Would be great if octoscan could check for unpinned GitHub Actions, e.g. if a GitHub Action is used with a branch or tag reference rather than a fixed commit.
That is one criterion by GitHub for hardening CIs: see Security hardening for GitHub Actions
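The check requested above, as an added example that is not part of this issue or of octoscan's own code: a small line-based scanner that finds every `uses:` in a workflow file and reports references that are not a full-length commit SHA (branch or tag names, short hashes, missing refs, and `docker://` images without a digest). The sample workflow, its action names and the 40-hex SHA in it are all constructed for the example; no YAML library is needed because only the `uses:` lines are inspected.

```python
import re
from typing import List, Tuple

# A full-length (40 hex chars) commit SHA is the only immutable reference.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# 7-39 hex chars looks like a shortened SHA, which GitHub's hardening guide
# does not consider a proper pin (it is not full-length and can collide).
SHORT_HEX_RE = re.compile(r"^[0-9a-f]{7,39}$")
# Matches "uses: value" (optionally as a list item or quoted), stopping at
# whitespace or a trailing YAML comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")

# Classifications that should be reported as unpinned.
UNPINNED = {"docker-unpinned", "missing", "short-sha", "mutable"}


def classify_uses(value: str) -> str:
    """Classify a `uses:` value by how its reference is pinned.

    Returns one of: local, docker-digest, docker-unpinned, missing,
    sha, short-sha, mutable.
    """
    if value.startswith("./"):
        # Local action in the same repo: no external ref to pin.
        return "local"
    if value.startswith("docker://"):
        # Container images are pinned by digest, not by tag.
        return "docker-digest" if "@sha256:" in value else "docker-unpinned"
    if "@" not in value:
        return "missing"
    _, ref = value.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SHORT_HEX_RE.match(ref):
        return "short-sha"
    # Anything else (v4, main, release/1.x, ...) is a movable branch/tag.
    return "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, uses_value, classification) for each unpinned action."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        kind = classify_uses(value)
        if kind in UNPINNED:
            findings.append((line_no, value, kind))
    return findings


# Constructed sample workflow; the action names and the SHA are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
      - name: lint
        uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    for line_no, value, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {value} is not pinned ({kind})")
```

A 40-hex ref is treated as a SHA here; a tag that happens to be named like a SHA would slip through, so a stricter scanner would also confirm the ref resolves to a commit rather than a tag. The `# v4` comment next to the pinned SHA is the convention the hardening guide suggests for keeping a pinned action readable and updatable.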