github-actions-templates

skills-sh:wshobson_agents__github-actions-templates

A
100/100

First Seen: Feb 18, 2026
Last Scanned: Feb 20, 2026
Findings: 1
Score: 100/100
LOW: 1

Findings (1)

LOW: Unpinned GitHub Actions (L270)

Detects GitHub Actions references using mutable branch names instead of pinned commit SHAs or tags

uses: aquasecurity/trivy-action@master

FIX: Verify that build scripts and Makefiles do not download or run code from untrusted sources. Audit all build steps and pin any external tools used during the build process.

FP? Likely FP if the build script only runs standard toolchain commands (e.g., cargo build, go build) without downloading external resources.