Bug fixes and Salesforce tickets resolution(AST-146432)

.github/workflows/ci-tests.yml

@@ -133,7 +133,7 @@ jobs:
       - run: go version
       - run: go mod tidy
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 #v9.2.0
+        uses: step-security/golangci-lint-action@1797facf9ea427614d729a4e9cab0fae1a7852d9 # v9.2.0
         with:
           skip-pkg-cache: true
           version: v2.11.3

.github/workflows/dependabot-auto-merge.yml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - name: Dependabot metadata
         id: metadata
-        uses: dependabot/fetch-metadata@bfac3fa29cc6834ca2e3fd659343da191a65d971 # v1.3.1
+        uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0
         with:
           github-token: "${{ secrets.GH_TOKEN }}"
       - name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
           GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
         run: gh pr merge --auto --merge "$PR_URL"
       - name: Auto approve dependabot PRs
-        uses: hmarr/auto-approve-action@7782c7e2bdf62b4d79bdcded8332808fd2f179cd #v2
+        uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0
         with:
           github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

.github/workflows/release.yml

@@ -40,6 +40,11 @@ jobs:
       COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
       COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
     steps:
+      - name: Install Harden Runner
+        uses: checkmarx/harden-runner-action@9af89fc71515a100421586dfdb3dc9c984fbf411 #v2.19.4
+        with:
+          use-policy-store: true
+          api-key: ${{ secrets.STEP_SECURITY_API_KEY }}
       - name: Checkout
         uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
         with:
@@ -81,14 +86,14 @@ jobs:
           docker info
       - name: Login to Docker Hub
         if: inputs.dev == false
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
+        uses: step-security/docker-login-action@870af644803bf9f204aed474adbad2958fec048b # v4.1.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Install Cosign
         if: inputs.dev == false
-        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 #v3.2.0
+        uses: step-security/cosign-installer@8c02650536457a1c912424ab6cb9734aa3eceb56 # v4.1.1
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 #v2
@@ -115,7 +120,7 @@ jobs:
       - name: Echo GoReleaser Args
         run: echo ${{ env.GR_ARGS }}
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 #v3
+        uses: step-security/goreleaser-action@1472c46ac6e641f2b929f1a893354288b3a6b6b6 # v7.2.1
         with:
           version: v1.18.2
           args: ${{ env.GR_ARGS }}
@@ -159,10 +164,8 @@ jobs:
 
           if [ "${{ inputs.dev }}" = "true" ]; then
             gh release create "${common[@]}" --prerelease
-            gh release edit   "${{ inputs.tag }}" --draft=false
           else
             gh release create "${common[@]}"
-            gh release edit   "${{ inputs.tag }}" --draft=false --latest
           fi
 
       - name: Cleanup draft release on failure

Dockerfile

@@ -1,4 +1,4 @@
-FROM checkmarx/bash:5.3-r12-0e56cb6e000601@sha256:0e56cb6e000601d35ed11ddcc973ca268c431a176be53cdc31bc85f3208dc44a
+FROM checkmarx/bash:5.3-r12-f48dd8a45af577@sha256:f48dd8a45af5771e98cb5d56d204ada0e0dc045093ca3272b4c3dbe3f85e6e4f
 USER nonroot
 
 COPY cx /app/bin/cx

README.md

@@ -119,7 +119,7 @@ Checkmarx One Integrations Team
 
 Project Link: [https://github.com/Checkmarx/ast-cli](https://github.com/Checkmarx/ast-cli).
 
-© 2025 Checkmarx Ltd. All Rights Reserved.
+© 2026 Checkmarx Ltd. All Rights Reserved.
 
 
 [docker-shield]: https://img.shields.io/docker/pulls/checkmarx/ast-cli

cmd/main.go

@@ -9,6 +9,7 @@ import (
 	"syscall"
 
 	"github.com/checkmarx/ast-cli/internal/commands"
+	"github.com/checkmarx/ast-cli/internal/kicsshutdown"
 	"github.com/checkmarx/ast-cli/internal/logger"
 	"github.com/checkmarx/ast-cli/internal/params"
 	"github.com/checkmarx/ast-cli/internal/wrappers"
@@ -191,10 +192,6 @@ func exitListener() {
 }
 
 func signalHandler(signalChanel chan os.Signal) {
-	kicsRunArgs := []string{
-		killCommand,
-		viper.GetString(params.KicsContainerNameKey),
-	}
 	for {
 		s := <-signalChanel
 		switch s {
@@ -204,7 +201,12 @@ func signalHandler(signalChanel chan os.Signal) {
 				os.Exit(failureExitCode)
 			}
 			logger.PrintIfVerbose(string(out))
-			if strings.Contains(string(out), viper.GetString(params.KicsContainerNameKey)) {
+			kicsContainerName := kicsshutdown.GetKicsContainerName()
+			if kicsContainerName != "" && strings.Contains(string(out), kicsContainerName) {
+				kicsRunArgs := []string{
+					killCommand,
+					kicsContainerName,
+				}
 				out, err = exec.Command("docker", kicsRunArgs...).CombinedOutput()
 				logger.PrintIfVerbose(string(out))
 				if err != nil {