Ensure not to use the 'latest' tag for any GitHub actions image
Using a tag whose contents change over time (such as 'latest' or a branch name) can result in unexpected software behavior, opens a supply chain attack vector, and can leave a build in an unrecoverable state because the exact inputs that produced it can no longer be identified.
Risk Level: medium
Platform: Github
Spectral Rule ID: GHAC001
REMEDIATION
Always pin to an exact version lock.
Examples:
- use: [email protected]
- use: [email protected]
Bad examples:
- use: ubuntu:latest
- use: npm@master
- use: alpine
Read more:
- TBD