
⚠️ Potential issue | 🟠 Major #10

@naheel0

Description


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# First, check if the file exists and read its content
if [ -f ".github/workflows/codeql.yml" ]; then
  echo "=== File content with line numbers ==="
  cat -n ".github/workflows/codeql.yml"
else
  echo "File not found"
  exit 1
fi

Repository: BeyteFlow/errlens

Length of output: 1181


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Run the verification script from the review comment to find unpinned actions
echo "=== Checking for unpinned actions ==="
rg -nP '^\s*uses:\s*[^@\s]+@(?!(?:[a-f0-9]{40})\b)' .github/workflows/*.yml || echo "No unpinned actions found"

Repository: BeyteFlow/errlens

Length of output: 465


🌐 Web query:

GitHub Actions security best practices SHA pinning supply chain security

💡 Result:

GitHub Actions supply-chain security best practices (with SHA pinning)

1) Pin every third‑party action to a full commit SHA

  • Use an immutable reference in uses: a full-length commit SHA is the most reliable way to avoid a tag/branch later being moved to malicious code. Add a comment with the human version for readability (and to help Dependabot updates). [1]
  • Example:
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    [1]

2) Prefer SHAs that correspond to a tagged release you trust

  • Choose SHAs from the action’s official repo (not a fork) and ideally those that correspond to a released version so updates are trackable. [1]

3) Watch out for “unpinnable” behavior (mutable dependencies)

  • SHA pinning helps, but an action can still be effectively mutable if it pulls in unpinned content at runtime (e.g., downloads scripts, uses floating container image tags, etc.). Review action source and avoid actions with mutable dependencies. [1]
  • Security research highlights how “unpinnable actions” can still enable supply-chain attacks despite SHA pinning if the action fetches changing code/assets. [2]

4) Enforce SHA pinning (org/enterprise policy)

  • GitHub Actions policies can require SHA-pinned actions (workflows fail if an action isn’t pinned) and can also block specific actions/versions to respond quickly to known-bad dependencies. [3]

5) Minimize token permissions (least privilege)

  • Set explicit permissions: for GITHUB_TOKEN at workflow/job level, granting only what’s required. [4]

6) Prefer short‑lived cloud credentials via OIDC (avoid long‑lived secrets)

  • Use GitHub Actions OpenID Connect to get short-lived tokens from your cloud provider instead of storing long-lived cloud secrets in GitHub. [5]

7) Prevent workflow/script injection

  • Don’t place untrusted input (issue titles, PR body text, branch names, etc.) directly into executable contexts (run: scripts, unsafe expression usage). This is called out as a key hardening item. [1]

Sources: GitHub Well‑Architected Actions security guidance [1], GitHub Docs on GITHUB_TOKEN permissions [4] and OIDC hardening [5], GitHub Changelog on SHA pinning enforcement and blocking [3], and security research on “unpinnable actions” [2].
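The rg one-liner executed above needs PCRE look-ahead and only answers "pinned or not". The following is an added example, not part of the review or the errlens repository, that generalizes the same audit to the other points in the guidance: it separates abbreviated SHAs from tag refs, flags full SHAs that lack the "# vX.Y.Z" version comment, treats docker:// image tags as mutable, and skips local ./ actions. The sample workflow is constructed; the actions/setup-node SHA in it is a placeholder.

```python
import re

# One `uses:` step line: the reference, then an optional trailing "# comment".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')          # immutable commit id
ABBREV_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')      # abbreviated id, not immutable
VERSION_COMMENT_RE = re.compile(r'v?\d+(\.\d+)*')    # "# v4.1.7" hint next to a SHA


def audit_workflow(text):
    """Return (line_no, ref, finding) for each `uses:` that is not safely pinned.

    unpinned: tag/branch ref (@v4) or floating docker tag; short-sha: abbreviated
    commit id; no-version: full SHA lacking the "# vX.Y.Z" comment that lets humans
    and Dependabot see which release it is. Local ./ actions are skipped.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group('ref'), m.group('comment')
        if ref.startswith('./'):
            continue  # resolves to the checked-out commit of this repository
        if ref.startswith('docker://'):
            # Container actions are pinned only by digest; any image tag can be re-pushed.
            if '@sha256:' not in ref:
                findings.append((n, ref, 'unpinned'))
            continue
        version = ref.rsplit('@', 1)[1] if '@' in ref else ''
        if FULL_SHA_RE.match(version):
            if not (comment and VERSION_COMMENT_RE.search(comment)):
                findings.append((n, ref, 'no-version'))
        elif ABBREV_SHA_RE.match(version):
            findings.append((n, ref, 'short-sha'))
        else:
            findings.append((n, ref, 'unpinned'))
    return findings


# Constructed sample (not the repository's codeql.yml); the setup-node SHA is a
# placeholder, the checkout/codeql-action SHAs are the ones quoted in the review.
SAMPLE_WORKFLOW = """\
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - uses: github/codeql-action/init@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: actions/setup-node@0123456789012345678901234567890123456789
      - uses: some/action@692973e
      - uses: docker://alpine:latest
      - uses: ./.github/actions/local-step
"""
```

Run audit_workflow over the text of each file in .github/workflows/ and fail the check when the list is non-empty; the pre-existing (full SHA, no comment) case is the one the rg regex on this page cannot see.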


Pin all GitHub Actions to full commit SHAs.

Lines 27, 30, 35, and 38 use mutable version tags (@v4, @v3). Pinning to 40-character commit SHAs prevents tag takeover attacks and ensures reproducible, verifiable builds.

🔒 Suggested hardening diff
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
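Review bot: the trailing comment on the new uses: line records only the major version (# v4), yet the guidance quoted above lists this same SHA 692973e3d937129bcbf40652eb9f2f61becf3332 as actions/checkout v4.1.7; record the exact tag (# v4.1.7) so readers and Dependabot can tell which release the SHA resolves to and bump it.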

-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3
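Review bot: this hunk replaces only the name/uses lines of the Initialize CodeQL step, whereas the committable suggestion further down also carries the step's with: block (languages: ${{ matrix.language }}); whoever applies this diff by hand must keep that block, or the init step loses its language input.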

-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3

-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3
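Review bot: init, autobuild and analyze are all pinned to 5f532563584d7bc9eab1fc0b6aa718b9134fb42a, which is the expected shape since the three live in the same github/codeql-action repository and must move together; before merging, confirm that this SHA is a commit on the official repository matching a tagged v3.x release (best-practice item 2 above) and put that tag in the comment instead of the bare # v3. As with the init hunk, the analyze step's with: category line shown in the committable suggestion is not part of this hunk and must be kept.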
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      - name: Checkout repository
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3
        with:
          category: "/language:${{ matrix.language }}"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/codeql.yml around lines 26 - 40, replace the mutable
action tags with pinned 40-character commit SHAs for each GitHub Action used:
actions/checkout, github/codeql-action/init, github/codeql-action/autobuild, and
github/codeql-action/analyze; locate the invocations of those actions in the
workflow (the steps named "Checkout repository", "Initialize CodeQL",
"Autobuild", and "Perform CodeQL Analysis") and update the uses: value from e.g.
actions/checkout@v4 to the full commit SHA for the corresponding release,
ensuring each uses: entry references the exact commit SHA (40 chars) so the
workflow is immutable and reproducible.

Originally posted by @coderabbitai[bot] in #9 (comment)

Labels: bug, documentation, enhancement