a899-4e79-9f09-b6a84cd4649b.md

@@ -206,10 +206,10 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Set up Go 1.22.x
+      - name: Set up Go 1.26.x
         uses: actions/setup-go@v5
         with:
-          go-version: 1.22.x
+          go-version: 1.26.x
       - name: Run test metrics script
         id: testcov
         run: |