External actions and tasks used in CI/CD pipelines should be pinned to a specific, reviewed version to prevent supply chain compromise.
Using a third-party action, workflow, or task without pinning it to a specific, reviewed version means your pipeline could silently start running code that you have not reviewed. The upstream repository owner — or an attacker who gains write access — can change the action or task at any time, and your pipeline will automatically execute those changes.
If an attacker gains control of a third-party action or task, they can modify it to run malicious code inside your pipeline. This can result in the exposure of pipeline secrets, the modification of build artifacts, or the compromise of your deployment environment.
Use the full commit hash as a reference when calling third-party actions and workflows. This is the only way to ensure that the code running in your pipeline is exactly the version you have reviewed.
The following noncompliant example references a mutable ref (the @main branch), which can change at any time without your knowledge.
```yaml
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@main # Noncompliant
```
The following compliant solution pins the same action to a full commit hash, so the code that runs in the pipeline can only change through a deliberate, reviewed update of the reference.

```yaml
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@b16d2601a6b948e2fb26f3772276581f31daa7cd
```
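The check described by this rule can be automated in CI before a workflow change is merged. The script below is an added example, not part of the rule or of any scanner: it walks a GitHub Actions workflow file line by line, extracts every `uses:` reference (step-level actions and job-level reusable workflows), and reports the ones whose ref is not a full 40-character commit hash. Local actions (`./...`) and `docker://` images are skipped because they are not pinned by git ref. The workflow text is constructed for the example; the `docs/...` action names and the short hash `1a2b3c4` are placeholders.

```python
import re

# Matches `uses: <ref>` at any indentation, with or without a leading `- `,
# and stops the capture at whitespace, quotes or a trailing `#` comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?""")

# A full git commit hash: exactly 40 hexadecimal characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)


def parse_uses(ref):
    """Split 'owner/repo[/path]@ref' into (action, ref).

    Returns None for references that carry no git ref to pin:
    local actions (./path) and container images (docker://...).
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return (ref, None)  # no ref at all: GitHub rejects this, but flag it anyway
    action, _, version = ref.rpartition("@")
    return (action, version)


def is_pinned(version):
    """True only when the ref is a full commit hash (tags and branches are mutable)."""
    return version is not None and FULL_SHA_RE.match(version) is not None


def find_unpinned(workflow_text):
    """Return [(line_number, action, ref)] for every `uses:` not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        parsed = parse_uses(match.group(1))
        if parsed is None:
            continue
        action, version = parsed
        if not is_pinned(version):
            findings.append((lineno, action, version))
    return findings


# Constructed sample workflow: mixes the page's two references with a short hash,
# a local action, a docker image and a job-level reusable workflow call.
SAMPLE_WORKFLOW = """\
name: Example
on:
  pull_request:
jobs:
  example:
    runs-on: ubuntu-latest
    steps:
      - uses: docs/example-action@main
      - uses: docs/example-action@b16d2601a6b948e2fb26f3772276581f31daa7cd
      - uses: docs/example-action@1a2b3c4
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
  reuse:
    uses: docs/example-workflows/.github/workflows/build.yml@v2
"""

if __name__ == "__main__":
    for lineno, action, version in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{version} is not pinned to a full commit hash")
```

Run against the sample, the script flags the `@main` branch, the abbreviated hash (a short hash is not unique and is still resolved by the remote, so it does not count as pinned) and the `@v2` tag on the reusable workflow, while the 40-character hash passes. A trailing comment carrying the human-readable version (`@<sha> # v1.2.3`) keeps pinned references readable and is the convention dependency-update tooling such as Dependabot uses to bump them.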