project link: https://github.com/cybrota/scharf
Hi security researchers,
In the aftermath of the "tj-actions/changed-files supply chain attack", I've built a tool to scan for and identify third-party GitHub Actions without pinned SHA commits across git repositories. The tool will also help you quickly export the details to CSV or JSON.
In addition, it can look up the SHA for a given action, to replace any mutable references. Please give it a try!
submitted by /u/narenarya
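The check the post describes, finding `uses:` references in workflow files that are not pinned to a full commit SHA and exporting the findings as CSV or JSON, as an added Python example. This is not code from the scharf project; it uses only the standard library, matches one-line `uses:` entries with a regex instead of a full YAML parser (an assumption that covers the common layout but not flow-style or anchored YAML), and the sample workflow, the 40-hex SHA and the image digest in it are constructed values. It also shows the replacement step, rewriting a mutable reference to a SHA while keeping the old tag as a trailing comment so reviewers can still see the intended version.

```python
"""Scan GitHub Actions workflow text for `uses:` references that are not pinned
to a full commit SHA, and export the findings as CSV or JSON.

Added example (standard library only); not code from the scharf project.
Assumption: a regex over one-line `uses:` entries is enough here; unusual YAML
layouts (flow style, anchors) would need a real YAML parser.
"""
import csv
import io
import json
import re
from dataclasses import asdict, dataclass
from typing import List, Optional

# One `uses:` entry per line, with or without a leading `- `; the target stops at
# whitespace, a quote, or a trailing `# v1.2.3` comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^\s"'#]+)""")
# A full 40-hex commit SHA is the only immutable ref for a repository action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow: the SHA and digest below are placeholders, not real.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - uses: tj-actions/changed-files@main
      - uses: some-org/some-action
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: digest-pinned image
        uses: docker://ghcr.io/example/tool@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


@dataclass
class ActionRef:
    file: str
    line: int
    action: str          # owner/repo[/path], ./local/path, or docker://image
    ref: Optional[str]   # text after the last '@', None when absent
    kind: str            # 'sha' | 'mutable' | 'missing' | 'local'


def classify(target: str) -> str:
    """Decide whether a `uses:` target can change underneath the workflow."""
    if target.startswith("./"):
        return "local"            # lives in this repo; reviewed with the code
    if target.startswith("docker://"):
        # Image tags move; only an @sha256: digest is immutable.
        return "sha" if "@sha256:" in target else "mutable"
    if "@" not in target:
        return "missing"          # resolves to the default branch at run time
    ref = target.rsplit("@", 1)[1]
    return "sha" if SHA_RE.fullmatch(ref) else "mutable"  # tag or branch name


def scan_workflow(text: str, filename: str) -> List[ActionRef]:
    """Return every `uses:` reference in one workflow file, classified."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        action, ref = target.rsplit("@", 1) if "@" in target else (target, None)
        found.append(ActionRef(filename, lineno, action, ref, classify(target)))
    return found


def find_unpinned(text: str, filename: str) -> List[ActionRef]:
    """Only the references that can silently change: tags, branches, or no ref."""
    return [r for r in scan_workflow(text, filename) if r.kind in ("mutable", "missing")]


def to_json(refs: List[ActionRef]) -> str:
    return json.dumps([asdict(r) for r in refs], indent=2)


def to_csv(refs: List[ActionRef]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["file", "line", "action", "ref", "kind"])
    writer.writeheader()
    for r in refs:
        writer.writerow(asdict(r))
    return buf.getvalue()


def pin_line(line: str, sha: str) -> str:
    """Rewrite one `uses:` line to the given commit SHA, keeping the old ref as a
    comment so reviewers still see which version the SHA was meant to track."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.fullmatch(sha):
        raise ValueError("not a uses: line or not a full 40-hex commit SHA")
    target = m.group(1)
    action, old_ref = target.rsplit("@", 1) if "@" in target else (target, "default-branch")
    start, end = m.span(1)
    rest = line[end:].split("#", 1)[0].rstrip()   # drop any existing trailing comment
    return f"{line[:start]}{action}@{sha}{rest} # {old_ref}"


if __name__ == "__main__":
    print(to_csv(find_unpinned(SAMPLE_WORKFLOW, ".github/workflows/ci.yml")))
```

Run over a real checkout, you would glob `.github/workflows/*.yml` and feed each file's text to `find_unpinned`; the `missing` kind is worth treating as seriously as `mutable`, since an action with no `@ref` at all tracks whatever the default branch currently points to.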