Workflow depends on unpinned GitHub Actions

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: github-actions/unpinned-actions

Language: YAML

Severity: Warning

Category: Security

Description

Pin GitHub Actions by commit hash to ensure supply chain security.

Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

Non-Compliant Code Examples

jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit
  lint:
    - name: Checkout repository
      uses: actions/checkout
  lint:
    - name: Checkout repository
      uses: actions/checkout@v2
  lint:
    - name: Checkout repository
      uses: actions/myaction@v2

Compliant Code Examples

name: kubehound-linter

on:
  push:
    branches:
      - main
  pull_request:

permissions:
  contents: read

jobs:
  linter:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            goreleaser.com:443
            golang.org:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            uploads.github.com:443
            sum.golang.org:443            

      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
        with:
          go-version: "1.22"

      - name: Checkout Git Repo
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

      - name: golangci-lint
        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
        with:
          version: v1.56.2
          args: ./...
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Integraciones sin problemas. Prueba Datadog Code Security

Datadog Code Security
PREVIEWING: brett.blue/post-reorg-tweaks