Automatically pin mutable tags to immutable SHA-1 hashes to prevent supply chain attacks.
In organic chemistry, the Pinner reaction involves the acid-catalyzed conversion of a reactive nitrile into a highly stable salt.
"Just as the reaction transforms a volatile compound into a stable, fixed salt, this CLI transforms floating tags into secure, immutable commit SHAs."
```console
$ pinner pin
Searching for workflows in .github/workflows/...
actions/checkout@v4 -> actions/checkout@8f4b7f84... # v4 [✓ vetted]
dtolnay/rust-toolchain@master -> dtolnay/rust-toolchain@e97e2d8c... # master [? not checked]
Successfully pinned 12 actions across 3 files!

$ pinner scan
Scanning dependencies with OSV database...
✔ Clean Dependencies: actions/checkout@8f4b7f84...
All scanned dependencies are secure! 🛡️

$ pinner verify
Verifying action pinning...
All actions are correctly pinned! ✅
```
Built with Rust and `tree-sitter` for maximum speed and precision. Scan hundreds of actions in milliseconds.
Protects your CI/CD against tag-moving attacks. Native support for `verify` mode in your CI pipelines.
Direct integration with OpenSSF OSV database to detect compromised commit hashes, check OCI image provenance signatures, and audit upgrade candidates.
Configure trusted whitelists and blacklists in `.pinner.toml`; changes are shown with colored inline diff indicators.
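As an added illustration of what `pin` and `verify` do (this is not Pinner's own code, which is Rust and tree-sitter based), a minimal Python version: `uses:` references to a mutable tag or branch are rewritten to a full commit SHA with the original ref kept as a trailing comment, and `verify` reports anything still not pinned. The tag-to-commit map and the sample workflow are constructed for the example; the real tool resolves refs against the upstream repository.

```python
import re

# A `uses:` line: owner/repo(/subpath)@ref, optionally followed by a comment.
# Local actions (./path) and docker:// images have no owner/repo@ref shape and are skipped.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)\s*(?:#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed tag/branch -> commit map standing in for the network lookup the real
# tool performs against the upstream repository. All SHAs below are made up.
RESOLVED = {
    ("actions/checkout", "v4"): "8f4b7f84864484a7bf31766abe9204da3cbe65b3",
    ("dtolnay/rust-toolchain", "master"): "e97e2d8cc328f1b50210efc529dca0028893a2d9",
}
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@master
      - uses: ./.github/actions/local
      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
"""

def pin_workflow(text: str, resolved: dict) -> tuple[str, int]:
    """Rewrite mutable refs to commit SHAs, keeping the original ref as a trailing
    comment so the version stays readable. Returns (new_text, pinned_count)."""
    out, pinned = [], 0
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m["ref"]):
            sha = resolved.get((m["action"], m["ref"]))
            if sha:  # an unknown ref is left as-is rather than guessed
                line = f'{m["prefix"]}{m["action"]}@{sha} # {m["ref"]}'
                pinned += 1
        out.append(line)
    return "\n".join(out) + "\n", pinned

def verify_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line_no, action@ref) for every reference not pinned to a full SHA-1."""
    return [
        (no, f'{m["action"]}@{m["ref"]}')
        for no, line in enumerate(text.splitlines(), start=1)
        if (m := USES_RE.match(line)) and not FULL_SHA_RE.match(m["ref"])
    ]
```

Already-pinned lines and local `./` actions pass through untouched, so running `pin` twice is a no-op and `verify` on the rewritten file returns an empty list.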
```sh
curl -LsSf https://raw.githubusercontent.com/ffalcinelli/pinner/main/install.sh | sh
```
One-line installation for instant workflow security.
Remember to pin the pinner! If you use the Pinner GitHub Action in your workflows, you should hash-pin Pinner using Pinner itself.
Remember: If you don't pin the pinner, who pins the pinner's pinners? Mind the recursion.