Action pinned to a mutable branch
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A workflow references an action by a branch (@main, @master, @develop). The branch tip moves with every push to that action, so the code your CI runs can change without any change on your side.
Why it matters
Pinning an action to @main or @master means every workflow run pulls whatever code sits at the tip of that branch. A maintainer, or an attacker who compromises the action repo, can change what runs in your pipeline with no change on your side, and your CI has your repository token and secrets in scope.
How to fix it
Pin the action to a full 40-character commit SHA and add a trailing comment with the human-readable version, for example uses: owner/action@a1b2c3... # v4.1.0. Use Dependabot or Renovate to bump the SHA over time. Keep first-party actions/* on a SHA too if you want the strongest guarantee.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo