Find more live information in Aikido here: https://app.aikido.dev/repositories/1742119?sidebarIssue=25238487&groupId=77741&sidebarIssueTask=4218758&sidebarTab=tasks
Scope
These issues affect the following code repository:
.github/workflows/ci.yml at line 16
.github/workflows/ci.yml at line 30
TLDR
A third-party GitHub Action is referenced by a tag or branch name rather than pinned to a full commit SHA. Tags and branches are mutable references: if the Action's repository or a maintainer account is compromised, the attacker can move the tag to malicious code, and every workflow that references it will run that code on its next job, with access to whatever the job exposes to that step (secrets, the GITHUB_TOKEN, the checked-out source).
How to fix
When using third-party Actions in your GitHub Workflow, pin each one to the full 40-character commit SHA of the release you want instead of a tag such as v4. The commit for a release is shown on the Releases tab of the Action's repository (each release lists its tag and the commit it points to), or you can resolve it with git ls-remote; verify that the commit belongs to the Action's own repository and not to a fork. Keep the version as a trailing comment so the pin stays readable and tools such as Dependabot (package-ecosystem: github-actions) can update it. For example:
The commit for https://github.com/actions/setup-node/releases/tag/v4.1.0 is 39370e3970a6d050c480ffad4ff0ed4d3fdee5af, so the pinned step becomes: - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
Use the full SHA rather than an abbreviated prefix like 39370e3: a short prefix is only unambiguous at a moment in time, and GitHub's hardening guidance calls for full-length commit SHAs.
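The following is an added example and is not part of the Aikido finding or of the scanned repository. It is a POSIX shell script with two functions: find_unpinned flags every uses: reference in a workflow file that is not pinned to a full 40-hex commit SHA (local ./ actions and docker:// images are skipped, since they have no upstream Git ref to pin), and resolve_tag_sha turns a release tag into the commit SHA to pin using git ls-remote. The workflow it scans is a constructed sample, not the repository's real ci.yml, and shows the tag pin, the correctly pinned full SHA with a version comment, and an abbreviated SHA side by side.

```shell
#!/bin/sh
# Added example, not part of the Aikido finding or the scanned repository.
# find_unpinned: report every "uses:" reference in a workflow file that is not
# pinned to a full 40-hex commit SHA. Local actions (./path) and container
# images (docker://...) have no upstream Git ref to pin and are skipped.
# Matches both step-level "- uses:" and job-level "uses:" (reusable workflows).
find_unpinned() {
  # $1 = path to a workflow YAML file
  awk -v q="'" '
    /^[ \t]*-?[ \t]*uses:/ {
      ref = $0
      sub(/^[ \t]*-?[ \t]*uses:[ \t]*/, "", ref)      # drop indentation, list dash and key
      sub(/[ \t]*#.*$/, "", ref)                       # drop a trailing "# v4.1.0" comment
      gsub(/"/, "", ref); gsub(q, "", ref)             # drop quotes around the value
      if (ref ~ /^\.\// || ref ~ /^docker:\/\//) next  # local action or container image
      n = split(ref, parts, "@")
      if (n == 2 && length(parts[2]) == 40 && parts[2] ~ /^[0-9a-f]+$/) next  # full SHA pin
      print NR ":" ref
    }' "$1"
}

# resolve_tag_sha: turn a release tag into the commit SHA to pin, using git ls-remote
# (needs network access, so the sample run below does not call it). Annotated tags
# produce two lines; the peeled "^{}" line is the commit the tag points to, which is
# the value GitHub Actions expects after the "@".
resolve_tag_sha() {
  # $1 = repository URL, $2 = tag name, e.g. https://github.com/actions/setup-node v4.1.0
  git ls-remote "$1" "refs/tags/$2" |
    awk 'NR == 1 { sha = $1 } index($2, "^{}") > 0 { sha = $1 } END { print sha }'
}

# Constructed sample workflow (not the repository's real ci.yml) covering a tag
# pin, a full-SHA pin with version comment, an abbreviated SHA, a local action
# and a container image.
WORKFLOW_SAMPLE='name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.1.0
        with:
          node-version: 20
      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
      - uses: actions/setup-node@39370e3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
      - run: npm ci
'

SAMPLE_FILE=$(mktemp)
printf '%s' "$WORKFLOW_SAMPLE" > "$SAMPLE_FILE"

# Prints "7:actions/checkout@v4", "8:actions/setup-node@v4.1.0" and
# "12:actions/setup-node@39370e3"; the full-SHA pin on line 11 is accepted.
echo "Unpinned actions in $SAMPLE_FILE:"
find_unpinned "$SAMPLE_FILE"
```

Run find_unpinned over every file in .github/workflows/ in CI or as a pre-commit check; each reference it prints should be replaced by the SHA that resolve_tag_sha returns for the intended release, after confirming that the commit is in the Action's own repository rather than a fork.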