Pre-submission checks

• I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
• I have looked through both the open and closed issues for a duplicate request.

What's the problem this feature will solve?

unpinned-tools mixes different threat models, which was briefly discussed in #1775 (comment).

If I had to categorize the threat models into different tiers:

Currently unpinned-tools only protect against accidental breaking changes. Outside of that, you have different degrees of remedies available. Which varies widely. I have collected some below.

Internally checked with checksum (T1)

• astral-sh/setup-uv
• securego/gosec (not configurable)
• zizmorcore/zizmor-action

Hardcoded to mutable reference (T3)

• super-linter/super-linter

Hardcoded to mutable reference (T4)

• mikefarah/yq

Hardcoded to latest (T5)

• pre-commit/action

with.version defaults to latest (T5), accepts mutable reference (T3)

• appleboy/ssh-action
• oven-sh/setup-bun (validates checksum, but tags are not locked)
• trufflesecurity/trufflehog

env.WRANGLER_VERSION defaults to 4 (T4), accepts mutable reference (T3)

• cloudflare/wrangler-action

with.override_version defaults to "" (T5), accepts hash (T1)

• ansible/ansible-lint

Describe the solution you'd like

The goals of the unpinned-tools audit should be clearly defined.

1. Is anything other than latest fine (i.e. T1-T4)?
2. Should it only alert if there's a remedy?
3. apt?
4. Indirect dependencies (pipx, npx, ...)?

Additional context

Practically I would say it should alert only if its on latest (implicit / explicit) and the user can do something about it. There's a slight mismatch with the security model in unpinned-tools and unpinned-uses, but there's not much you can do about it if you want to use most workflows / avoid alert fatigue.

I have not taken other audit rules into account.

Unsure if this fits better as an issue or discussion. Please move as appropriate.