# Third-party action not pinned to SHA

| Rule ID | |
|---|---|
| Category | security |
| Severity | high |
A third-party action (any action whose owner is not `actions/` or `github/`) is referenced by a tag or branch instead of a full commit SHA. Tags and branches are mutable: whoever controls the action's repository, or an attacker who compromises it, can move the `v2` tag or push to `main`, and the new code then runs in your workflow with the job's secrets and `GITHUB_TOKEN`. Pinning to a full-length commit SHA makes the referenced code immutable, which is why an unpinned reference is treated as a supply-chain attack vector.
## Detection

pattern_matching — Regex or keyword matching on string field values. Every `uses:` value in the workflow is inspected; references whose owner is `actions/` or `github/`, local actions (`./path`), and Docker images (`docker://...`) are out of scope, and any remaining reference whose version is not a 40-character hex commit SHA is reported.
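The following scanner is an added illustration of that detection logic, written for this page rather than taken from the linter itself. It works on the raw workflow text with a regex (no YAML parser needed), skips local and Docker references, treats `actions/` and `github/` as first-party, and flags any other `uses:` whose version is not a full 40-hex-character SHA, including short SHA prefixes and references with no `@version` at all. The sample workflow is constructed for the demo, and the owner and action names in it are placeholders.

```python
import re

# Matches a `uses:` step reference, with or without a leading list dash
# and with optional quoting; the capture stops at whitespace or a comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'\s#]+)')
# A full-length commit SHA: exactly 40 hex characters. Short prefixes do not count.
FULL_SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')
# Owners treated as first-party and therefore out of scope for this rule.
FIRST_PARTY_OWNERS = {"actions", "github"}


def split_ref(ref):
    """Split `owner/repo[/path]@version` into (path, version).

    Returns None for references this rule does not cover: local actions
    (`./path`) and Docker images (`docker://...`).
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return ref, None  # no version at all: implicitly the default branch
    path, version = ref.rsplit("@", 1)
    return path, version


def find_unpinned_third_party(workflow_text):
    """Return [(line_number, ref)] for third-party actions not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        parsed = split_ref(ref)
        if parsed is None:
            continue
        path, version = parsed
        owner = path.split("/", 1)[0]
        if owner in FIRST_PARTY_OWNERS:
            continue
        if version is None or not FULL_SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed sample workflow for the demo; the action names are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@v2
      - name: Lint
        uses: another/tool@main
      - uses: some-org/some-action@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # v2
      - uses: short/pin@a1b2c3d
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_third_party(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```

Run against the sample, the scanner reports lines 10, 12 and 14 (the `v2` tag, the `main` branch and the 7-character prefix) and accepts the checkout step, the local action, the Docker image and the full-SHA pin. Because it matches line by line it does not see YAML structure; a real implementation should parse the workflow so that `uses:` inside a `run:` script block or a comment is not reported.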
## Examples

Non-compliant:

```yaml
jobs:
  build:
    steps:
      - uses: some-org/some-action@v2
      - uses: another/tool@main
```

Compliant:

```yaml
jobs:
  build:
    steps:
      - uses: some-org/some-action@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # v2
      - uses: another/tool@b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3
```
Fix: Pin each third-party action to the full 40-character commit SHA of the release you intend to use, and add a trailing comment with the version tag (for example `# v2`) so reviewers can tell which release the hash corresponds to. A short SHA prefix does not satisfy the rule. Use Dependabot (package-ecosystem: `github-actions`) to keep SHA pins current; it raises pull requests that move the pin to the newer release's commit. Note that a pinned SHA protects only the reference you wrote: a composite action can itself call other actions by tag, so review the `action.yml` of anything you pin for the same issue.
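As an added example (not part of the original page), the Dependabot configuration that enables those updates lives at `.github/dependabot.yml`; the `github-actions` ecosystem scans workflow files under `.github/workflows` when the directory is `/`, and the weekly interval is an assumption you can adjust.

```yaml
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    # "/" covers .github/workflows for the github-actions ecosystem
    directory: "/"
    schedule:
      interval: "weekly"
```

With this in place, each Dependabot pull request replaces the pinned SHA with the commit of the newer release, so the workflow stays immutable between updates while still tracking upstream fixes.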