iac/actions/gha-unpinned-action

Third-party action not pinned to a commit SHA

Severity: medium · GitHub Actions · iac-actions

What it detects

`uses: someone/action@main` (or `@master`, or a tag such as `@v1`) resolves to whatever that branch or tag points at when the job runs, and both can be moved by anyone with write access to the action's repository. If the maintainer's account or the repository is compromised, the attacker can repoint the ref at malicious code and every consuming workflow picks it up without a single line changing on the consumer's side. A short SHA is not a pin either: it is a prefix, and the rule only accepts the full 40-character commit SHA. The same mutable-ref problem applies to reusable workflows referenced through `jobs.<id>.uses`. Local actions (`uses: ./.github/actions/...`) ship with the repository and have nothing external to pin.

Remediation

Replace the tag or branch with the full SHA of the commit it currently points to, and keep the human-readable version in a trailing comment so reviewers can still tell what is pinned, e.g. `uses: owner/repo@<sha> # v4`. `git ls-remote https://github.com/owner/repo refs/tags/v4` prints the SHA; for an annotated tag use the peeled `refs/tags/v4^{}` line, which is the commit itself rather than the tag object. Tools like `pinact` can do this across a repo. A pinned SHA is frozen, so pair it with Dependabot or Renovate, both of which bump SHA-pinned actions and update the version comment, or the pin quietly turns into an unpatched version.

How it runs

Runs against `.github/workflows/*.yml` files. It targets the published patterns behind real-world breaches (GhostAction, s1ngularity, tj-actions/changed-files); in the tj-actions/changed-files compromise, existing version tags were repointed to a malicious commit that dumped CI secrets, so every workflow on a tag ref was affected without any change in its own repository.
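The check this rule performs, and the rewrite step the remediation describes, as an added example in Python. This is illustrative code written for this page, not repoguard's or pinact's implementation. The workflow text, the action names (`example-org/...`, `someone/action`, `vendor/lint`, `bare/action`) and every 40-hex SHA are constructed placeholders, not real repositories or commits, and the `resolved` mapping stands in for SHAs you would look up with `git ls-remote`. It goes slightly beyond the rule text by also flagging reusable-workflow refs under `jobs.<id>.uses` and a `uses:` with no `@ref` at all.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample workflow (not from the original page). Action names and
# the 40-hex SHA are placeholders, not real repositories or commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: someone/action@main
      - uses: "other/action@master"
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: Lint
        uses: vendor/lint@v1
      - uses: bare/action
  deploy:
    uses: example-org/workflows/.github/workflows/deploy.yml@release
"""

# Constructed tag -> commit resolution; in practice obtained from
# `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>`.
CONSTRUCTED_RESOLUTION = {
    "example-org/checkout@v4": "89abcdef0123456789abcdef0123456789abcdef",
    "someone/action@main": "fedcba9876543210fedcba9876543210fedcba98",
}

# A `uses:` key, either as a step ("- uses:" / "uses:") or as a reusable-workflow
# job key; the value may be quoted and may carry a trailing comment.
USES_RE = re.compile(
    r'^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<quote>["\']?)'
    r'(?P<ref>[^"\'#\s]+)(?P=quote)(?P<rest>\s*(?:#.*)?)$'
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    ref: str
    reason: str


def split_ref(ref: str) -> tuple[str, str | None]:
    """Split 'owner/repo[/path]@version' into (target, version); version is None if absent."""
    target, sep, version = ref.rpartition("@")
    return (target, version) if sep else (ref, None)


def scan_workflow(text: str, path: str = ".github/workflows/ci.yml") -> list[Finding]:
    """Flag every remote `uses:` whose ref is not a full 40-hex commit SHA."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./"):
            continue  # local action: lives in this repo, nothing external to pin
        if ref.startswith("docker://"):
            continue  # container image: tags are mutable too, but outside this rule
        target, version = split_ref(ref)
        if version is None:
            findings.append(Finding(path, line_no, ref, "no ref at all"))
        elif not FULL_SHA_RE.match(version):
            findings.append(Finding(path, line_no, ref,
                                    f"mutable ref '{version}' is not a full 40-hex commit SHA"))
    return findings


def pin_reference(ref: str, sha: str) -> str:
    """Return 'target@sha # version', refusing short SHAs and anything that is not hex."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError(f"refusing to pin {ref!r} to {sha!r}: need the full 40-hex commit SHA")
    target, version = split_ref(ref)
    pinned = f"{target}@{sha.lower()}"
    return f"{pinned} # {version}" if version else pinned


def rewrite_workflow(text: str, resolved: dict[str, str]) -> str:
    """Replace each `uses:` whose 'target@version' appears in `resolved` with its pinned form.
    Lines not in `resolved` (already pinned, local, docker, unresolved) are left untouched."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("ref") in resolved:
            line = m.group("prefix") + pin_reference(m.group("ref"), resolved[m.group("ref")])
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{f.path}:{f.line_no}: {f.ref}: {f.reason}")
    print(rewrite_workflow(SAMPLE_WORKFLOW, CONSTRUCTED_RESOLUTION))
```

Re-scanning the rewritten text shows only the refs that were not in the resolution map are still flagged, which is the loop a pinning tool runs: resolve, rewrite, re-scan until clean. The rewrite deliberately keeps the old version as a trailing comment, the convention Dependabot and Renovate read when they bump a SHA pin.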

Found a false positive, or want this rule tuned? File an issue. You can also suppress it per repo with a `.repoguardignore` line.