Workflow depends on unpinned GitHub Actions
ID: github-actions/unpinned-actions
Language: YAML
Severity: Warning
Category: Security
Description

Pin GitHub Actions by commit hash to ensure supply chain security. Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full-length commit SHA. You can find the commit SHA for the latest tag in the action's repository, and keep pins current with an auto-updater such as Dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:

```yaml
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
```
Non-Compliant Code Examples

```yaml
jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit
```

```yaml
lint:
  - name: Checkout repository
    uses: actions/checkout
```

```yaml
lint:
  - name: Checkout repository
    uses: actions/checkout@v2
```

```yaml
lint:
  - name: Checkout repository
    uses: actions/myaction@v2
```
Compliant Code Examples

```yaml
name: kubehound-linter
on:
  push:
    branches:
      - main
  pull_request:
permissions:
  contents: read
jobs:
  linter:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09
        with:
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            goreleaser.com:443
            golang.org:443
            go.dev:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            uploads.github.com:443
            sum.golang.org:443
      - name: Setup Golang
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
        with:
          go-version: "1.22"
      - name: Checkout Git Repo
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
      - name: golangci-lint
        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc
        with:
          version: v1.56.2
          args: ./...
```
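The following is an added example, not part of the rule page or Datadog's analyzer: a small standalone check that applies the rule's criterion (a `uses:` reference is compliant only when it ends in a full 40-hex commit SHA) to workflow text, and additionally reports pinned references that lack the SemVer tag comment recommended above. The sample workflow is constructed from the page's own examples.

```python
import re

# A `uses:` line in a step or job, with an optional trailing comment (e.g. "# v4.2.2").
USES_RE = re.compile(r'^\s*-?\s*uses\s*:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$')
# A full-length commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# The SemVer tag the rule asks for in the comment, e.g. "v4.2.2".
SEMVER_RE = re.compile(r'^v?\d+\.\d+\.\d+')


def is_pinned(ref):
    """True only when the reference ends in '@<full 40-hex commit SHA>'."""
    if '@' not in ref:
        return False  # no ref at all resolves to the default branch
    return bool(FULL_SHA_RE.match(ref.rsplit('@', 1)[1]))


def check_workflow(text):
    """Scan workflow text; return (line_no, ref, finding) for each problem found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group('ref'), m.group('comment')
        if not is_pinned(ref):
            findings.append((n, ref, 'unpinned'))
        elif not (comment and SEMVER_RE.match(comment.strip())):
            findings.append((n, ref, 'missing-version-comment'))
    return findings


# Constructed sample mixing the page's non-compliant and compliant forms.
SAMPLE = """\
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout
      - uses: actions/checkout@v2
      - uses: actions/checkout@main
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
"""

if __name__ == '__main__':
    for n, ref, kind in check_workflow(SAMPLE):
        print(f'line {n}: {kind}: {ref}')
```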