Merge pull request #310 from jenkinsci/miryamFoifer/IACFixes

Fix Iac Vulnerabilities(AST-47970)

.github/workflows/ast-scan.yml

@@ -9,10 +9,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Checkmarx AST CLI Action
-        uses: checkmarx/ast-github-action@main
+        uses: checkmarx/ast-github-action@0b99738bf8a3c684087db9dccebb8114e90fa191 # main
         with:
           base_uri: ${{ secrets.BASE_URI }}
           cx_tenant: ${{ secrets.TENANT }}
           cx_client_id: ${{ secrets.CLIENT_ID }}
           cx_client_secret: ${{ secrets.CLIENT_SECRET }}
-          additional_params: --tags phoenix --threshold "sast-high=1;sca-high=1;sca-medium=1;sca-low=1"
+          additional_params: --tags phoenix --threshold "sast-high=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"

.github/workflows/cd.yml

@@ -50,7 +50,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           output_result: true
       - name: Release Drafter
-        uses: release-drafter/release-drafter@v6
+        uses: release-drafter/release-drafter@3f0f87098bd6b5c5b9a36d49c41d998ea58f9348 #v6
         if: steps.verify-ci-status.outputs.result == 'success' && inputs.dev == false && inputs.tag != 'nightly'
         with:
           name: next

.github/workflows/dependabot-auto-merge.yml

@@ -20,6 +20,6 @@ jobs:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN }}
         run: gh pr merge --auto --merge "$PR_URL"
       - name: Auto approve dependabot PRs
-        uses: hmarr/auto-approve-action@v4
+        uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 # v4
         with:
           github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}