fix broken references in actions

.github/workflows/build.yaml

@@ -30,19 +30,19 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
         with:
           token: ${{ secrets.PAT }}
-      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v3
+      - uses: actions/setup-node@v3
         with:
           # needed for terraform-setup https://github.com/hashicorp/setup-terraform/issues/84
           node-version: '16'
       - name: Install Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.19
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1  # v2
+        uses: hashicorp/setup-terraform@v2
         with:
           terraform_version: 0.14.5
       - name: Terraform Init
@@ -57,11 +57,11 @@ jobs:
           go build -v && go test ./src/... -covermode=count -coverprofile=coverage.out
           go tool cover -func=coverage.out -o=coverage.out
       - name: Go Coverage Badge  # Pass the `coverage.out` output to this action
-        uses: tj-actions/coverage-badge-go@7f447a2281e6c95d57526e53b2e800dfb3c07425  # v2
+        uses: tj-actions/coverage-badge-go@v2
         with:
           filename: coverage.out
       - name: Verify Changed files
-        uses: tj-actions/verify-changed-files@7f1b21ceb7ef533b97b46e89e2f882ee5cb17ae0  # v16
+        uses: tj-actions/verify-changed-files@v16
         id: verify-changed-files
         with:
           files: README.md
@@ -86,25 +86,25 @@ jobs:
       pull-requests: write
     steps:
       - name: Check out code into the Go module directory
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+        uses: actions/checkout@v3
       - name: golangci-lint
-        uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b  # v2
+        uses: reviewdog/action-golangci-lint@v2
         with:
           tool_name: golangci-lint
           fail_on_error: true
           golangci_lint_flags: "--skip-dirs tests/yor_plugins"
   integration-tests:
     runs-on: [self-hosted, public, linux, x64]
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
       - name: Install Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.19
       - name: build
         run: go build
       - name: Clone Terragoat - vulnerable terraform
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+        uses: actions/checkout@v3
         with:
           repository: bridgecrewio/terragoat  # clone https://github.com/bridgecrewio/terragoat/
           fetch-depth: 0
@@ -130,25 +130,25 @@ jobs:
     steps:
       - name: Wait for coverage to update
         run: sleep 10s
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
         with:
           ref: main
       - name: version
-        uses: anothrNick/github-tag-action@a2c70ae13a881faf2b4953baaa9e49731997ab36  # v1
+        uses: anothrNick/github-tag-action@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           WITH_V: false
           RELEASE_BRANCHES: main
           DEFAULT_BUMP: patch
         id: version
       - name: Install Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v4
+        uses: actions/setup-go@v5
         with:
           go-version: 1.19
       - name: Git Fetch Repo
         run: |
           git fetch
-      - uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b  # v4
+      - uses: goreleaser/goreleaser-action@v4
         name: goreleaser
         with:
           version: latest
@@ -162,17 +162,17 @@ jobs:
     needs:
       - create-release
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
       - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@d0321869e187cfd3124343ea2b39b1db31f89685  # v5
+        uses: elgohr/Publish-Docker-Github-Action@v5
         with:
           name: bridgecrew/yor
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
           buildoptions: "--no-cache"
           tags: "latest,${{ needs.create-release.outputs.version }}"
       - name: Update Docker Hub README
-        uses: peter-evans/dockerhub-description@dc67fad7001ef9e8e3c124cb7a64e16d0a63d864  # v3
+        uses: peter-evans/dockerhub-description@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}

.github/workflows/codeql-analysis.yml

@@ -34,17 +34,17 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+        uses: actions/checkout@v3
       - name: Set up Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v4
+        uses: actions/setup-go@v5
         with:
           go-version: '1.19' # To match codeql go version
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d  # v2
+        uses: github/codeql-action/init@v2
         with:
           languages: go
           config-file: ./.github/codeql-config.yml
       - name: Build
         run: go build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d  # v2
+        uses: github/codeql-action/analyze@v2

.github/workflows/govulncheck.yml

@@ -0,0 +1,63 @@
+name: govulncheck
+
+# Runs Go's official vulnerability scanner against the codebase + stdlib.
+# Findings are uploaded as a SARIF artifact and surfaced under the GitHub
+# "Security" tab. The job is intentionally non-blocking (`continue-on-error`)
+# so that the pre-existing, intentionally-deferred dependency CVEs documented
+# in SECURITY.md do not break CI. Stdlib regressions become visible the moment
+# they are reported by the scanner.
+
+on:
+  pull_request:
+    branches:
+      - main
+  push:
+    branches:
+      - main
+  schedule:
+    # Re-scan weekly so newly-published CVEs against pinned versions are surfaced.
+    - cron: '0 6 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  govulncheck:
+    name: govulncheck
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          # Must contain the patches we are validating against; keep in sync
+          # with .go-version and the rest of the CI matrix.
+          go-version-file: '.go-version'
+
+      - name: Install govulncheck
+        run: go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: Run govulncheck (text report)
+        run: govulncheck ./... || true
+
+      - name: Run govulncheck (SARIF report)
+        run: |
+          govulncheck -format sarif ./... > govulncheck.sarif || true
+
+      - name: Upload SARIF to GitHub code-scanning
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: govulncheck.sarif
+          category: govulncheck
+
+      - name: Upload raw report as artifact
+        uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: govulncheck-report
+          path: govulncheck.sarif
+          retention-days: 30

.github/workflows/security-shared.yml

@@ -16,27 +16,27 @@ jobs:
     env:
       GO111MODULE: on
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Run Gosec Security Scanner
-        uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a  # v2
+        uses: securego/gosec@v2
         with:
           args: './...'
   trufflehog-secrets:
     runs-on: [self-hosted, public, linux, x64]
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: detect secrets
-        uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc  # v0.9
+        uses: edplato/trufflehog-actions-scan@v0
         with:
           scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
   checkov-secrets:
     runs-on: [self-hosted, public, linux, x64]
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Scan for secrets

.github/workflows/test.yaml

@@ -15,9 +15,9 @@ jobs:
         go: [ 1.19 ]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
       - name: Install Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
       - name: Prepare external plugin tests
@@ -36,9 +36,9 @@ jobs:
     steps:
       - name: print hostname
         run: hostname
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
       - name: golangci-lint
-        uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b  # v2
+        uses: reviewdog/action-golangci-lint@v2
         with:
           tool_name: golangci-lint
           fail_on_error: true
@@ -50,15 +50,15 @@ jobs:
         go: [ 1.19 ]
     runs-on: [self-hosted, public, linux, x64]
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+      - uses: actions/checkout@v3
       - name: Install Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491  # v4
+        uses: actions/setup-go@v5
         with:
           go-version: ${{ matrix.go }}
       - name: build
         run: go build
       - name: Clone Terragoat - vulnerable terraform
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v3
+        uses: actions/checkout@v3
         with:
           repository: bridgecrewio/terragoat  # clone https://github.com/bridgecrewio/terragoat/
           fetch-depth: 0