Configuration & Environment
GitHub Actions workflows reference third-party actions by floating tags (`@v4`, `@main`) instead of immutable commit SHAs — a compromised action gets push access to the MCP server's CI on the next run.
Floating tags in GitHub Actions are mutable: the maintainer can re-point `@v4` to any commit at any time, and your next CI run silently picks it up. A compromise of a popular action's repo is one of the highest-leverage supply-chain attacks possible — it runs arbitrary code in every consumer's CI on the next push. The fix is pinning by 40-char commit SHA, which is immutable.
MCP servers ship via npm and PyPI, with release pipelines often running in GitHub Actions. A malicious release would flow to thousands of installs. Pinning actions by SHA is the cheap version of supply-chain hygiene — it doesn't prevent everything, but it eliminates the silent-mutation class.
```yaml
# .github/workflows/release.yml
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm publish
```
```yaml
# .github/workflows/release.yml
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-node@b39b52d1213e96004bfcb1c61a8a6fa8ab84f3e8 # v4.0.1
      - run: npm publish
```
Workflow YAML in `.github/workflows/*.yml` is scanned for `uses: <owner>/<repo>@<ref>` lines where `<ref>` is shorter than 40 chars (i.e., not a full commit SHA). References already pinned by SHA and first-party actions (the `actions/*` namespace; the list is configurable) can be allow-listed.
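As an added illustration of the detection described above (this is not MCPSafe's own scanner code), a minimal Python version of the check that treats a reference as pinned only when it is a full 40-hex commit SHA rather than merely 40 characters long, skips local (`./`) and `docker://` references that carry no git ref, and allow-lists the first-party `actions/*` namespace by default. The workflow it scans is a constructed sample, not a real project's file.

```python
import re
from typing import Iterable, List, Tuple

# Matches `uses: owner/repo[/path]@ref` (optionally quoted); stops at whitespace or a comment.
USES_RE = re.compile(r'''^\s*-?\s*uses:\s*["']?([^\s"'#]+)''')
# A pinned reference is exactly 40 lowercase hex characters (a full git commit SHA).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(
    workflow_yaml: str, allow_prefixes: Iterable[str] = ("actions/",)
) -> List[Tuple[int, str]]:
    """Return (line_no, reference) for every third-party action not pinned to a full commit SHA.

    Local actions (./path) and docker:// images have no git ref and are skipped;
    actions whose owner prefix is in allow_prefixes (first-party) are allow-listed.
    """
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(workflow_yaml.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        action, _, ref = ref_spec.partition("@")
        if any(action.startswith(p) for p in allow_prefixes):
            continue
        if not SHA_RE.match(ref):  # covers @v4, @main, short SHAs and a missing ref
            findings.append((line_no, ref_spec))
    return findings


# Constructed sample workflow (hypothetical org/action names); mixes every case the check handles.
SAMPLE_WORKFLOW = """\
# constructed sample, not a real project's workflow
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                 # first-party, allow-listed by default
      - uses: ./.github/actions/local-build      # local action, no git ref
      - uses: example-org/publish-action@v2      # floating tag -> flagged
      - uses: example-org/lint-action@main       # branch -> flagged
      - uses: example-org/deploy@abcdef1         # short SHA -> flagged
      - uses: example-org/notify@0123456789abcdef0123456789abcdef01234567  # pinned
      - run: npm publish
"""

if __name__ == "__main__":
    for line_no, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

Passing `allow_prefixes=()` flags `actions/*` as well, which is the stricter posture for a release pipeline that publishes to npm or PyPI.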
See the full threat catalog for every documented detection.
MCPSafe runs this check — and every other rule in the catalog — on any MCP server you paste in.