Open
Description
Describe the issue
GitHub Actions workflows should pin the actions they use to a commit SHA, to prevent supply-chain attacks such as this one:
https://www.wiz.io/blog/github-action-tj-actions-changed-files-supply-chain-attack-cve-2025-30066
Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.
Workflow using version (tag) pinning:

```yaml
name: Example version pinning
permissions:
  contents: read
on:
  pull_request:
jobs:
  checkoutCode:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
```
Desired result
Check: CKV_GHA_XX: "Ensure GitHub Action sources use a commit hash"
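One way to implement the requested check, as an added standalone example and not checkov's own code (a real checkov check would plug into its GitHub Actions parser and check-registry classes, which this example does not reproduce): scan every `uses:` value in a workflow and flag references whose ref after `@` is not a full 40-hex commit SHA. Tags (`@v4`), branches (`@main`) and abbreviated SHAs are all mutable or ambiguous and are reported; local actions (`./path`) and `docker://` images carry no git ref, so the example treats them as not applicable. The sample workflow below is constructed for this example (the issue's workflow plus two extra steps), and the 40-hex SHA in it is a placeholder, not a real `actions/checkout` commit.

```python
import re

# A full commit SHA is exactly 40 lowercase hex characters; anything shorter
# (abbreviated SHA), or a tag/branch name, is not an immutable pin.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches "uses: owner/repo@ref" as a list item or bare key, quoted or not,
# and stops before any trailing "# vX.Y.Z" comment that documents the pin.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")


def is_sha_pinned(uses: str) -> bool:
    """Return True when an action reference is pinned to a full commit SHA.

    Local actions ("./path") and "docker://" images have no git ref to pin,
    so they are treated as not applicable and pass (assumption for this
    example; a production check might report docker images without a digest).
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return True
    if "@" not in uses:
        # "owner/repo" with no ref resolves to the default branch: mutable.
        return False
    _, ref = uses.rsplit("@", 1)
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, uses value) for every action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if not is_sha_pinned(uses):
            findings.append((lineno, uses))
    return findings


# Constructed sample: the issue's workflow plus a SHA-pinned step (placeholder
# SHA, not a real commit) and a local action, to show what passes and fails.
SAMPLE_WORKFLOW = """\
name: Example version pinning
permissions:
  contents: read
on:
  pull_request:
jobs:
  checkoutCode:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: ./.github/actions/local-action
"""

if __name__ == "__main__":
    for lineno, uses in find_unpinned(SAMPLE_WORKFLOW):
        print(f"FAILED CKV_GHA_XX line {lineno}: '{uses}' is not pinned to a commit SHA")
```

Only the `actions/checkout@v4` step is reported; the SHA-pinned step passes even with the trailing `# v4.1.1` comment, which is the usual way to keep the human-readable version next to the immutable pin. Note that a SHA pin only guarantees immutability; it does not by itself verify that the pinned commit was reviewed, so it complements rather than replaces reviewing what a third-party action does.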
Additional context
A similar check already exists for Terraform module sources:
https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/module/generic/RevisionHash.py#L12