GitHub Actions Supply Chain Risk: Unpinned Tags in Vulnerability-Scan CI Job
A critical supply chain vulnerability has been identified in a GitHub Actions CI/CD workflow. In the `.github/workflows/ci.yaml` file, the `vulnerability-scan` job references core actions such as `actions/checkout` and `actions/setup-go` by the mutable `@v6` tag. Because a tag is a movable reference that its owner (or anyone who compromises the action's repository) can re-point or force-push, this creates a direct risk that unreviewed code is pulled into the automated security scanning process. The anomaly is stark: every other job in the same workflow correctly pins its actions to immutable commit SHAs, which makes this oversight a glaring security gap in the very pipeline designed to find vulnerabilities.
The issue centers on the discrepancy between the `vulnerability-scan` job and the rest of the CI configuration. While the other jobs reference specific commits (e.g., `de0fac2e4500dabe0009e67214ff5f5447ce83dd` for `actions/checkout`), the security scan resolves the mutable `v6` tag at run time. This undermines the integrity of the CI/CD pipeline: if the action version behind that tag were compromised or tampered with, it would execute during the scan without any change to the workflow file to alert reviewers, and could exfiltrate secrets available to the job or manipulate the scan results.
This flaw represents a foundational security failure in a software supply chain. It signals a breakdown in internal security controls, where the tool meant to ensure safety is itself exposed. For any organization relying on this workflow, it introduces the risk that a trusted automation could be subverted. The fix is straightforward: replace the tags with the same SHA-pinned references used elsewhere in the file. That such a gap sits in a vulnerability scanning job highlights the need for consistent security hygiene across all automation code, ideally enforced by a check that fails the build whenever an unpinned action reference appears.
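As an added example (not code from the original report or the affected project), the following Python check scans a workflow file for `uses:` references that are not pinned to a full 40-character commit SHA. The sample workflow text is constructed here to mirror the described layout: the `build` job pins `actions/checkout` to the commit quoted above, while the `vulnerability-scan` job uses the mutable `v6` tag; the local helper action path is a placeholder.

```python
import re

# Matches `uses: owner/repo[/path]@ref`. Local actions (./path) and docker:// images
# have no `@ref` in this form and are deliberately skipped.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)")
# A full git commit SHA: exactly 40 lowercase hex characters. Short SHAs and tags fail this.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_uses(workflow_text):
    """Return (line_no, action, ref) for each third-party action not pinned to a full commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA_RE.match(ref):
            findings.append((line_no, action, ref))
    return findings


# Constructed sample modelled on the workflow described above (not the real ci.yaml).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: ./.github/actions/local-helper
  vulnerability-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-go@v6
      - run: go run ./cmd/scan
"""

if __name__ == "__main__":
    # Exit non-zero so the check can gate a pull request when run in CI.
    unpinned = find_unpinned_uses(SAMPLE_WORKFLOW)
    for line_no, action, ref in unpinned:
        print(f"line {line_no}: {action}@{ref} is not pinned to a full commit SHA")
    raise SystemExit(1 if unpinned else 0)
```

Run against a real workflow by reading the file into `find_unpinned_uses`; abbreviated SHAs are flagged as well, since only the full 40-character form is immutable in practice.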