Problem
PyCQA/bandit-action itself can be pinned to a full-length commit SHA (e.g.
PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f), but the internal dependencies it references are pinned only to mutable version tags, not full-length commit SHAs:
actions/setup-python@v6
actions/checkout@v6
github/codeql-action/upload-sarif@v4
Impact
Many organisations and enterprises enforce a policy requiring all actions, including transitive/internal dependencies, to be pinned to a full-length commit SHA. When bandit-action is used in such an environment, the workflow fails at the "Prepare all required actions" step with an error like:
Error: The actions actions/setup-python@v5, actions/checkout@v4, and github/codeql-action/upload-sarif@v3
are not allowed in <org>/<repo> because all actions must be pinned to a full-length commit SHA.
Even though the caller has correctly pinned PyCQA/bandit-action to a SHA, the action itself violates the policy because its own action.yml uses tag-based references internally.
Expected behaviour
All action references inside PyCQA/bandit-action's action.yml (and any composite steps or reusable workflows it calls) should be pinned to full-length commit SHAs, for example:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
- uses: github/codeql-action/upload-sarif@v3@... # pin to SHA
This is also a security best practice recommended by StepSecurity and OpenSSF Scorecard (the "Pinned-Dependencies" check).
Suggested fix
Replace all mutable tag references inside the action's source files with their corresponding full-length commit SHAs.
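The check an organisation (or the action's own CI) can run to catch this before a release, as an added example that is not part of bandit-action, StepSecurity or OpenSSF Scorecard: it scans an action.yml for uses: references whose ref is not a 40-hex commit SHA. The action.yml below is a constructed sample that mirrors the tag references listed above plus one SHA-pinned line taken from the expected-behaviour section and one hypothetical short-SHA line; it is not the project's real file.

```python
import re

# Matches `uses: owner/repo[/path]@ref` (with or without a leading list dash)
# and captures the action and the ref. Local `./path` and `docker://` steps
# carry no `owner/repo@ref` form and are therefore not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?"
    r"([A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@([^\s'\"#]+)",
    re.M,
)
# A full-length commit SHA is exactly 40 lowercase hex characters;
# abbreviated SHAs and tags both fail this test.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample action.yml (not the real PyCQA/bandit-action file).
SAMPLE_ACTION_YML = """\
name: sample composite action
runs:
  using: composite
  steps:
    - uses: actions/checkout@v6
    - uses: actions/setup-python@v6
      with:
        python-version: '3.12'
    - uses: github/codeql-action/upload-sarif@v4
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
    - uses: example-org/hypothetical-action@abc1234 # short SHA, still mutable-ish
"""


def find_unpinned(yaml_text):
    """Return (action, ref) pairs whose ref is not a full-length commit SHA."""
    return [
        (action, ref)
        for action, ref in USES_RE.findall(yaml_text)
        if not FULL_SHA_RE.match(ref)
    ]


def is_policy_compliant(yaml_text):
    """True only when every uses: reference is pinned to a 40-hex SHA."""
    return not find_unpinned(yaml_text)


if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE_ACTION_YML):
        print(f"unpinned: {action}@{ref}")
    print("compliant:", is_policy_compliant(SAMPLE_ACTION_YML))
```

Run as a pre-release step over action.yml (and any workflow files the action calls) and fail the build when find_unpinned returns anything; the same logic is what the org-level policy in the error message above enforces at run time, so catching it in the repository avoids the failure for every downstream caller. To obtain the SHA for a tag, `git ls-remote https://github.com/<owner>/<repo> refs/tags/<tag>` resolves it without cloning; keep the tag in a trailing `# vN` comment, as the expected-behaviour lines do, so Dependabot/Renovate can still track updates.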
Environment
- Runner version: 2.332.0
- Observed when: bandit-action is used in an organisation with a mandatory SHA-pinning policy