{"version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [{"tool": {"driver": {"name": "Repobility", "informationUri": "https://repobility.com", "rules": [{"id": "MINED115", "name": "Action `actions/checkout` pinned to mutable ref `@v4`", "shortDescription": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "fullDescription": {"text": "`uses: actions/checkout@v4` is resolved at workflow-run time. Tags and branches can be re-pushed by the action owner, which is why the tj-actions/changed-files compromise (2025) instantly affected ~23K repos. Pin to a full 40-character commit SHA and let Dependabot or Renovate keep the pinned SHA updated."}, "properties": {"scanner": "repobility-supply-chain", "category": "dependency", "severity": "high", "confidence": 0.9, "cwe": "", "owasp": ""}}]}}, "automationDetails": {"id": "repobility/1014"}, "properties": {"repository": "microsoft/GSL", "repoUrl": "https://github.com/microsoft/GSL", "branch": "main"}, "results": [{"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 95212, "scanner": "repobility-supply-chain", "fingerprint": "06a1306b26deec543be883664a0c647218898c781c65649270a0051af7c7b5c7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|06a1306b26deec543be883664a0c647218898c781c65649270a0051af7c7b5c7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/clang-format.yml"}, "region": {"startLine": 22}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v4`"}, "properties": {"repobilityId": 95211, "scanner": 
"repobility-supply-chain", "fingerprint": "ff7a4cb495c08ef11b3143465a6236b85fb4d23fe61cf1e528722f56bb1aa1c4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|ff7a4cb495c08ef11b3143465a6236b85fb4d23fe61cf1e528722f56bb1aa1c4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/shell-script-linter.yml"}, "region": {"startLine": 19}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95210, "scanner": "repobility-supply-chain", "fingerprint": "d94369f471f0d2be61f039a3d0305ed09f3ae91bd30fce3ab744b7621e4e24b7", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|d94369f471f0d2be61f039a3d0305ed09f3ae91bd30fce3ab744b7621e4e24b7"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/copilot-setup-steps.yml"}, "region": {"startLine": 12}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95209, "scanner": "repobility-supply-chain", "fingerprint": "509cc8bcd3035eaabe48e54d59459c40735d3ca146ee4480763201c226278383", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": 
"gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|509cc8bcd3035eaabe48e54d59459c40735d3ca146ee4480763201c226278383"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/ios.yml"}, "region": {"startLine": 15}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/setup-java` pinned to mutable ref `@v5`"}, "properties": {"repobilityId": 95208, "scanner": "repobility-supply-chain", "fingerprint": "f6afcccf62511f731454b07debebaaf5cc17f761e730d1eff1dbcfda7935a248", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|f6afcccf62511f731454b07debebaaf5cc17f761e730d1eff1dbcfda7935a248"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/android.yml"}, "region": {"startLine": 25}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95207, "scanner": "repobility-supply-chain", "fingerprint": "715fbd54ee7378a62faa039fac961f69ed79a25eb9a904554a01a3ebee81bfb4", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|715fbd54ee7378a62faa039fac961f69ed79a25eb9a904554a01a3ebee81bfb4"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": 
".github/workflows/android.yml"}, "region": {"startLine": 20}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `microsoft/setup-msbuild` pinned to mutable ref `@v3`"}, "properties": {"repobilityId": 95206, "scanner": "repobility-supply-chain", "fingerprint": "be90918f2f450e16545dea4543754208746b12d02d5c77d837094af24daaeb12", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|be90918f2f450e16545dea4543754208746b12d02d5c77d837094af24daaeb12"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compilers.yml"}, "region": {"startLine": 91}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95205, "scanner": "repobility-supply-chain", "fingerprint": "a0c99402a0dbe72b3262158b5ab43bd4fc0fc8f8cf08045733ba2c5d915087f5", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|a0c99402a0dbe72b3262158b5ab43bd4fc0fc8f8cf08045733ba2c5d915087f5"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compilers.yml"}, "region": {"startLine": 90}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95204, "scanner": "repobility-supply-chain", "fingerprint": 
"25a7ac70308026513def1bc40fd755059bf65a632b560faa5f37bbd67c87c65d", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|25a7ac70308026513def1bc40fd755059bf65a632b560faa5f37bbd67c87c65d"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compilers.yml"}, "region": {"startLine": 69}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95203, "scanner": "repobility-supply-chain", "fingerprint": "3d3e931f7577ab3e373edb7f660b28939a965a9b60c93dcfc308a3627c250c7f", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|3d3e931f7577ab3e373edb7f660b28939a965a9b60c93dcfc308a3627c250c7f"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compilers.yml"}, "region": {"startLine": 54}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95202, "scanner": "repobility-supply-chain", "fingerprint": "65487b23604726a100f9f8e034d4c2a1ad3bb37bdfc2dadbac77979793cdd291", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], 
"languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|65487b23604726a100f9f8e034d4c2a1ad3bb37bdfc2dadbac77979793cdd291"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/compilers.yml"}, "region": {"startLine": 33}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `lukka/get-cmake` pinned to mutable ref `@latest`"}, "properties": {"repobilityId": 95201, "scanner": "repobility-supply-chain", "fingerprint": "c39a0c5e4beff6c9558a8769cb1ba0a36db88d3361c37b0a188ea3af17279b9c", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|c39a0c5e4beff6c9558a8769cb1ba0a36db88d3361c37b0a188ea3af17279b9c"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cmake_find_package.yml"}, "region": {"startLine": 17}}}]}, {"ruleId": "MINED115", "level": "error", "message": {"text": "Action `actions/checkout` pinned to mutable ref `@v6`"}, "properties": {"repobilityId": 95200, "scanner": "repobility-supply-chain", "fingerprint": "2899bbfd5f396279338c1d8c50da89cf8f8486b6095803ecb1597a3f80e81741", "category": "dependency", "severity": "high", "confidence": 0.9, "triageState": "open", "verdict": "", "isResolved": false, "reason": "", "evidence": {"mined": true, "mining": {"slug": "gha-mutable-ref", "owasp": "A08:2021", "cwe_ids": ["CWE-829"], "languages": ["yaml"], "observations_count": 0}, "scanner": "repobility-supply-chain", "correlation_key": "fp|2899bbfd5f396279338c1d8c50da89cf8f8486b6095803ecb1597a3f80e81741"}}, "locations": [{"physicalLocation": {"artifactLocation": {"uri": ".github/workflows/cmake_find_package.yml"}, "region": 
{"startLine": 16}}}]}]}]}