
GA-C008: Third-party action without SHA pinning

Severity: Warning | Category: Security

Why This Matters

Third-party actions, meaning those from organizations other than `actions/` and `github/`, carry a higher supply chain risk. A tag or branch ref is mutable: if it is compromised or moved, malicious code can be injected into your workflow. Pin third-party actions to a full 40-character commit SHA to ensure immutable, auditable builds.

How to Fix

Pin third-party action to full commit SHA

Before (incorrect)

uses: third-party/action@v2

After (correct)

uses: third-party/action@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # v2
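
As an added illustration (not part of this rule page or its tooling), a small Python checker that applies the GA-C008 condition to workflow text: it skips `actions/` and `github/` owners and local actions, and flags any other `uses:` ref that is not a full 40-character commit SHA, including abbreviated SHAs. The sample workflow, regex and function names are constructed for this example.

```python
import re

# Owners the rule treats as first-party; every other owner is a third party for GA-C008.
FIRST_PARTY_OWNERS = {"actions", "github"}

# Captures the target of a `uses:` line, tolerating list dashes, quotes and a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def check_uses(target):
    """Return a finding dict for one `uses:` target, or None if GA-C008 does not apply."""
    # Local actions and Docker images are not GitHub refs and are out of scope here.
    if target.startswith("./") or target.startswith("docker://"):
        return None
    action, _, ref = target.partition("@")
    if action.split("/", 1)[0] in FIRST_PARTY_OWNERS:
        return None
    if re.fullmatch(r"[0-9a-fA-F]{40}", ref):
        return None  # full commit SHA: immutable pin, as the fix requires
    if re.fullmatch(r"[0-9a-fA-F]{7,39}", ref):
        reason = "abbreviated SHA; pin the full 40-character commit SHA"
    else:
        reason = "tag, branch or missing ref; pin to a full 40-character commit SHA"
    return {"action": action, "ref": ref, "reason": reason}


def scan_workflow(text):
    """Scan workflow YAML text line by line; return GA-C008 findings with 1-based line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            finding = check_uses(m.group(1))
            if finding:
                finding["line"] = lineno
                findings.append(finding)
    return findings


# Constructed sample workflow (not from the page); lines 5, 7 and 8 should be flagged.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: third-party/action@v2
      - uses: third-party/action@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 # v2
      - uses: other-org/tool@main
      - uses: other-org/tool@a1b2c3d
      - uses: ./.github/actions/local
"""
```

A full SHA only guarantees that the ref cannot change; it does not vouch for the commit's contents, so review the pinned commit and keep the version in a trailing comment as the fix above shows.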

Rule Details

Rule Code: GA-C008
Severity: Warning
Category: Security

Related Rules