GitHub Actions workflows can use actions and reusable workflows created by others. These external actions perform tasks such as checking out code,
building applications, and deploying artifacts. If your workflow uses a third-party action or reusable workflow without referencing a specific
commit hash, you are at risk of pulling in code that you have not reviewed: branch and tag references such as `@main` or `@v1` are mutable, so the
code behind them can change after your review, either by the author or by an attacker who compromises the action's repository.
Ask Yourself Whether
- You trust the author of this third-party action or workflow
- You accept that this third-party action or workflow could change at any time
There is a risk if you answered no to any of those questions.
Recommended Secure Coding Practices
It is recommended to pin third-party actions and reusable workflows to the complete commit hash. This is the only way to ensure that the code you
are pulling into your workflow is the one you have reviewed: tags and branches can be moved or deleted and recreated, and only the full 40-character
SHA identifies an immutable commit. Review the code at that commit before pinning it, and keep a comment with the human-readable version next to the
hash so that reviewers and dependency update tools can tell which release it corresponds to. Note that pinning only covers the action you reference
directly; a composite action that itself uses unpinned actions still needs to be reviewed.
Sensitive Code Example
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@main # Sensitive
Compliant Solution
Use the full commit hash as a reference to pin the version.
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@b16d2601a6b948e2fb26f3772276581f31daa7cd
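The following is an added example, not part of the original rule description, showing how to check a workflow file for `uses:` references that are not pinned to a full commit hash. It is a lightweight line scanner rather than a YAML parser, and the sample workflow it runs over is constructed for this example; the action and repository names in it are placeholders. Local actions (`./path`) and `docker://` images are skipped because the commit-hash rule does not apply to them.

```python
import re
import sys

# A full Git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# A `uses:` entry (step or reusable-workflow job): captures the target and the ref after '@'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^@'\"\s#]+)(?:@([^'\"\s#]+))?")


def is_pinned(ref):
    """True only if the reference is a complete commit SHA (tags, branches and short SHAs are not)."""
    return ref is not None and SHA_RE.match(ref) is not None


def find_unpinned_uses(workflow_text):
    """Return (line_no, target, ref) for every `uses:` entry not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, ref = m.group(1), m.group(2)
        # Local actions and container images are outside the scope of this check.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if not is_pinned(ref):
            findings.append((line_no, target, ref))
    return findings


# Constructed sample workflow covering the cases a practitioner runs into.
SAMPLE_WORKFLOW = """\
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@main            # mutable branch: not pinned
      - uses: docs/example-action@v1              # mutable tag: not pinned
      - uses: docs/example-action@b16d2601a6b948e2fb26f3772276581f31daa7cd  # v1.2.3
      - uses: ./.github/actions/local-action      # local action: not applicable
      - uses: docker://alpine:3.18                # container image: not applicable here
  reuse:
    uses: docs/example-repo/.github/workflows/ci.yml@main  # reusable workflow: not pinned
"""


def main(argv):
    # Scan the files given on the command line, or the embedded sample when none are given.
    if len(argv) > 1:
        sources = [(path, open(path, encoding="utf-8").read()) for path in argv[1:]]
    else:
        sources = [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for line_no, target, ref in find_unpinned_uses(text):
            print(f"{name}:{line_no}: {target}@{ref or '<no ref>'} is not pinned to a full commit SHA")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the paths of your workflow files (`python check_pins.py .github/workflows/*.yml`) to get a non-zero exit status when any unpinned reference remains, which makes it usable as a pre-commit or CI gate. Because it matches lines rather than parsing YAML, references written with unusual quoting or YAML anchors may be missed; treat it as a first-pass lint, not a replacement for reviewing the pinned commit itself.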