- The
actions/unversioned-immutable-actionquery will no longer report any alerts, since the Immutable Actions feature is not yet available for customer use. The query remains in the default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is available, the query will be updated to report alerts again.
-
The following queries have been removed from the
code-scanningandsecurity-extendedsuites. Any existing alerts for these queries will be closed automatically.actions/if-expression-always-true/criticalactions/if-expression-always-true/highactions/unnecessary-use-of-advanced-config
-
The following query has been moved from the
code-scanningsuite to thesecurity-extendedsuite. Any existing alerts for this query will be closed automatically unless the analysis is configured to use thesecurity-extendedsuite.actions/unpinned-tag
-
The following queries have been added to the
security-extendedsuite.actions/unversioned-immutable-actionactions/envpath-injection/mediumactions/envvar-injection/mediumactions/code-injection/mediumactions/artifact-poisoning/mediumactions/untrusted-checkout/medium
- Fixed false positives in the query
actions/unpinned-tag(CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
No user-facing changes.
No user-facing changes.
- Initial public preview release