Reference to a known-compromised action
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
The workflow references an action on a short list of published supply-chain compromises. Even a pinned tag is unsafe because the malicious code was pushed under existing tags.
Why it matters
This action appears on a list of published supply-chain compromises where malicious commits were pushed under existing tags to steal CI secrets. Because the bad code shipped under tags people already trusted, even a normal tag pin does not protect you. Any run that used it during the window should be treated as a secret exposure.
How to fix it
Remove or replace the flagged action. If you must keep it, pin to a specific commit SHA known to predate the compromise and audit that commit. Rotate every secret that any workflow using this action could read, since the compromise targeted secret exfiltration. Review run logs from the affected period.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo