Checkmarx (IaC-Security): Unpinned Actions Full Length Commit SHA
Checkmarx Project: Nova-8/Damm-Vulnerable-CSharp-API
Repository URL: https://github.com/Nova-8/Damm-Vulnerable-CSharp-API
Branch: master
Scan ID: 2f22541b-da6c-459f-9285-99da61e0ed7d
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.
Locations:
Result 1:
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
File: /.github/workflows/main.yml[13,0]
Expected value: Action pinned to a full length commit SHA.
Actual value: Action is not pinned to a full length commit SHA.
Review result in Checkmarx One: Unpinned Actions Full Length Commit SHA
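The check behind this finding is mechanical: every `uses:` reference in a workflow must end in a 40-hex-character commit id, not a tag such as `@v4`, a branch, or a short SHA. The following script is an added example of that detection logic and is not Checkmarx's or the repository's own code. The workflow text it scans is constructed for the example (it is not the real `.github/workflows/main.yml` at `[13,0]`), and the 40-hex value in it is a placeholder, not a real commit of `actions/setup-dotnet`. It goes slightly beyond the finding by also treating `docker://` container actions as pinned only when referenced by digest, and by skipping local `./` actions, which have no ref to pin.

```python
import re
from typing import List, Tuple

# Constructed sample workflow for this example; not the repository's real
# .github/workflows/main.yml. The 40-hex value on the setup-dotnet line is a
# placeholder SHA, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: dotnet build
"""

# A full Git object id is exactly 40 lowercase hex characters (as Git prints them).
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: <value>" or "uses: <value>", stopping at whitespace, quotes or a comment.
USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)""")


def is_full_sha(ref: str) -> bool:
    """True only for a full-length (40 hex) commit SHA; tags, branches and short SHAs fail."""
    return bool(FULL_SHA.fullmatch(ref))


def classify(uses: str) -> str:
    """Classify one `uses:` value as 'pinned', 'unpinned' or 'n/a'."""
    if uses.startswith("./"):
        # Local action: runs from the already checked-out commit, nothing to pin.
        return "n/a"
    if uses.startswith("docker://"):
        # A container image is immutable only when referenced by its digest.
        return "pinned" if "@sha256:" in uses else "unpinned"
    if "@" not in uses:
        # No ref at all resolves to the action's default branch, which can move.
        return "unpinned"
    ref = uses.rsplit("@", 1)[1]
    return "pinned" if is_full_sha(ref) else "unpinned"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, uses value) for every action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, uses in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: '{uses}' is not pinned to a full length commit SHA")
```

Pinning is only half of the advice in the finding: the chosen SHA must also come from the action's own repository rather than a fork. A quick offline-free check for that is `git ls-remote https://github.com/<owner>/<action>` and confirming the SHA you are about to pin appears next to the release tag you expect; a SHA that resolves only in a fork will not be listed there.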