Summary
All GitHub Actions workflows use mutable major-version tags (e.g. actions/checkout@v3, docker/login-action@v2) instead of immutable commit SHAs. If any of those action repositories are compromised, malicious code could be injected into CI runs silently.
Affected Files
- .github/workflows/publish.yml
- .github/workflows/development.yml
- Any other workflow files
Examples of Vulnerable Pins
- uses: actions/checkout@v3 # mutable
- uses: docker/setup-qemu-action@v2 # mutable
- uses: aws-actions/configure-aws-credentials@v1 # mutable
- uses: docker/login-action@v2 # mutable
Recommendation
Pin every action to an exact commit SHA:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v3.4.0
Use a tool like pin-github-action or Dependabot's github-actions ecosystem to keep SHAs current.
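A small checker, added here as an example and not part of the project or of the tools named above, that scans a workflow for `uses:` references which are not pinned to a full 40-character commit SHA. It treats local actions (`./...`) as pinned by the repository itself and accepts `docker://` images only when pinned by digest; the embedded workflow is a constructed sample built from the pins quoted in this issue.

```python
import re
from typing import List, Tuple

# Constructed sample: mixes the mutable pins from this issue with the
# SHA-pinned checkout recommended above, a local action and a docker image.
SAMPLE_WORKFLOW = """\
name: publish
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3 # mutable
      - uses: docker/setup-qemu-action@v2 # mutable
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: aws-actions/configure-aws-credentials@main
"""

# Matches "uses: <ref>" as a list item or a bare key, with optional quoting.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(uses: str) -> bool:
    """Return True only if the reference cannot silently change upstream."""
    if uses.startswith("./"):
        return True  # local action: versioned with this repository's own history
    if uses.startswith("docker://"):
        return "@sha256:" in uses  # container image is immutable only by digest
    if "@" not in uses:
        return False  # no ref at all resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return bool(FULL_SHA_RE.match(ref))  # tags and branches fail this test


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reference) for every mutable `uses:` in the text."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and not is_pinned(match.group(1)):
            findings.append((lineno, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: unpinned action {ref}")
```

Run it over each file under `.github/workflows/` in CI to fail the build when a mutable pin is introduced.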
Severity
High — Supply chain attack vector; silent code injection into CI/CD pipeline.
Found by automated security audit.