Reliance on Insufficiently Trustworthy Component
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1357: Reliance on Insufficiently Trustworthy Component |
| OWASP | A06:2021 - Vulnerable and Outdated Components |
| Confidence Level | High |
| Impact Level | Low |
| Likelihood Level | Low |
Description
A GitHub Action from a third-party repository is referenced without being pinned to a specific commit SHA. A mutable reference such as a branch name or version tag resolves to whatever commit it points at when the workflow runs, so the action's code could change unexpectedly if the repository is updated or compromised.
Impact
If the referenced action is modified by its author or by a bad actor, your workflow could automatically run untrusted or malicious code. This can lead to leaked secrets, unauthorized access, or compromise of your CI/CD pipeline and related infrastructure.
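As an added example (not part of this rule's own tooling), a small Python checker that scans workflow text for `uses:` references and reports third-party actions that are not pinned to a full 40-character commit SHA. The sample workflow, the `example-org` actions and the `trusted_owners` allow-list are constructed for illustration and are assumptions, not values from this rule.

```python
import re

# Constructed sample workflow (not a real project file); it mixes pinned and
# unpinned action references so the checker has something to flag.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: example-org/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: make test
"""

# A pinned reference is a full 40-hex-digit commit SHA after the '@'.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the reference after 'uses:', stopping at whitespace, quotes or a comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")


def find_unpinned_actions(workflow_text, trusted_owners=frozenset()):
    """Return (line_no, ref) for third-party actions not pinned to a commit SHA.

    Local actions (./path) and Docker images (docker://) are skipped; they are
    not repository references. Owners in trusted_owners are treated as
    first-party and skipped (hypothetical allow-list; the rule itself has none).
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        owner = ref.split("/", 1)[0]
        if owner in trusted_owners:
            continue
        _, _, version = ref.partition("@")  # version is '' when no '@' is present
        if not SHA_RE.match(version):
            findings.append((line_no, ref))
    return findings
```

A tag or branch name after the `@` is reported; a full SHA is accepted even when a version tag follows it as a comment.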