From 1f0dc127e5358fe0dc50042bcb39c84f3f326575 Mon Sep 17 00:00:00 2001
From: Sunny Sethi
Date: Tue, 26 May 2026 14:28:41 +0530
Subject: [PATCH] fix(security): pin Semgrep CI container image by SHA digest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

F-004 / DEVA11Y-476 — The Semgrep workflow used an unpinned image tag (CWE-829), enabling tag-poisoning attacks. Pin to SHA256 digest.

This is the chain-breaker for C-001 (DEVA11Y-485, CVSS 10.0).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/Semgrep.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/Semgrep.yml b/.github/workflows/Semgrep.yml
index 5398af9..a5a7a59 100644
--- a/.github/workflows/Semgrep.yml
+++ b/.github/workflows/Semgrep.yml
@@ -26,8 +26,9 @@ jobs:
 runs-on: ubuntu-latest
 container:
- # A Docker image with Semgrep installed. Do not change this.
- image: returntocorp/semgrep
+ # Pinned by digest for supply-chain integrity (DEVA11Y-476).
+ # To update: docker manifest inspect returntocorp/semgrep:latest
+ image: returntocorp/semgrep@sha256:f682953ce85e3725f4a4dd94bd7ad13e570bb6b2c7a8cf7c6e38a9eac89239b2
 # Skip any PR created by dependabot to avoid permission issues:
 if: (github.actor != 'dependabot[bot]')
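Review bot: The new `image:` line pins a digest but neither comment records which Semgrep version that digest resolves to, so the pin is opaque to reviewers and the "To update" recipe (`docker manifest inspect returntocorp/semgrep:latest`) prints a manifest body rather than the repo digest and re-derives the pin from a mutable `latest` tag, which defeats the traceability the commit is after. Record the version next to the digest and point the update note at a command that prints the digest for a specific tag, e.g. `# returntocorp/semgrep:<tag> — pinned by digest (DEVA11Y-476); bump digest and tag together` and `# To update: docker pull returntocorp/semgrep:<tag> && docker inspect --format '{{index .RepoDigests 0}}' returntocorp/semgrep:<tag>`. Note also that the unchanged `if: (github.actor != 'dependabot[bot]')` line skips this job on Dependabot PRs, so if Dependabot is what bumps the digest, the new image is never exercised by this workflow before merge; consider whether that exclusion should stay. Digest pinning only guarantees you get the bytes you pinned, not that they came from the Semgrep maintainers — if upstream signs its images, a cosign verification step would close that gap, but I can't tell from this hunk whether one exists elsewhere in the workflow. The enclosing `jobs:` block starts before this hunk and continues past it.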