GHA-SEC005 Non-specific Version Tags
Problem Statement
A floating reference such as @v1 (a major-version tag the maintainer moves forward with each release) or @main (a branch) resolves to whatever commit it points to at run time, not when the workflow was written. The workflow therefore picks up new, untested or malicious code without any change to its own file. If the action's repository or a maintainer's credentials are compromised, an attacker can retarget the tag or branch and run arbitrary code with the workflow's secrets and GITHUB_TOKEN.
Vulnerability
Unexpected behavior or supply-chain compromise: the action's code changes underneath the workflow, and a moved tag or branch is indistinguishable from a normal update in the workflow file.
Code Examples
Insecure Implementation
- uses: actions/setup-node@v1
Secure Implementation
- uses: actions/setup-node@v1.4.2
Remediation Steps
- Pin actions to a full-length commit SHA, and add the version as a trailing comment so reviewers and update tooling can tell which release the SHA corresponds to. This is the only form of pin that a maintainer or attacker cannot move, because a tag (even an exact one like @v1.4.2) can be deleted and recreated on a different commit.
- Where SHA pinning is not practical, pin to an exact semantic version tag (@v1.4.2) rather than a major-version tag (@v1) or a branch (@main).
- Review the pinned commit or release before adopting it, and update pins deliberately (for example through Dependabot or Renovate, which can bump SHA pins that carry a version comment) rather than letting them float.
- Apply the same rule to Docker-based steps: prefer docker://image@sha256:<digest> over a mutable image tag.
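The following is an added example, not code from the GHA-SEC catalog: a small Python check that scans a workflow file for `uses:` lines and classifies each reference as a branch, a floating major-version tag, an exact semantic version tag, a full commit SHA, a local action or a Docker image, then reports the ones that do not meet the chosen pinning policy. The embedded workflow is constructed for the example; the 40-hex-character SHA in it is a placeholder, not a real actions/setup-node commit.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for the example. The SHA below is a placeholder,
# not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v1
      - uses: actions/setup-node@v1.4.2
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v1.4.2 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.18
      - run: npm test
"""

# Matches "uses:" entries in a workflow and captures the reference up to
# whitespace, a quote or a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')               # full-length commit SHA
SEMVER_RE = re.compile(r'^v?\d+\.\d+\.\d+$')         # exact release tag, e.g. v1.4.2
FLOATING_TAG_RE = re.compile(r'^v?\d+(\.\d+)?$')     # major/minor tag, e.g. v1 or v1.4


def classify_ref(uses: str) -> str:
    """Classify the reference part of a 'uses:' value.

    Returns one of: local, docker-digest, docker-tag, sha, semver,
    floating-tag, branch, missing.
    """
    if uses.startswith("./") or uses.startswith("../"):
        return "local"                      # action from the same repository
    if uses.startswith("docker://"):
        # Only a digest pin is immutable; an image tag can be re-pushed.
        return "docker-digest" if "@sha256:" in uses else "docker-tag"
    if "@" not in uses:
        return "missing"                    # repository action with no ref at all
    ref = uses.rsplit("@", 1)[1]
    if SHA_RE.match(ref):
        return "sha"
    if SEMVER_RE.match(ref):
        return "semver"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "branch"                         # main, master, feature/x, ...


def find_unpinned(workflow_text: str, allow_semver: bool = True) -> List[Tuple[int, str, str]]:
    """Return (line_number, uses_value, kind) for every step that is not
    acceptably pinned. With allow_semver=False only SHA/digest pins pass."""
    accepted = {"sha", "docker-digest", "local"}
    if allow_semver:
        accepted.add("semver")
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        uses = match.group(1)
        kind = classify_ref(uses)
        if kind not in accepted:
            findings.append((line_no, uses, kind))
    return findings


if __name__ == "__main__":
    for line_no, uses, kind in find_unpinned(SAMPLE_WORKFLOW, allow_semver=False):
        print(f"line {line_no}: {uses} is not SHA-pinned ({kind})")
```

Run it against a real `.github/workflows/*.yml` file by passing its contents to `find_unpinned`; use `allow_semver=False` to enforce SHA-only pinning, which is the policy the remediation above recommends, and `allow_semver=True` for the weaker exact-tag policy.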