Describe the bug
Here’s a scanning alert: https://github.com/jenstroeger/python-package-template/security/code-scanning/38
It suggests using pip with a hash instead of a pinned version. Alas, pip install does not have such a feature. While I understand the intention of the alert, we have good reason to pin instead of using a hash (doesn’t work) or a lock file/requirements.txt (too much clutter).
Expected behavior
No alert, or at least a better message.
Additional context
I’m tempted to say that this alert is a false positive; probably not, in which case the messaging ought to be clarified.
In your use case, the workflow has low privilege (pull_request trigger with only read permissions, no secrets available), so I agree scorecard should be handling this better. We have a tracking issue in #2018
Please let me know if this would address the problem.
@raghavkaul this would fall under the Impact field we described in #1874