Metadata
ID:github-actions/unpinned-actions
Language: YAML
Severity: Warning
Category: Security
Description
Pin GitHub Actions by commit hash to ensure supply chain security.
Referencing a branch (`@main`) or a tag (`@v1`) allows implicit updates: both are mutable pointers, so anyone with write access to the action's repository (a maintainer or an attacker who has compromised it) can move them to different code, and your workflow will run that code on its next execution without any change on your side. A full-length commit SHA identifies exactly one tree, so always pin actions to one. You can find the commit SHA for the latest tag in the action's repository and keep pins current with an auto-updater such as Dependabot, which understands SHA-pinned `uses:` references. Include a comment with the corresponding full-length SemVer tag so the pin stays readable and reviewable. Note that a SHA pin only covers the action you reference directly; a composite or JavaScript action that itself calls other actions by tag is still subject to their updates.