From 5f7bf4489ae422ceafcdf5389255afae753a3109 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 11 Jan 2024 16:19:14 +0000
Subject: [PATCH 1/2] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/codeql.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 26f950b142..627c139e47 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -101,7 +101,7 @@ jobs:
 output: sarif-results
 - name: filter-sarif
- uses: advanced-security/filter-sarif@v1
+ uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
 with:
 # filter out all dependencies of map
 patterns: |
@@ -110,7 +110,7 @@ jobs:
 output: sarif-results/${{ matrix.language }}.sarif
 - name: Upload SARIF
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@8b7fcbfac2aae0e6c24d9f9ebd5830b1290b18e4 # v2.23.0
 with:
 sarif_file: sarif-results/${{ matrix.language }}.sarif
From 13243351eb469eed9484d936ff74d99f826a7f96 Mon Sep 17 00:00:00 2001
From: berndgassmann
Date: Thu, 11 Jan 2024 17:20:15 +0100
Subject: [PATCH 2/2] Fix filtering SARIF
---
 .github/workflows/codeql.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 627c139e47..cdcd8b20f8 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -105,7 +105,7 @@ jobs:
 with:
 # filter out all dependencies of map
 patterns: |
- -dependencies/map/dependencies/*
+ -dependencies/map/dependencies/**/*
 input: sarif-results/${{ matrix.language }}.sarif
 output: sarif-results/${{ matrix.language }}.sarif
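Review bot: The trailing `# v1.0.1` and `# v2.23.0` comments on the two new `uses:` lines (this hunk and the `@@ -110,7 +110,7 @@` hunk) are the only link between the pinned commit and a release, and nothing in the workflow keeps them in sync, so a reviewer should confirm each SHA is the commit the named tag resolves to before merging and a Dependabot `github-actions` ecosystem entry is the usual way to keep pin and comment moving together. The diffstat shows only these two steps changed; the `output: sarif-results` context line implies an earlier codeql-action step that produces that directory, and if it and any checkout step are still on a floating tag the hardening is partial and `upload-sarif` can drift to a different codeql-action release than the analyze step — this is inferred, those lines are outside the hunk. The `jobs:` block containing both steps begins outside the hunk.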
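Review bot: The new pattern `-dependencies/map/dependencies/**/*` only keeps the old behaviour for files directly under `dependencies/map/dependencies/` if the action's matcher treats `**` as zero-or-more directories; if it requires at least one, results from those top-level files — which the removed `*` line did exclude — would reappear in the filtered SARIF. Confirm this against the pattern semantics of the pinned filter-sarif `v1.0.1`, or use `-dependencies/map/dependencies/**`, which under common globstar rules covers both depths. Because this pattern silently removes code-scanning findings, the comment above it should state the reason rather than restate the pattern, e.g. `# exclude findings in dependency code under dependencies/map/dependencies; they are not maintained in this repository`, so the suppression is auditable. The `filter-sarif` step header and the `jobs:` block start outside the hunk.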