Third-party action not pinned to SHA
====================================

.. list-table::
   :stub-columns: 1
   :widths: 20 80

   * - Rule ID
     - ``untrusted_actions``
   * - Category
     - security
   * - Severity
     - high

A third-party action (not from ``actions/`` or ``github/``) is used without pinning to a full commit SHA. This is a supply-chain attack vector.

Detection
---------

``pattern_matching`` — Regex or keyword matching on string field values.

Examples
--------

**Non-compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: some-org/some-action@v2
         - uses: another/tool@main

**Compliant:**

.. code-block:: yaml

   jobs:
     build:
       steps:
         - uses: some-org/some-action@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
         - uses: another/tool@b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3

**Fix**: Pin third-party actions to a full 40-character commit SHA. Add a comment with the version tag for readability. Use Dependabot (ecosystem: ``github-actions``) to keep SHA pins current.
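The check below is an added illustration of the ``pattern_matching`` detection for this rule, not the scanner's own implementation: it runs a regex over the ``uses:`` fields of a workflow and flags any non-``actions/``/``github/`` reference whose ref is not a 40-character hex SHA. The sample workflow, the first-party prefix list and the handling of local (``./``) and ``docker://`` references are assumptions made for the example.

```python
import re

# Constructed sample workflow: mixes pinned, tag-pinned, branch-pinned and
# short-SHA third-party actions with a first-party and a local action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@v2
      - uses: another/tool@main
      - uses: third/thing@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2  # v3.1.0
      - uses: ./.github/actions/local
      - uses: fourth/short@a1b2c3d
"""

# Assumption: only these two owners are treated as first-party.
FIRST_PARTY_PREFIXES = ("actions/", "github/")
# Capture the value of a `uses:` key, stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)['\"]?", re.MULTILINE)
# A full commit SHA is exactly 40 lowercase hex characters; anything shorter
# (tags, branches, abbreviated SHAs) is mutable or ambiguous and is flagged.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_first_party(repo: str) -> bool:
    return repo.startswith(FIRST_PARTY_PREFIXES)


def find_unpinned_actions(workflow_text: str) -> list:
    """Return a finding (line, uses value, reason) per unpinned third-party action."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        line_no = workflow_text.count("\n", 0, match.start()) + 1
        # Local actions and container images are outside the scope of this rule.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        repo, _, version = ref.partition("@")
        if is_first_party(repo):
            continue
        if version and FULL_SHA_RE.match(version):
            continue
        reason = "missing ref" if not version else "not a full SHA"
        findings.append({"line": line_no, "uses": ref, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {finding['line']}: {finding['uses']} ({finding['reason']})")
```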