For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cicd-github-unpinned-actions-full-length-commit-sha.md. A documentation index is available at /llms.txt.

Unpinned actions full length commit SHA

This product is not supported for your selected Datadog site. ().

Metadata

Id: cicd-github-unpinned-actions-full-length-commit-sha

Provider: GitHub

Platform: CICD

Severity: Low

Category: Supply-Chain

Learn More

Description

Steps that reference external GitHub Actions must be pinned to a full-length commit SHA to ensure the action’s code is immutable and to reduce supply-chain tampering or unexpected behavior from upstream updates. The rule inspects the uses property in step attributes and requires the value to end with @ followed by a 40-character lowercase hexadecimal commit SHA (pattern @[a-f0-9]{40}). Entries that do not match this pattern will be flagged. The check ignores local actions referenced with relative paths, starting with ./, and references beginning with actions/. When pinning, use a commit SHA from the action’s original repository so the pinned reference matches the intended source.

Secure example with a pinned action:

- name: Build and push
  uses: docker/build-push-action@e3b0c44298fc1c149afbf4c8996fb92427ae41e4

Compliant Code Examples

name: test-positive
on:
  pull_request:
    types: [opened, synchronize, edited, reopened]
    branches: 
      - master
jobs:
  test-positive:
    runs-on: ubuntu-latest
    steps:
    - name: PR comment
      uses: thollander/actions-comment-pull-request@b07c7f86be67002023e6cb13f57df3f21cdd3411
      with:
        comment_tag: title_check
        mode: recreate
        create_if_not_exists: true

name: test-positive
on:
  pull_request:
    types: [opened, synchronize, edited, reopened]
    branches:
      - master
jobs:
  test-positive:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Code
      uses: actions/checkout@v4
      with:
        persist-credentials: false

name: test-negative3
on:
  pull_request:
    types: [opened, synchronize, edited, reopened]
    branches:
      - master
jobs:
  test-negative3:
    runs-on: ubuntu-latest
    steps:
    - name: Local action
      uses: ./test.yml

Non-Compliant Code Examples

name: test-positive
on:
  pull_request:
    types: [opened, synchronize, edited, reopened]
    branches: 
      - master
jobs:
  test-positive:
    runs-on: ubuntu-latest
    steps:
    - name: PR comment
      uses: thollander/actions-comment-pull-request@v2
      with:
        comment_tag: title_check
        mode: recreate
        create_if_not_exists: true

name: Composite action with unpinned third-party action
description: Composite action that calls a third-party action by tag instead of SHA
runs:
  using: composite
  steps:
    - name: PR comment
      uses: thollander/actions-comment-pull-request@v2

name: test-positive
on:
  pull_request:
    types: [opened, synchronize, edited, reopened]
    branches: 
      - master
jobs:
  test-positive:
    uses: my-org/shared-github-actions/.github/workflows/pr-comment-thollander.yml@v3