Update Semgrep workflow to use a specific image digest for enhanced security and consistency in CI scans. This change ensures that the same version of Semgrep is used across different runs, improving reliability in the scanning process.

Author: SeeWhatsOn

.github/workflows/semgrep.yml

@@ -36,14 +36,14 @@ jobs:
               -e SEMGREP_APP_TOKEN \
               -v "$PWD:/src" \
               -w /src \
-              semgrep/semgrep:latest \
+              semgrep/semgrep@sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48 \
               semgrep ci --sarif --sarif-output=reports/semgrep.sarif --no-suppress-errors
           else
             echo "SEMGREP_APP_TOKEN not set; running semgrep scan with p/ci rules"
             docker run --rm \
               -v "$PWD:/src" \
               -w /src \
-              semgrep/semgrep:latest \
+              semgrep/semgrep@sha256:326e5f41cc972bb423b764a14febbb62bbad29ee1c01820805d077dd868fea48 \
               semgrep scan --config p/ci --sarif --sarif-output=reports/semgrep.sarif --error
           fi
         env: