## GitHub Actions Supply Chain Risk: Unpinned Tags in Vulnerability-Scan CI Job
A supply chain weakness has been reported in a GitHub Actions CI/CD workflow. In the `.github/workflows/ci.yaml` file, the `vulnerability-scan` job references core actions such as `actions/checkout` and `actions/setup-go` by the mutable tag `@v6`. A Git tag is a movable pointer: whoever controls the action's repository, or an attacker who compromises it, can delete and re-create `v6` so that it points at a different commit, and every workflow that references the tag runs the new code on its next invocation with no change to the consuming repository. The anomaly is stark: every other job in the same workflow pins its actions to full-length commit SHAs (40-character Git SHA-1 commit ids, which cannot be re-pointed), so the one job missing the protection is the very job meant to find vulnerabilities.

The issue centers on the discrepancy between the `vulnerability-scan` job and the rest of the CI configuration. While the other jobs use specific commit hashes (e.g., `de0fac2e4500dabe0009e67214ff5f5447ce83dd` for `actions/checkout`), the security scan relies on the mutable `v6` tag. This undermines the integrity of the pipeline: a re-pointed tag would execute on the scan's runner with the job's `GITHUB_TOKEN` and any secrets the job is granted, able to exfiltrate those credentials or alter the scan's output so that real findings never surface, and nothing in the workflow itself would record that the action's code had changed.
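The check a reviewer would want here is a script that walks a workflow and flags every `uses:` reference that is not a full commit SHA, reporting which job it sits in. The following is an added example, not code from the page or from the repository it describes; it parses a constructed workflow that reproduces the pattern above (one job pinned, the `vulnerability-scan` job on `@v6`). The `actions/checkout` SHA is the one quoted on the page; the `actions/setup-go` SHA in the sample is a made-up placeholder. Repo-local actions (`./path`) are treated as pinned because they are versioned with the repository, and `docker://` images count as pinned only when they carry a `@sha256:` digest.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re
import sys

# Constructed sample workflow (not the page's actual ci.yaml). The setup-go SHA
# in the `build` job is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v6 (placeholder SHA)
      - run: go build ./...
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
      - uses: ./.github/actions/local-scan
      - run: govulncheck ./...
"""

JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")              # 2-space key directly under jobs:
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")  # `- uses: owner/repo@ref` or `uses: ...`
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")   # full SHA-1 (or SHA-256) commit id


def is_pinned(uses: str) -> bool:
    """True if the target of a `uses:` line cannot be silently changed upstream.

    Tags (v6) and branches (main) are movable pointers and therefore not pinned.
    """
    if uses.startswith("./"):
        return True                      # repo-local action, versioned with this repo
    if uses.startswith("docker://"):
        return "@sha256:" in uses        # image digest, not a floating tag
    if "@" not in uses:
        return False                     # no ref at all: resolves to the default branch
    _, ref = uses.rsplit("@", 1)
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow_text: str) -> list[dict]:
    """Return one finding per unpinned `uses:` line, with line number and enclosing job."""
    findings = []
    job = None
    in_jobs = False
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.rstrip() == "jobs:":
            in_jobs = True
            continue
        if in_jobs and line.strip() and not line.startswith(" "):
            in_jobs = False              # another top-level key: left the jobs mapping
        m = JOB_RE.match(line) if in_jobs else None
        if m:
            job = m.group(1)
            continue
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append({"line": lineno, "job": job, "uses": m.group(1)})
    return findings


if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/ci.yaml  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    results = find_unpinned(text)
    for f in results:
        print(f"line {f['line']}: job {f['job']!r} uses unpinned {f['uses']}")
    sys.exit(1 if results else 0)
```

Run against the sample, it reports exactly the two `@v6` lines in the `vulnerability-scan` job and exits non-zero, which is the behaviour you want from a pre-merge gate on workflow files. Any job that shows up here while its siblings do not is the inconsistency the page describes.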

This is a basic software supply chain control failure: the tool meant to ensure safety is itself the exposed component, and for any organization relying on this workflow it means a trusted automation could be subverted without any change to their own code. The fix is straightforward: replace the tags with the same SHA-pinned references the other jobs use, keeping the human-readable version in a trailing comment (`# v6`) so that dependency-update tooling can still track upgrades. Pinning only helps if the SHA is taken from the upstream repository's own release and refreshed when fixed versions are published, since a stale pin trades one risk for another. The presence of such a gap in a vulnerability scanning job highlights the need for consistent security hygiene across all automation code.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: supply-chain-security, ci-cd, github-actions, vulnerability, devsecops
- **Credibility**: unverified
- **Published**: 2026-04-12 21:22:28
- **ID**: 60829
- **URL**: https://whisperx.ai/en/intel/60829