mobb-dev · jonathansantilli · Apr 8, 2026 · Mar 25, 2026
diff --git a/action.yml b/action.yml
@@ -24,116 +24,125 @@ outputs:
 runs:
   using: "composite"
   steps:
-    - uses: actions/setup-node@v3.6.0
+    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: 18
 
-    # This step extracts the Head SHA and stores it in the 'head-sha' variable                
-    - id: env 
+    - id: env
       name: Set Up Environment
       run: |
-
-        OUT=$(curl --header 'authorization: Bearer ${{ inputs.github-token }}' -s ${{github.event.issue.pull_request.url }} | jq -r '.head.sha')
-        echo $OUT
-        echo "head-sha=$OUT" >> $GITHUB_OUTPUT
-        RUN_PATH=$GITHUB_SERVER_URL"/"$GITHUB_REPOSITORY"/actions/runs/"$GITHUB_RUN_ID
-        echo RUN_PATH: $RUN_PATH
-        echo "action-run-path=$RUN_PATH" >> $GITHUB_OUTPUT
+        OUT=$(curl --header "authorization: Bearer $GH_TOKEN" -s "$PR_API_URL" | jq -r '.head.sha')
+        echo "$OUT"
+        echo "head-sha=$OUT" >> "$GITHUB_OUTPUT"
+        RUN_PATH="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+        echo "RUN_PATH: $RUN_PATH"
+        echo "action-run-path=$RUN_PATH" >> "$GITHUB_OUTPUT"
 
-        #Getting the head-ref
-        GITHUB_HEAD_REF=$(curl --header 'authorization: Bearer ${{ inputs.github-token }}' -s ${{github.event.issue.pull_request.url }} | jq -r '.head.ref')
-        echo "github-head-ref=$GITHUB_HEAD_REF" >> $GITHUB_OUTPUT
-      shell: bash -l {0}
+        # Getting the head-ref
+        GITHUB_HEAD_REF=$(curl --header "authorization: Bearer $GH_TOKEN" -s "$PR_API_URL" | jq -r '.head.ref')
+        echo "github-head-ref=$GITHUB_HEAD_REF" >> "$GITHUB_OUTPUT"
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        PR_API_URL: ${{ github.event.issue.pull_request.url }}
 
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
       with:
         ref: ${{ steps.env.outputs.github-head-ref }}
 
-
     # Displays status in the PR that this action is in 'pending' status
-    - uses: guibranco/github-status-action-v2@v1.1.13
+    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Analysis"
         state: "pending"
         target_url: ${{ steps.env.outputs.action-run-path }}
         sha: ${{steps.env.outputs.head-sha}}
-        description: "Mobb fix analysis in progress..." 
+        description: "Mobb fix analysis in progress..."
 
     # Extract the scan ID from the Checkmarx comment and use it to generate a Checkmarx json report
     - name: Get Checkmarx Report
       run: |
-        SCAN_ID=$(echo "$COMMENT" | sed -n 's/.*scans?id=\([^&]*\).*/\1/p' | head -n 1 )
+        SCAN_ID=$(echo "$COMMENT" | sed -n 's/.*scans?id=\([^&]*\).*/\1/p' | head -n 1)
         echo "Scan_ID: $SCAN_ID"
         wget https://github.com/Checkmarx/ast-cli/releases/download/2.1.4/ast-cli_linux_x64.tar.gz -O checkmarx.tar.gz
         tar -xf checkmarx.tar.gz
-        ./cx configure set --prop-name cx_apikey --prop-value ${{ inputs.cx-api-token }}
-        ./cx results show --output-name report --report-format json --scan-id $SCAN_ID --timeout ${{ inputs.cx-timeout }} --debug 
+        ./cx configure set --prop-name cx_apikey --prop-value "$CX_API_TOKEN"
+        ./cx results show --output-name report --report-format json --scan-id "$SCAN_ID" --timeout "$CX_TIMEOUT" --debug
         ls -l
-        env
+      shell: bash
       env:
         COMMENT: ${{ github.event.comment.body }}
-      shell: bash -l {0}
-
+        CX_API_TOKEN: ${{ inputs.cx-api-token }}
+        CX_TIMEOUT: ${{ inputs.cx-timeout }}
+
     - id: run-npx-mobb-dev
       name: Mobb - Generate Autofix
       run: |
         REPO=$(git remote get-url origin)
         REPO=${REPO%".git"}
-        SCANNER=checkmarx
-        PR_NUMBER=${{ github.event.issue.number }}
-        GITHUB_HEAD_REF=${{ steps.env.outputs.github-head-ref }}
-        COMMIT_HASH=$(git rev-parse $GITHUB_HEAD_REF) 
-        echo REPO: $REPO
-        echo GITHUB_HEAD_REF: $GITHUB_HEAD_REF
-        echo GITHUB_SHA: $GITHUB_SHA
-        echo COMMIT_HASH: $COMMIT_HASH
-        echo PR_NUMBER: $PR_NUMBER
-        OUT=$(npx --yes mobbdev@latest review  -r $REPO --ref $GITHUB_HEAD_REF --ch $COMMIT_HASH --api-key ${{ inputs.mobb-api-token }} -f report.json  --pr $PR_NUMBER --github-token ${{ inputs.github-token }} --scanner $SCANNER)
+        COMMIT_HASH=$(git rev-parse "$MOBB_HEAD_REF")
+        echo "REPO: $REPO"
+        echo "GITHUB_HEAD_REF: $MOBB_HEAD_REF"
+        echo "COMMIT_HASH: $COMMIT_HASH"
+        echo "PR_NUMBER: $MOBB_PR_NUMBER"
+
+        MOBB_ARGS=(
+          npx --yes mobbdev@latest review
+          -r "$REPO"
+          --ref "$MOBB_HEAD_REF"
+          --ch "$COMMIT_HASH"
+          --api-key "$MOBB_API_TOKEN"
+          -f report.json
+          --pr "$MOBB_PR_NUMBER"
+          --github-token "$GH_TOKEN"
+          --scanner checkmarx
+        )
+
+        OUT=$("${MOBB_ARGS[@]}")
         RETVAL=$?
         if [ $RETVAL -ne 0 ]; then
           exit $RETVAL
         fi
-        OUT=$(echo $OUT | tr '\n' ' ')
-        echo "fix-report-url=$OUT" >> $GITHUB_OUTPUT
+        OUT=$(echo "$OUT" | tr '\n' ' ')
+        echo "fix-report-url=$OUT" >> "$GITHUB_OUTPUT"
         echo "Mobb URL: $OUT"
-      shell: bash -l {0}
+      shell: bash
+      env:
+        MOBB_HEAD_REF: ${{ steps.env.outputs.github-head-ref }}
+        MOBB_PR_NUMBER: ${{ github.event.issue.number }}
+        MOBB_API_TOKEN: ${{ inputs.mobb-api-token }}
+        GH_TOKEN: ${{ inputs.github-token }}
 
     # Publish the Mobb fix report link in the PR
-    - uses: guibranco/github-status-action-v2@v1.1.13
+    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Report Link"
         state: "success"
         target_url: ${{ steps.run-npx-mobb-dev.outputs.fix-report-url }}
         sha: ${{steps.env.outputs.head-sha}}
-        description: "Click \"Details\" to access the full fix analysis report" 
-
+        description: "Click \"Details\" to access the full fix analysis report"
 
     # Displays status in the PR that this action is in 'complete' status
-    - uses: guibranco/github-status-action-v2@v1.1.13
+    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       if: success()
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Analysis"
         state: "success"
         target_url: ${{ steps.env.outputs.action-run-path }}
         sha: ${{steps.env.outputs.head-sha}}
-        description: "Mobb fix analysis completed. See comment in the PR for results" 
-
+        description: "Mobb fix analysis completed. See comment in the PR for results"
 
     # Displays status in the PR that this action is in 'failure' status
-    - uses: guibranco/github-status-action-v2@v1.1.13
+    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       if: failure()
       with:
         authToken: ${{ inputs.github-token }}
         context: "Mobb Fix Analysis"
         state: "failure"
         target_url: ${{ steps.env.outputs.action-run-path }}
         sha: ${{steps.env.outputs.head-sha}}
-        description: "Mobb fix analysis failed. Click \"Details\" to see console logs" 
-
-
-
-
+        description: "Mobb fix analysis failed. Click \"Details\" to see console logs"