From 63392444547ac8350dd2f7c4bf0ef36cfd18cb55 Mon Sep 17 00:00:00 2001
From: Akshay2191
Date: Mon, 2 Mar 2026 11:59:53 +0000
Subject: [PATCH 1/3] added SHA
---
 .github/workflows/sbom-source.yml | 6 +++---
 dependencies.Dockerfile | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/sbom-source.yml b/.github/workflows/sbom-source.yml
index 723f8302cd..57ea17505a 100644
--- a/.github/workflows/sbom-source.yml
+++ b/.github/workflows/sbom-source.yml
@@ -26,7 +26,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: fetch-tags: 'true' - + - name: Get Secrets from Azure Key Vault uses: ./.github/actions/az-sync with: az_subscription_id: ${{ secrets.AZ_SUBSCRIPTION_ID }} keyvault: ${{ secrets.AZ_KEYVAULT_AGENT }} secrets-filter: 'artifactory' - + - name: Generate SBOM Document id: sbom-src
-uses: nginxinc/compliance-rules/.github/actions/sbom-source@main
+uses: nginxinc/compliance-rules/.github/actions/sbom-source@361e2ac0a4f333150a3773a815aac632d32ffde9 # main
 with: product-name: ${{ github.event.repository.name }} release-version: ${{ github.ref_name }}
diff --git a/dependencies.Dockerfile b/dependencies.Dockerfile
index b1b44dff9e..19e72b9888 100644
--- a/dependencies.Dockerfile
+++ b/dependencies.Dockerfile 
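Review bot: The SHA pin on the `uses: nginxinc/compliance-rules/.github/actions/sbom-source@361e2ac0…` line is annotated `# main`, a branch name rather than a release tag, so the comment carries no version information and pin-update tooling that keys off that trailing comment will keep advancing the pin to whatever `main` points at — the pin then delays, rather than removes, the floating-branch risk. If compliance-rules publishes tags, pin to a tagged commit and annotate it, e.g. `# v1.2.3`; if it does not, say so in the comment so reviewers know why there is no version, e.g. `# main (no release tags published; bump manually after review)`. The second hunk header for this file (the `az_subscription_id` … `release-version` stretch) appears to have been lost in the rendering of this patch, so the step boundaries shown above are reconstructed.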
@@ -3,11 +3,11 @@
 # Dependabot can keep this file up to date with latest containers.
 # Weaver is used to generate markdown docs, and enforce policies on the model.
-FROM otel/weaver:v0.13.2 AS weaver
+FROM otel/weaver:v0.13.2@sha256:ae7346b992e477f629ea327e0979e8a416a97f7956ab1f7e95ac1f44edf1a893 AS weaver
 # OPA is used to test policies enforced by weaver.
-FROM openpolicyagent/opa:1.2.0 AS opa
+FROM openpolicyagent/opa:1.2.0@sha256:96f7ee5dbcc634853c55e0fc6090fe421d8c853da967ee0246f98bd186e2083f AS opa
 # Semconv gen is used for backwards compatibility checks.
 # TODO(jsuereth): Remove this when no longer used.
-FROM otel/semconvgen:0.25.0 AS semconvgen
\ No newline at end of file
+FROM otel/semconvgen:0.25.0@sha256:9df7b8cbaa732277d64d0c0a8604d96bb6f5a36d0e96338cba5dced720c16485 AS semconvgen
From bd5cdf603c2966d6776d2ec1c0b6ad8ef62bae9a Mon Sep 17 00:00:00 2001
From: Akshay2191
Date: Wed, 4 Mar 2026 13:23:20 +0000
Subject: [PATCH 2/3] Added a way to run scorecard scan on any branch
---
 .github/workflows/scorecards.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 07b4064831..327f0fc924 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -12,6 +12,10 @@ on:
 branches:
 - main
 - dev-v2
+ pull_request:
+ branches:
+ - main
+ workflow_dispatch:
 # Declare default permissions as read only.
 permissions: read-all
From aa137bd2b0027e75fb59f9de187a2ad97270a134 Mon Sep 17 00:00:00 2001
From: Akshay2191
Date: Mon, 9 Mar 2026 12:56:42 +0000
Subject: [PATCH 3/3] added scorecard yml to ignore test docker files
---
 .github/scorecard.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 .github/scorecard.yml
diff --git a/.github/scorecard.yml b/.github/scorecard.yml
new file mode 100644
index 0000000000..2b949fe373
--- /dev/null
+++ b/.github/scorecard.yml 
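Review bot: The three new `FROM …@sha256:…` lines pin by digest, but nothing in the hunk shows whether each digest is a multi-arch manifest-list (index) digest or a single platform's image manifest; if it is the latter, a build on another architecture fails with a platform mismatch instead of silently pulling a different image, so this should be confirmed before merging, e.g. `docker buildx imagetools inspect otel/weaver:v0.13.2@sha256:ae7346b9…`, which prints the per-platform manifests when the digest is an index. Once a digest is present the tag (`v0.13.2`, `1.2.0`, `0.25.0`) is informational only and is ignored at resolution time, so a future hand edit that bumps the tag without the digest keeps building the old image unnoticed. The existing header comment could carry that caveat: `# Tags are informational once a digest is present — bump tag AND digest together (Dependabot's docker updater does both).`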
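Review bot: The new `pull_request:` trigger on `main` also fires for pull requests from forks, where the job has only a read-only `GITHUB_TOKEN` and no `id-token: write`; if the Scorecard step further down this workflow (outside the hunk) is configured with `publish_results: true`, those runs will fail at the publish step rather than produce a result, and the `permissions: read-all` context line shows the defaults give nothing extra. As far as the hunk shows, Scorecard also scores the repository as seen through the GitHub API rather than the PR's checked-out tree, so a PR-triggered run would largely report the base repository's state and not what the PR changes — worth confirming against the action's documentation before relying on it as a PR gate. Either gate publishing on the event, `publish_results: ${{ github.event_name != 'pull_request' }}`, or narrow the PR trigger with `paths: ['.github/**']` so it runs only when the workflow or Scorecard config it is meant to validate actually changes.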
@@ -0,0 +1,17 @@
+annotations:
+ # Ignore test Dockerfiles that use dynamic base images (ARG BASE_IMAGE)
+ # These are intentionally unpinned for test flexibility across multiple OS versions
+ - checks:
+ - pinned-dependencies
+ reasons:
+ - reason: test-data
+ annotation: "Test Dockerfiles use dynamic ARG BASE_IMAGE for multi-platform/multi-OS testing"
+ path:
+ - "test/docker/nginx-official-image/apk/Dockerfile"
+ - "test/docker/nginx-official-image/deb/Dockerfile"
+ - "test/docker/nginx-oss/apk/Dockerfile"
+ - "test/docker/nginx-oss/deb/Dockerfile"
+ - "test/docker/nginx-oss/rpm/Dockerfile"
+ - "test/docker/nginx-plus/deb/Dockerfile"
+ - "test/docker/nginx-plus-and-nap/deb/Dockerfile"
+
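Review bot: The annotation silences every `pinned-dependencies` finding in the seven listed Dockerfiles, not only the `ARG BASE_IMAGE` `FROM` line the two header comments describe — Scorecard annotations are scoped per `path`, not per line — so an unpinned `apt-get install`, `pip install` or `curl | sh` added to any of those files later will also go unreported. The header comment should state that scope so the suppression is not mistaken for a narrow one: `# NOTE: this silences ALL pinned-dependencies findings in the files below (package installs, downloads), not just the ARG BASE_IMAGE line — keep their other dependencies pinned by review.` Because the list is enumerated rather than globbed, a newly added test Dockerfile will still be reported, which is the right default; that is worth a one-line comment too so nobody "fixes" it with `test/docker/**`.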