.github/workflows/deploy.yml
Receipt demoybey · 2026-05-15 20:28 UTC
Score 76/100 · 3 findings
Critical 0 · High 3 (flagged) · Medium 0 · Low 0 · Info 0
- HIGH · Suspicious · pattern match · cp-iac-gha-unpinned-action · .github/workflows/deploy.yml:10
  GitHub Action pinned to mutable ref (@main, @master, @HEAD)
  A branch ref is resolved when the job runs, so whoever can push to that branch (or holds a compromised maintainer token) decides what code executes in your workflow, with the secrets and permissions the job has. A supply-chain attack on the action repo affects your next run immediately, with no change on your side to review.
  Fix: Pin to an immutable commit SHA, for example `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683`, and keep the tag the SHA was resolved from as a trailing comment so reviewers and update bots can read the pin.
- HIGH · Suspicious · pattern match · cp-iac-gha-unpinned-action · .github/workflows/deploy.yml:11
  GitHub Action pinned to mutable ref (@main, @master, @HEAD)
  Same rule and same fix as the finding above, for the action referenced at line 11: replace the branch ref with the full commit SHA of the release you intend to run.
- HIGH · Suspicious · pattern match · cp-hack-bybit-unpinned-action-checkout · .github/workflows/deploy.yml:10
  Bybit hack pattern: unpinned GitHub Action handling deploy/release
  A workflow that deploys frontend bundles or release artifacts uses a third-party action pinned to a mutable ref (@main, @master, or a version tag instead of a commit SHA). Tags are mutable too: anyone with write access to the action repo can re-point a tag at a different commit. This is the class of attack behind the Bybit theft (Feb 2025, about $1.46B): the attackers did not break the contracts, they altered the Safe{Wallet} frontend bundle served to Bybit's signers. In that case the bundle was swapped using a compromised developer's cloud credentials rather than through a GitHub Action, but the lesson for a deploy pipeline is the same: if the pipeline trusts a moving target, whoever controls that target controls your build output.
  Fix: Pin every third-party action to a full 40-char commit SHA (e.g. `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`), after checking that the SHA is the commit the upstream release tag actually points to. Use Dependabot or Renovate to propose SHA bumps and review them like any other dependency update. A pin only covers the top-level reference: a composite action that itself calls other actions by tag stays mutable underneath it, and a local action (`./...`) is covered by your own repo's review process, not by pinning.
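The check behind these three findings, written out as an added example. This is not elytrasec's engine and not code from the scanned repository; it is a standard-library-only script that walks a workflow file line by line, classifies every `uses:` target, and flags anything that is not a full commit SHA (branch, tag, missing ref, or a `docker://` image without a digest). The workflow text below is constructed for the example; the SHA on the `upload-artifact` line is a placeholder, while the `checkout` SHA is the one this receipt cites.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not the scanner's own code. Uses a line-oriented regex instead
of a YAML parser so it runs with the standard library only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# A full 40-hex commit SHA is the only immutable ref GitHub Actions accepts.
SHA40 = re.compile(r"[0-9a-f]{40}")
# Matches `uses:` both as a step (`- uses: ...`) and as a reusable-workflow
# call (`uses: org/repo/.github/workflows/x.yml@ref`), with an optional
# trailing `# vX.Y.Z` comment that Dependabot/Renovate keep in sync.
USES = re.compile(
    r"^\s*-?\s*uses:\s*(['\"]?)(?P<ref>[^'\"#\s]+)\1\s*(?:#\s*(?P<comment>\S.*))?\s*$"
)
MUTABLE_BRANCHES = {"main", "master", "HEAD"}


@dataclass
class Finding:
    line: int
    uses: str
    severity: str
    reason: str


def classify(ref: str, comment: Optional[str]) -> Optional[tuple[str, str]]:
    """Return (severity, reason) for one `uses:` target, or None if acceptable."""
    if ref.startswith("./"):
        return None  # local action: reviewed with the repo itself, nothing to pin
    if ref.startswith("docker://"):
        # A container action is immutable only when referenced by digest.
        if "@sha256:" in ref:
            return None
        return ("high", "docker image referenced by tag, not by @sha256 digest")
    if "@" not in ref:
        return ("high", "no ref given; resolves to the action's default branch")
    version = ref.rsplit("@", 1)[1]
    if SHA40.fullmatch(version):
        if comment is None:
            return ("info", "SHA-pinned but missing a version comment; "
                            "update bots rewrite the comment alongside the SHA")
        return None
    if version in MUTABLE_BRANCHES:
        return ("high", f"branch ref @{version} can be moved to malicious code at any time")
    return ("high", f"tag @{version} is mutable; anyone with write access "
                    "to the action repo can re-point it")


def scan(workflow_text: str) -> list[Finding]:
    """Run the check over every line of a workflow file, 1-indexed like the receipt."""
    findings: list[Finding] = []
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if not m:
            continue
        verdict = classify(m.group("ref"), m.group("comment"))
        if verdict is not None:
            findings.append(Finding(number, m.group("ref"), *verdict))
    return findings


# Constructed sample workflow: two mutable refs, one local action, one SHA pin
# without a comment (placeholder SHA), one fully pinned checkout (receipt's SHA).
SAMPLE_WORKFLOW = """\
name: deploy
on:
  push:
    branches: [main]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@main
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/build
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_WORKFLOW):
        print(f"{f.severity.upper():5} line {f.line}: {f.uses}  ({f.reason})")
```

Run as a script it reports lines 9 and 10 as high and line 12 as info; lines 11 and 13 pass. The local-action and digest-pinned-image exemptions are deliberate: pinning only applies to a reference that resolves outside the repository, and a `docker://` image with an `@sha256:` digest is already content-addressed.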
Receipt: https://elytrasec.io/r/demoybey
Receipts are snapshots — findings may change as the engine improves.
Want a deeper scan? Run via x402 API or re-scan in the playground.