Downgrade kics real time to version v2.1.3 instead of latest (#1020)

* Downgrade kics real time to version v2.1.3 instead of latest * try fix trivy vuls * try fix trivy vuls * add unknown severity * Do not notify id pre release --------- Co-authored-by: AlvoBen <alvo@post.bgu.ac.il>
Checkmarx · Jan 26, 2025 · 0df0c85 · 0df0c85
1 parent 1a46a87
commit 0df0c85
Show file tree

Hide file tree

Showing 5 changed files with 4 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -171,7 +171,6 @@ jobs:
           ignore-unfixed: true
           vuln-type: 'os,library'
           output: './trivy-image-results.txt'
-          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
         env:
           TRIVY_SKIP_DB_UPDATE: true
           TRIVY_SKIP_JAVA_DB_UPDATE: true

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -138,6 +138,7 @@ jobs:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
   notify:
+    if: inputs.dev == false
     needs: build
     uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
     with:

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM checkmarx/bash:5.2.37-r2
+FROM checkmarx/bash:5.2.37-r2-ef73fbf0f86d3b@sha256:ef73fbf0f86d3b0f1b9d0af383939a482f9ec0b0227fc5a330c70753f2e1da75
 USER nonroot
 
 COPY cx /app/bin/cx

diff --git a/internal/commands/scan.go b/internal/commands/scan.go
@@ -60,7 +60,7 @@ const (
 	containerVolumeFlag             = "-v"
 	containerNameFlag               = "--name"
 	containerRemove                 = "--rm"
-	containerImage                  = "checkmarx/kics:latest"
+	containerImage                  = "checkmarx/kics:v2.1.3"
 	containerScan                   = "scan"
 	containerScanPathFlag           = "-p"
 	containerScanPath               = "/path"

diff --git a/internal/commands/util/remediation.go b/internal/commands/util/remediation.go
@@ -27,7 +27,7 @@ const (
 	filesContainerVolume      = ":/files"
 	resultsContainerLocation  = "/kics/"
 	containerRemove           = "--rm"
-	containerImage            = "checkmarx/kics:latest"
+	containerImage            = "checkmarx/kics:v2.1.3"
 	containerNameFlag         = "--name"
 	remediateCommand          = "remediate"
 	resultsFlag               = "--results"