[StepSecurity] Apply security best practices

[stepsecurity-app]

Summary

This pull request has been generated by StepSecurity as part of your enterprise subscription to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements.

Security Fixes

Pinned Dependencies

Pinning GitHub Actions to specific versions or commit SHAs ensures that your workflows remain consistent and secure.
Unpinned actions can lead to unexpected changes or vulnerabilities caused by upstream updates.

• GitHub Security Guide
• The Open Source Security Foundation (OpenSSF) Security Guide

StepSecurity Maintained Actions

Risky GitHub Actions can expose your project to potential security risks. Risky actions have been replaced with StepSecurity maintained actions, that are secure drop-in replacements.

• StepSecurity Maintained Actions

Feedback

For bug reports, feature requests, and general feedback; please create an issue in step-security/secure-repo or contact us via our website.

[cx-shaked-karta]

Checkmarx One – Scan Summary & Details – 356f98ad-a3dc-4c84-b171-1b90e064f7b4

---

New Issues (8)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-39832	Go-golang.org/x/crypto-v0.45.0	details Description: When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destinat... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		CVE-2026-39834	Go-golang.org/x/crypto-v0.45.0	details Description: When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3		CVE-2026-42508	Go-golang.org/x/crypto-v0.45.0	details Description: Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are che... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2026-39831	Go-golang.org/x/crypto-v0.45.0	details Recommended version: v0.51.0 Description: The "Verify()" method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Prese... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5		CVE-2026-46597	Go-golang.org/x/crypto-v0.45.0	details Description: An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. This vulnerabilit... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-39827	Go-golang.org/x/crypto-v0.45.0	details Recommended version: v0.51.0 Description: An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-39828	Go-golang.org/x/crypto-v0.45.0	details Recommended version: v0.51.0 Description: When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potent... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2026-39833	Go-golang.org/x/crypto-v0.45.0	details Recommended version: v0.51.0 Description: The in-memory keyring returned by "NewKeyring()" silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would s... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR