shellcheck_run_steps: Pin upstream shellcheck container by SHA

dannf · dannf · commit 1d2870ba13c4 · 2025-07-30T22:35:53.000-06:00
We're using an upstream container until we have a guarded one. Let's
pin it by SHA while we're doing that.

Signed-off-by: dann frazier &lt;dann.frazier@chainguard.dev&gt;
diff --git a/pre_commit_hooks/shellcheck_run_steps.py b/pre_commit_hooks/shellcheck_run_steps.py
@@ -13,6 +13,9 @@
 
 yaml = ruamel.yaml.YAML(typ="safe")
 
+# Reference by SHA for safety
+DefaultShellCheckImage = "koalaman/shellcheck@sha256:652a5a714dc2f5f97e36f565d4f7d2322fea376734f3ec1b04ed54ce2a0b124f"
+
 
 def do_shellcheck(
     melange_cfg: Mapping[str, Any],
@@ -79,7 +82,7 @@ def main(argv: Sequence[str] | None = None) -> int:
             f"--volume={os.getcwd()}:/mnt",
             "--rm",
             "-it",
-            "koalaman/shellcheck:latest",
+            DefaultShellCheckImage,
         ],
         nargs="*",
         help="shellcheck command",
