23.03.2026

Why You Should Pin GitHub Actions to Commit SHAs


The recent aquasecurity/trivy-action compromise is a strong reminder that CI security depends on what your workflow actually downloads at runtime. According to Socket's incident write-up, attackers force-moved dozens of existing version tags in the official Trivy action, which meant workflows that referenced aquasecurity/trivy-action by version tag could execute malicious code without any workflow file changing. For SRE and platform teams, that is the ugly side of trusting mutable references in production CI.

What Happened

Trivy Action is widely used to scan container images, filesystems, and repositories in GitHub Actions. During the March 2026 incident, attackers reportedly rewrote many existing tags to malicious commits. GitHub Actions resolves uses: references by tag, branch, or commit SHA. If you pin to a tag, you are trusting that tag to keep pointing at the same code forever.

That trust breaks the moment a tag is force-updated.

GitHub's own security hardening guidance recommends using immutable references wherever possible and keeping token permissions narrow. The Trivy incident shows why that advice matters in real pipelines, not just security checklists.

Why Commit SHAs Matter

A full commit SHA is immutable in a way tags are not. If your workflow references a specific commit, GitHub Actions fetches that exact revision.

Key benefits for operators:

  • Prevents silent action upgrades inside critical workflows
  • Reduces blast radius from compromised tags or branches
  • Makes incident response faster because the exact dependency is visible
  • Improves change control for regulated or audited environments
  • Works well with review automation and dependency update bots

Pinning does not solve every supply chain problem (an action pinned by SHA can still fetch tools, images, or packages at runtime), but it removes one of the easiest attack paths in CI.

Installation

Start by replacing tag-based action references with full commit SHAs:

- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
  with:
    scan-type: fs
    scan-ref: .

If you want the workflow to stay readable, add a comment with the human-friendly release tag:

- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
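Resolving a release tag to the commit SHA it points at is the step the snippet above assumes you have already done. The following script is an added example, not code from the original post or from the Trivy project: it parses the output of `git ls-remote --tags <repo-url>` and handles the one gotcha that bites people here, namely annotated tags, whose plain ref line names the tag object rather than the commit, so the peeled `^{}` line is the SHA that `uses:` needs. The sample `ls-remote` output is constructed with obviously fake hashes; only the tag name v0.35.0 mirrors the post.

```python
"""Resolve a GitHub Actions release tag to the full commit SHA for pinning.

Added example (not part of the original post). Parses `git ls-remote --tags`
output and prefers the peeled ref for annotated tags.
"""
import re
import subprocess

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map each ref name ('refs/tags/v1', 'refs/tags/v1^{}') to its SHA."""
    refs = {}
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        sha, ref = line.split(None, 1)  # git prints "<sha>\t<ref>"
        refs[ref] = sha
    return refs


def resolve_tag(refs: dict[str, str], tag: str) -> str:
    """Return the commit SHA behind `tag`.

    A lightweight tag's ref line already holds the commit. An annotated tag's
    ref line holds the tag object; git ls-remote also prints a peeled line
    (suffix ^{}) with the commit, which is what GitHub Actions must be given.
    """
    peeled = refs.get(f"refs/tags/{tag}^{{}}")
    plain = refs.get(f"refs/tags/{tag}")
    sha = peeled or plain
    if sha is None:
        raise KeyError(f"tag {tag!r} not found in ls-remote output")
    if not FULL_SHA.match(sha):
        raise ValueError(f"unexpected ref value {sha!r} for tag {tag!r}")
    return sha


def pinned_uses(action: str, tag: str, sha: str) -> str:
    """Render the pinned step line, keeping the tag as a readability comment."""
    return f"- uses: {action}@{sha} # {tag}"


def fetch_tags(repo_url: str) -> dict[str, str]:
    """Live variant: query the real repository with git ls-remote."""
    out = subprocess.run(
        ["git", "ls-remote", "--tags", repo_url],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_ls_remote(out)


# Constructed sample output with fake hashes (real SHAs are 40 hex digits of
# mixed value; these are only shaped like them).
SAMPLE_LS_REMOTE = "\n".join([
    f"{'a' * 40}\trefs/tags/v0.34.0",       # lightweight tag: already the commit
    f"{'b' * 40}\trefs/tags/v0.35.0",       # annotated tag: this is the tag object
    f"{'c' * 40}\trefs/tags/v0.35.0^{{}}",  # peeled line: the commit the tag names
])

if __name__ == "__main__":
    refs = parse_ls_remote(SAMPLE_LS_REMOTE)
    sha = resolve_tag(refs, "v0.35.0")
    print(pinned_uses("aquasecurity/trivy-action", "v0.35.0", sha))
```

Pinning to the tag object's SHA (the `b...` line above) instead of the peeled commit is a common mistake when people copy the first matching line of `git ls-remote`; the function above picks the peeled line whenever one exists.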

Usage in Real Pipelines

For production repositories, combine SHA pinning with a few basic controls:

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: fs
          scan-ref: .
          severity: CRITICAL,HIGH

This keeps the action version fixed and also limits what the default token can do if something goes wrong.

Operational Tips

  • Audit all uses: lines in your org and flag tag-based references
  • Prefer bots or internal tooling to update pinned SHAs on a review cycle
  • Restrict GITHUB_TOKEN permissions to the minimum needed per job
  • Rotate secrets quickly after any CI compromise, even if exposure is only suspected
  • Review third-party actions like production dependencies, not copy-paste snippets

If you run a platform team, this is a good week to enforce a policy that blocks mutable action references in protected repositories.
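The audit in the first tip and the policy gate in the paragraph above are the same check run in two places. The script below is an added example, not tooling from the original post: it scans every `uses:` value in a repository's workflow files and classifies it as pinned (a full 40-hex commit SHA, or a docker image referenced by digest), mutable (a tag, a branch, or an abbreviated SHA, which GitHub does not treat as an immutable pin), or local (an action checked in alongside the workflow). Run it in a pre-commit hook or a required CI job and it exits non-zero when a mutable reference slips in. The sample workflow is constructed; the `example-org/...` action names are hypothetical, and the checkout SHA is the one used in the post.

```python
"""Audit GitHub Actions workflows for mutable `uses:` references.

Added example (not from the original post). Flags tag, branch and short-SHA
references so a protected repository can reject them.
"""
import re
import sys
from pathlib import Path

USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_uses(ref: str) -> str:
    """Return 'local', 'pinned' or 'mutable' for one uses: value."""
    if ref.startswith("./"):
        return "local"  # lives in this repo, versioned with the workflow itself
    if ref.startswith("docker://"):
        # An image tag can be re-pushed like a git tag; only a digest is fixed.
        return "pinned" if IMAGE_DIGEST.search(ref) else "mutable"
    if "@" not in ref:
        return "mutable"  # remote action with no ref at all: nothing is fixed
    _, _, version = ref.rpartition("@")
    # Short SHAs are deliberately not accepted: only the full SHA is a pin.
    return "pinned" if FULL_SHA.match(version) else "mutable"


def audit_workflow_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, ref, verdict) for every uses: line in a workflow.

    Matches step-level `- uses:` and job-level `uses:` (reusable workflows).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            ref = m.group(1)
            findings.append((lineno, ref, classify_uses(ref)))
    return findings


def mutable_refs(text: str) -> list[tuple[int, str]]:
    """Only the findings a policy gate should fail on."""
    return [(n, r) for n, r, v in audit_workflow_text(text) if v == "mutable"]


def audit_directory(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Scan .github/workflows/*.yml and *.yaml under root; map file -> mutable refs."""
    workflows = root / ".github" / "workflows"
    paths = [p for ext in ("*.yml", "*.yaml") for p in workflows.glob(ext)]
    report = {}
    for path in sorted(paths):
        bad = mutable_refs(path.read_text(encoding="utf-8"))
        if bad:
            report[str(path)] = bad
    return report


# Constructed sample workflow; example-org actions are hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
      - uses: example-org/lint-action@v2          # tag: mutable
      - uses: example-org/build-action@main       # branch: mutable
      - uses: example-org/test-action@34e11487    # short SHA: not a pin
      - uses: ./.github/actions/local-step
      - uses: "docker://example.invalid/scanner:1.2"
"""

if __name__ == "__main__":
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    report = audit_directory(root)
    for path, refs in report.items():
        for lineno, ref in refs:
            print(f"{path}:{lineno}: mutable action reference {ref}")
    sys.exit(1 if report else 0)
```

Usage: `python audit_actions.py /path/to/repo` (file name assumed). The line-based match is intentionally simple so it runs without a YAML library; a `uses:` string inside a `run: |` script would be a false positive, which is the safe direction for a blocking check.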

Conclusion

The Trivy tag compromise is not just a story about one action. It is a reminder that CI pipelines are part of your production attack surface. Pinning GitHub Actions to commit SHAs is a low-cost control that meaningfully reduces surprise, improves traceability, and gives SRE teams one less fire to fight.

Akmatori helps SRE teams automate operational guardrails, incident response, and production workflows across modern infrastructure. If you are building reliable platforms at scale, explore Akmatori and Gcore for the infrastructure layer behind them.
