You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
message: 'Referencing an action to run by git tag may be risky, due to the mutability of git tags. If
possible, prefer to use full git SHAs instead. More information: https://google.github.io/github-team/semgrep-rules/actions-need-pinned-commits.html'
metadata:
category: best-practice
technology:
- github-actions
patterns:
- pattern-either:
- patterns:
- pattern-inside: "{steps: ...}"
# Match all uses patterns that don't contain the full SHA1 hash. Yes, short hashes exist but suffer from a similar (but slightly harder) attack vector by purposely crafting a colliding SHA.