This GitHub Action (written in JavaScript) allows you to leverage GitHub Actions to ensure that GitHub Actions are pinned to full length commit SHAs. This does not fail for referenced actions in the same repository when using the ./path/to/dir syntax. For more information, see "using third-party actions."
Usage
Pre-requisites
Create a workflow .yml file in your .github/workflows directory. An example workflow is available below. For more information, reference the GitHub Help Documentation for Creating a workflow file.
allowlist: The list of owners or repositories that will be ignored and will not throw an error. Each entry must be on a new line. Optional. Default: `` (deny all). For example,
allowlist: |
  aws-actions/ # Trust all actions published by aws-actions
  docker/login-action # Trust docker's login-action only
dry_run: Set to true to show warnings instead of failing. Optional. Default: false (fail on any error)
Outputs
None. This action will throw an error if it finds any GitHub Action that is not pinned to a full length commit SHA.
Note: Only the first error encountered will be reported.
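The check described above, sketched as an added example (this is not the action's own source code): it scans a workflow for `uses:` references, skips `./` paths, applies an allowlist, and flags anything not pinned to a 40-character hex commit SHA. The function names, the allowlist matching rules and the sample workflow are assumptions made for illustration; unlike the action, it returns every finding rather than only the first.

```javascript
// Added example, not the action's source. Allowlist matching rules are assumptions.
const FULL_SHA = /^[0-9a-f]{40}$/;

// Parse the multi-line allowlist input: one entry per line, trailing "# comment" dropped.
function parseAllowlist(input) {
  return input.split('\n')
    .map((line) => line.replace(/#.*$/, '').trim())
    .filter(Boolean);
}

// Assumption: "owner/" trusts every repo of that owner; "owner/repo" trusts that repo only.
function isAllowed(action, allowlist) {
  return allowlist.some((entry) =>
    entry.endsWith('/') ? action.startsWith(entry)
      : action === entry || action.startsWith(entry + '/'));
}

// Return one finding per `uses:` reference that is not pinned to a 40-hex commit SHA.
function findUnpinned(workflowText, allowlistInput = '') {
  const allowlist = parseAllowlist(allowlistInput);
  const findings = [];
  workflowText.split('\n').forEach((line, i) => {
    const m = line.match(/^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)/);
    if (!m) return;
    const ref = m[1];
    if (ref.startsWith('./')) return; // same-repository action, not checked
    const at = ref.lastIndexOf('@');
    const action = at === -1 ? ref : ref.slice(0, at);
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (isAllowed(action, allowlist) || FULL_SHA.test(version)) return;
    findings.push({ line: i + 1, ref });
  });
  return findings;
}

// Constructed sample workflow (the SHA below is a made-up placeholder).
const SAMPLE = `
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
      - uses: aws-actions/configure-aws-credentials@v4
      - uses: docker/login-action@master
      - uses: docker/build-push-action@v5
`;
const SAMPLE_ALLOWLIST = 'aws-actions/ # trust owner\ndocker/login-action # trust one repo';
console.log(findUnpinned(SAMPLE, SAMPLE_ALLOWLIST));
```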
Common workflow
Ideally, set this up as an initial job for your workflows. For example: