Not posted
Explanation
GitHub Action is not pinned to a full commit SHA. Pin third-party actions to a reviewed commit to reduce supply-chain drift.
Evidence
{
  "path": ".github/workflows/firmcode-rich-report-smoke.yml",
  "source": "semgrep",
  "excerpt": "requires login",
  "lineRange": {
    "endLine": 10,
    "startLine": 10
  },
  "artifactId": "app.infra.semgrep.firmcode.infra.github-actions.unpinned-action"
}
Suggested fix
No suggested fix was stored for this finding.