This CodeQL warning is great, but its language specifically says 3rd-party actions, yet my actions are getting warnings even when they're immutable and owned by my organization.
```ql
/**
 * @name Unpinned tag for a non-immutable Action in workflow
 * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
 * @kind problem
 * @security-severity 5.0
 * @problem.severity warning
 * @precision medium
 * @id actions/unpinned-tag
 * @tags security
 *       actions
 *       external/cwe/cwe-829
 */
```
`codeql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql`, lines 1 to 12 in 28b6aa8
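As an added example (not part of the issue or of the CodeQL query it quotes), here is a small Python linter that applies the same rule to a workflow file and adds the carve-out the report asks for: references owned by a trusted organization are reported as `trusted` rather than `unpinned`. The workflow text, the `my-org` organization name and the commit SHA are constructed for the example.

```python
import re

# Constructed sample workflow; "my-org" is an assumed organization name and
# the 40-hex value is a made-up SHA, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
      - uses: my-org/internal-lint@v2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: third-party/deploy@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str, trusted_orgs=()) -> str:
    """Return 'pinned', 'trusted', 'skip' or 'unpinned' for one uses: value.

    Local (./) and docker:// actions are outside the rule's scope ('skip').
    A 40-hex commit SHA is 'pinned'; an owner listed in trusted_orgs is
    'trusted' (the exemption the issue asks for); anything else is a tag or
    branch reference that a retagged upstream could silently change.
    """
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"
    repo, _, version = ref.partition("@")
    if SHA_RE.match(version):
        return "pinned"
    owner = repo.split("/")[0]
    if owner in trusted_orgs:
        return "trusted"
    return "unpinned"


def find_unpinned(workflow_text: str, trusted_orgs=()):
    """Return [(line_no, ref)] for every uses: reference classified as unpinned."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1), trusted_orgs) == "unpinned":
            findings.append((no, m.group(1)))
    return findings


if __name__ == "__main__":
    for no, ref in find_unpinned(SAMPLE_WORKFLOW, trusted_orgs={"my-org"}):
        print(f"line {no}: {ref} is not pinned to a commit SHA")
```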