From 0fd8744d800be6cd032aeb2616deb8ab3e54867f Mon Sep 17 00:00:00 2001
From: Borislav Grigorov <11405770+bsgrigorov@users.noreply.github.com>
Date: Wed, 22 Apr 2026 21:33:55 -0700
Subject: [PATCH] ci: pin KICS and wolfi-base by digest, fix config_path arg

- Multistage FROM uses checkmarx/kics:v2.1.20@sha256 and cgr.dev/chainguard/wolfi-base@sha256 (wolfi has no semver tag; digest only)
- runs.args: use inputs.config_path (matches declared input)

Made-with: Cursor
---
 Dockerfile | 16 ++++++++--------
 action.yml | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 52117f4..37c32a6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,13 @@
-FROM checkmarx/kics:v2.1.20 as kics-env
-
-FROM cgr.dev/chainguard/wolfi-base:latest
-
+FROM docker.io/checkmarx/kics:v2.1.20@sha256:3e5a268eb8adda2e5a483c9359ddfc4cd520ab856a7076dc0b1d8784a37e2602 AS kics-env
+
+FROM cgr.dev/chainguard/wolfi-base@sha256:70750dfde91b4c5804b4df269121253fbdff73a9122925c7acc067aa33f9f55e
+
 COPY --from=kics-env /app /app
-
+
 COPY ./entrypoint.sh /entrypoint.sh
-
+
 RUN chmod +x /entrypoint.sh
-
+
 COPY ./ /app
-
+
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/action.yml b/action.yml
index 58b0223..d471909 100644
--- a/action.yml
+++ b/action.yml
@@ -125,7 +125,7 @@ runs:
 - ${{ inputs.fail_on }}
 - ${{ inputs.timeout }}
 - ${{ inputs.profiling }}
- - ${{ inputs.config }}
+ - ${{ inputs.config_path }}
 - ${{ inputs.platform_type }}
 - ${{ inputs.exclude_paths }}
 - ${{ inputs.exclude_queries }}
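Review bot: The second `FROM` in the Dockerfile hunk now carries only a bare digest, so nothing in the file records which wolfi-base build it is or when it was resolved, and a rolling base pinned this way stops picking up package fixes until someone bumps it by hand. I would add a comment above that line, for example `# wolfi-base has no version tags; digest resolved <DATE>, bumped by the digest updater`, and confirm that an automated digest updater covers this Dockerfile, since none is visible in this patch. It is also worth checking that both digests refer to multi-arch image indexes rather than single-platform manifests, because a platform manifest digest would silently pin the architecture as well. On the KICS line the `v2.1.20` tag is informational once `@sha256:` is present, so a future bump has to change the tag and the digest together.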