fix(security): close three supply chain gaps #2
- SHA-pin all pre-commit hook revs (gitleaks, shellcheck-py, pre-commit-hooks, mirrors-typos, zizmor) to full commit SHAs with tag comments for auditability
- Add OpenSSF Scorecard badge to README alongside existing CI badges
- Pin `cross` install in release workflow to v0.2.5 commit SHA instead of unpinned HEAD

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Code Review
This pull request updates the pre-commit configuration to pin dependencies using full commit SHAs and adds an OpenSSF Scorecard badge to the README. Feedback indicates that the version tags included in the comments for the pinned SHAs are incorrect or do not exist for several tools, including gitleaks, shellcheck-py, pre-commit-hooks, typos, and zizmor. These discrepancies should be corrected to ensure the documentation accurately reflects the pinned versions.
| repos: | ||
| - repo: https://github.com/gitleaks/gitleaks | ||
| rev: v8.30.0 | ||
| rev: 6eaad039603a4de39fddd1cf5f727391efe9974e # v8.30.0 |
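Review bot: the `# v8.30.0` comment is the only thing that tells a reader what this SHA is, and the review comment on this line disputes that it matches, so verify the pin before merging: `git ls-remote --tags https://github.com/gitleaks/gitleaks v8.30.0` should print `6eaad039603a4de39fddd1cf5f727391efe9974e` on the peeled `refs/tags/v8.30.0^{}` line (or on the plain `refs/tags/v8.30.0` line for a lightweight tag). If it does not, fix either the SHA or the comment; a comment that names the wrong tag turns the pin from an audit trail into misdirection.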
The version tag v8.30.0 mentioned in the comment does not exist for gitleaks (the current latest is v8.23.3). Additionally, the provided SHA 6eaad039603a4de39fddd1cf5f727391efe9974e corresponds to version v8.21.2. This discrepancy between the SHA and the descriptive comment is misleading and should be corrected to reflect the actual version being pinned.
| - repo: https://github.com/shellcheck-py/shellcheck-py | ||
| rev: v0.11.0.1 | ||
| rev: 745eface02aef23e168a8afb6b5737818efbea95 # v0.11.0.1 |
| - repo: https://github.com/pre-commit/pre-commit-hooks | ||
| rev: v6.0.0 | ||
| rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0 |
| - repo: https://github.com/adhtruong/mirrors-typos | ||
| rev: v1.44.0 | ||
| rev: cf074ce7ed10a99b0147ee84edc05a6b5732a122 # v1.44.0 |
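Review bot: this entry pins a third-party mirror, not the typos project itself, so the SHA freezes the mirror's hook definition at `cf074ce7`, not necessarily the typos release that hook installs. Confirm that the hook definition at that commit pins the typos version it pulls in; otherwise the tool that actually runs can still drift even though `.pre-commit-config.yaml` looks fully frozen.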
| - repo: https://github.com/zizmorcore/zizmor-pre-commit | ||
| rev: v1.16.3 | ||
| rev: 86ee5ea442ee969842e00913c6b76c060a7aa8ef # v1.16.3 |
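Review bot: all five pins in this file were hand-written with `# <tag>` comments, which is how the tag/SHA disagreement reported on the gitleaks entry crept in. `pre-commit autoupdate --freeze` emits the same SHA pin with a `# frozen: <tag>` comment derived from the actual tag, so regenerating the file with it guarantees that each SHA and its comment agree and lets future `autoupdate --freeze` runs keep maintaining them; the zizmor entry (and the other four) would then read `rev: 86ee5ea442ee969842e00913c6b76c060a7aa8ef  # frozen: v1.16.3`.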
Summary
- `.pre-commit-config.yaml` now uses full commit SHAs instead of mutable tags (gitleaks, shellcheck-py, pre-commit-hooks, mirrors-typos, zizmor). Tags preserved as inline comments.
- `scorecards.yml` with `publish_results: true`.
- `cross` install: Release workflow `create_release_assets.yml` now installs `cross` at a specific commit (v0.2.5) instead of unpinned HEAD.

Test plan
🤖 Generated with Claude Code
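A check for the failure the code review on this PR flags, SHA pins whose tag comments do not match the tag, as an added example that is not part of this PR, of pre-commit, or of any of the pinned projects. It parses `rev:` lines with a regex (no YAML dependency; quoted revs are not handled), accepts both the hand-written `# vX` and pre-commit's `# frozen: vX` comment styles, and resolves each commented tag with `git ls-remote --tags`. The sample config and the tag table are constructed here from entries in the diff above, with the resolver injected so the same logic runs offline; `SAMPLE_TAGS`, `lookup_sample` and the wording of the findings are this example's own.

```python
"""Audit .pre-commit-config.yaml pins: every rev must be a full commit SHA, and the
tag named in its trailing comment must exist and resolve to that same SHA."""
import re
import subprocess
from typing import Callable, Dict, List, Optional, Tuple

# The two lines of a repo block that matter for pinning.
REPO_RE = re.compile(r"^\s*-\s*repo:\s*(\S+)")
# rev: <ref>   # optional comment, either "# v1.2.3" or pre-commit's "# frozen: v1.2.3"
REV_RE = re.compile(r"^\s*rev:\s*(\S+)(?:\s*#\s*(?:frozen:\s*)?(\S+))?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample (not the PR's actual file): one consistent pin, one tag-only
# rev, and one SHA pin whose comment names a tag the resolver cannot find.
SAMPLE_CONFIG = """\
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: 86ee5ea442ee969842e00913c6b76c060a7aa8ef  # frozen: v1.16.3
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v6.0.0
  - repo: https://github.com/gitleaks/gitleaks
    rev: 6eaad039603a4de39fddd1cf5f727391efe9974e  # v8.30.0
"""

# Constructed (repo, tag) -> commit table standing in for `git ls-remote` offline.
SAMPLE_TAGS: Dict[Tuple[str, str], str] = {
    ("https://github.com/zizmorcore/zizmor-pre-commit", "v1.16.3"):
        "86ee5ea442ee969842e00913c6b76c060a7aa8ef",
}


def parse_pins(config_text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (repo_url, rev, tag_from_comment) for every repo block, in file order."""
    pins: List[Tuple[str, str, Optional[str]]] = []
    repo: Optional[str] = None
    for line in config_text.splitlines():
        m = REPO_RE.match(line)
        if m:
            repo = m.group(1)
            continue
        m = REV_RE.match(line)
        if m and repo is not None:
            pins.append((repo, m.group(1), m.group(2)))
            repo = None  # one rev per repo block
    return pins


def git_tag_sha(repo: str, tag: str) -> Optional[str]:
    """Resolve a tag to its commit with `git ls-remote --tags` (needs network).

    An annotated tag is listed twice: the tag object on refs/tags/<tag> and the
    commit it points to on refs/tags/<tag>^{}. pre-commit records the commit, so
    the peeled entry wins when present; a lightweight tag only has the first line.
    """
    proc = subprocess.run(["git", "ls-remote", "--tags", repo, tag],
                          capture_output=True, text=True, check=True)
    refs: Dict[str, str] = {}
    for line in proc.stdout.splitlines():
        sha, ref = line.split(maxsplit=1)
        refs[ref.strip()] = sha
    return refs.get(f"refs/tags/{tag}^{{}}") or refs.get(f"refs/tags/{tag}")


def lookup_sample(repo: str, tag: str) -> Optional[str]:
    """Offline resolver over the constructed SAMPLE_TAGS table."""
    return SAMPLE_TAGS.get((repo, tag))


def audit_pins(config_text: str,
               resolve: Callable[[str, str], Optional[str]] = git_tag_sha) -> List[str]:
    """One finding per defective pin; an empty list means every rev is a full SHA
    whose comment names an existing tag that resolves to exactly that SHA."""
    findings: List[str] = []
    for repo, rev, tag in parse_pins(config_text):
        if not FULL_SHA_RE.match(rev):
            findings.append(f"{repo}: rev {rev} is a mutable ref, not a 40-hex commit SHA")
            continue
        if tag is None:
            findings.append(f"{repo}: SHA pin {rev[:12]} has no tag comment to audit against")
            continue
        actual = resolve(repo, tag)
        if actual is None:
            findings.append(f"{repo}: comment names tag {tag}, which does not exist")
        elif actual != rev:
            findings.append(f"{repo}: rev {rev[:12]} is not {tag} (that tag is {actual[:12]})")
    return findings


if __name__ == "__main__":
    import sys
    # With a path argument, audit a real config against the real repos over the
    # network; with no argument, run the offline demo over the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            problems = audit_pins(fh.read())
    else:
        problems = audit_pins(SAMPLE_CONFIG, lookup_sample)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it as `python audit_pins.py .pre-commit-config.yaml` in CI next to `pre-commit run`; a non-zero exit means a rev is still a tag or a comment lies about its SHA. Once the pins are regenerated with `pre-commit autoupdate --freeze` the `# frozen:` comments are accepted by the same regex.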