H3-2025-0013
GitHub Actions Unpinned Uses
| Field | Value |
|---|---|
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 3.0 |
Description
GitHub Actions workflows that reference an action with `uses:` but omit the `@ref` suffix (a branch, tag, or commit SHA) do not fix which version of the action runs, so the workflow can execute code its author never reviewed.
Impact
An unpinned reference does not name a fixed commit, so the workflow runs whatever the action repository currently serves from its default branch; any change pushed there, including a malicious update, is picked up automatically on the next run. The action executes with the job's permissions, its GITHUB_TOKEN, and any secrets passed to it, so a compromised action can exfiltrate secrets, tamper with build artifacts, or obtain access the workflow author never intended. Pinning to a branch or tag only narrows the window, since both can be moved by the action's maintainer or by an attacker who controls that repository; a full 40-character commit SHA is the only immutable pin.
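The following is an added example, not part of this rule's documentation or of any scanner's own implementation. It is a small standalone checker that classifies every `uses:` reference in a workflow file as local, Docker, unpinned (no `@ref`, the condition this rule describes), mutable (branch or tag), or SHA-pinned, and reports the unpinned and, optionally, mutable ones. The embedded workflow is constructed for the example, and the 40-hex value on the `actions/cache` line is a placeholder, not a real commit of that action.

```python
"""Classify `uses:` references in a GitHub Actions workflow by how they are pinned."""
import re

# A `uses:` entry (step or reusable-workflow job); the value may be quoted.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)
# A full 40-character commit SHA is the only reference GitHub treats as immutable.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow for this example (not taken from any real repository).
# The hash on the actions/cache line is a placeholder, not a real actions/cache commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/lint
      - uses: docker://alpine:3.19
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
"""


def classify(ref: str) -> str:
    """Return one of: local, docker, unpinned, mutable, sha."""
    if ref.startswith("./"):
        return "local"        # path inside the calling repo; no @ref is used here
    if ref.startswith("docker://"):
        return "docker"       # container image; pinned via an @sha256 digest, not a git ref
    if "@" not in ref:
        return "unpinned"     # no branch, tag or SHA: the condition H3-2025-0013 flags
    _, _, version = ref.rpartition("@")
    if SHA_RE.match(version):
        return "sha"          # immutable commit pin
    return "mutable"          # branch or tag: the action's maintainer can move it


def find_uses(workflow_text: str) -> list[tuple[str, str]]:
    """Every `uses:` reference in the workflow with its classification, in file order."""
    return [(m.group(1), classify(m.group(1))) for m in USES_RE.finditer(workflow_text)]


def findings(workflow_text: str, require_sha: bool = True) -> list[str]:
    """Human-readable findings. Unpinned references are always reported; tag/branch
    pins only when the stricter SHA-only policy is requested."""
    out = []
    for ref, kind in find_uses(workflow_text):
        if kind == "unpinned":
            out.append(f"{ref}: no @ref, runs whatever the action repo currently serves "
                       "(H3-2025-0013)")
        elif kind == "mutable" and require_sha:
            out.append(f"{ref}: pinned to a movable tag or branch, prefer a 40-char commit SHA")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_WORKFLOW):
        print(line)
```

Run against the sample, the checker reports `actions/checkout` as unpinned and, under the SHA-only policy, `actions/setup-node@v4` as mutable; the local action and the Docker image are skipped because a git ref does not apply to them. The usual fix for a flagged line is `uses: owner/repo@<40-char sha>` with a trailing `# vX.Y.Z` comment so the intended version stays readable.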