From 4233f7ff8e894f381ceb3d60496b9806535ca07c Mon Sep 17 00:00:00 2001
From: Guy Owen <guy.owen@dpc.vic.gov.au>
Date: Tue, 10 Sep 2024 14:33:03 +1000
Subject: [PATCH] [291] Added checkout to reference sha and commit.

---
 .github/workflows/vulnerability-scan.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 362465be..54f440f1 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -41,6 +41,11 @@ jobs:
     strategy:
       matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
     steps:
+      - name: checkout
+        id: checkout
+        uses: actions/checkout@main
+        with:
+          ref: ${{ github.event.inputs.tag }}
       - name: Scan for vulnerabilities
         id: scan
         uses: crazy-max/ghaction-container-scan@v3
@@ -52,4 +57,5 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
-          ref: ${{ github.event.inputs.tag }}
+          ref: ${{ steps.checkout.outputs.ref }}
+          sha: ${{ steps.checkout.outputs.commit }}