GitHub Actions supply chain security
SHA-pin your actions. Audit their source for runtime fetches that bypass pinning. Score the result.
What it does
pin — resolve action tag references (actions/checkout@v4) to full SHA-pinned references, preserving the tag as a comment.
update — check SHA-pinned actions for newer releases and update them.
audit — scan workflow run: blocks and action source code for runtime fetch patterns that bypass pinning (shell, PowerShell, JavaScript, Python, Docker).
score — compute a single posture grade (0–100, A–F) against a public, versioned rubric.
For static analysis of workflow files — template injection, excessive permissions, credential leaks — use zizmor. It’s excellent.
pinprick picks up where static analysis leaves off. SHA-pinning is table stakes, but a pinned action can still curl down releases/latest at runtime. pinprick keeps your pins fresh, audits the source code reachable through them, and gives you a single number to track over time.
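The pin and audit steps described above, as an added example that is not pinprick's own code or rule set: it assumes a pre-resolved tag-to-SHA map (RESOLVED) standing in for a GitHub API lookup, a constructed workflow file, and a deliberately small set of runtime-fetch patterns.

```python
import re

# Constructed resolver output (tag -> commit SHA), standing in for a GitHub API
# lookup; the SHAs below are made up for this example, not real commits.
RESOLVED = {
    "actions/checkout@v4": "1111111111111111111111111111111111111111",
    "actions/setup-node@v4": "2222222222222222222222222222222222222222",
}
USES_RE = re.compile(r"^(\s*-?\s*uses:\s*)([^\s@]+)@([^\s#]+)(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Illustrative runtime-fetch patterns: a small subset, not pinprick's rules.
FETCH_PATTERNS = [
    ("unpinned release download", re.compile(r"releases/latest\b")),
    ("remote script piped to a shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("package from unpinned git ref", re.compile(r"\b(pip|npm) install\b.*(git\+|github:)")),
]
# Constructed sample workflow: two resolvable tags, one unknown action, two runtime fetches.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - uses: example/unknown-action@v1
      - run: curl -sSL https://example.invalid/tool/releases/latest/tool.tgz | tar xz
      - run: pip install git+https://example.invalid/org/lib
"""

def pin(workflow: str) -> tuple[str, list[str]]:
    """Rewrite tag refs to SHA refs, keeping the tag as a trailing comment.
    Returns the new text plus the refs the resolver could not map."""
    out, unresolved = [], []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m.group(3)):   # already-pinned refs are left alone
            prefix, action, tag, _ = m.groups()
            sha = RESOLVED.get(f"{action}@{tag}")
            if sha:
                line = f"{prefix}{action}@{sha} # {tag}"
            else:
                unresolved.append(f"{action}@{tag}")
        out.append(line)
    return "\n".join(out) + "\n", unresolved

def audit(workflow: str) -> list[tuple[int, str]]:
    """(line number, description) for each command that fetches unpinned content at runtime."""
    return [(n, desc) for n, line in enumerate(workflow.splitlines(), 1)
            for desc, pat in FETCH_PATTERNS if pat.search(line)]
```

Unresolved refs are reported rather than silently kept, and re-running pin on its own output changes nothing, which is the property an automated pin/update job relies on.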