Organization owned immutable actions raise warning about unpinned 3rd party actions tag #21076

New issue

Open

Labels

false-positive

@StephenHodgson

Description

@StephenHodgson

StephenHodgson

opened

on Dec 21, 2025

This CodeQL warning is great, but its language specifically says 3rd party actions, but my actions are getting warnings even when they're immutable and owned by my organization.

codeql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql

Lines 1 to 12 in 28b6aa8

/**

* @name Unpinned tag for a non-immutable Action in workflow

* @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.

* @kind problem

* @security-severity 5.0

* @problem.severity warning

* @precision medium

* @id actions/unpinned-tag

* @tags security

* actions

* external/cwe/cwe-829

Metadata

Assignees

No one assigned

Labels

false-positive

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Organization owned immutable actions raise warning about unpinned 3rd party actions tag #21076

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions