Global Options
These options can be used with any subcommand to modify Pinner's behavior.
-w, --workflows <PATH>
Default: Platform standard paths
Specify workflow files or directories to process. Can be used multiple times.
-y, --yes
Flag
Automatically confirm all replacements without prompting. Ideal for non-interactive environments (CI).
-d, --dry-run
Flag
Print what would be changed without actually modifying any files.
--format <TYPE>
Values: text, json, markdown
Output results in the specified format. markdown format is ideal for integration in PR comments.
--concurrency <NUM>
Default: 10
Number of concurrent API requests to make. Increase for large repositories, decrease to avoid rate limits.
--ignore <PATTERN>
Multiple
Actions or images to ignore (comma-separated, e.g., "actions/checkout"). Can be used multiple times.
--no-cache
Flag | Conflicts with --cache-ttl
Disable persistent disk caching (cacache) and memory caching completely for this run. Forces fresh remote requests.
--cache-ttl <SECONDS>
Default: 3600 | Conflicts with --no-cache
Set the cache Time-To-Live (TTL) in seconds. Cached entries older than this duration are automatically invalidated.
--offline
Flag | Conflicts with --check-osv
Force offline mode, preventing any network requests. Only cached dependencies can be resolved. Fails on cache misses.
Subcommands
pin
Scans workflows and replaces all mutable tags with immutable commit SHAs or image digests. This is the primary command for securing your supply chain.
upgrade
Updates pinned dependencies to newer versions based on the subcommand-specific --upgrade-strategy option.
--upgrade-strategy <STRATEGY>: Select bump strategy (latest,major,minor,commit).-i, --interactive: Prompt and select upgrades individually.
verify
Checks if all actions and images are pinned. Returns a non-zero exit code if unpinned dependencies are found. Perfect for CI/CD environments.
--check-osv: Query OpenSSF OSV to fail validation if any dependency hash has known vulnerabilities (requires online connection).--strict: Fail validation if any dependency is not explicitly added to thevettedwhitelist in.pinner.toml.
set <ACTION> <HASH>
Forcibly sets a specific action or image to a provided hash across all matching occurrences in your workflows.
install-hook
Installs a git pre-commit hook in your local repository that automatically runs pinner verify before every commit.
init
Automatically initializes a .pinner.toml configuration file for your repository with sensible defaults.
export-sbom
Generates and exports a Software Bill of Materials (SBOM) for all actions and container images used in your workflows.
scan
Queries OpenSSF OSV for vulnerabilities, performs Cosign provenance verification for OCI images, and prompts to save vetted whitelists and compromised blacklists in `.pinner.toml`.
Supports the --upgrade-strategy flag to scan candidates.
generate-completion [SHELL]
Generates shell completion scripts (Bash, Zsh, Fish, Powershell, Elvish). If the shell parameter is omitted, Pinner automatically detects your active shell environment.
Environment Variables
Pinner automatically reads these variables for authentication, caching overrides, and API configurations.
Authentication & APIs
| Variable | Description |
|---|---|
GITHUB_TOKEN |
API authentication token for GitHub (bypasses low rate-limits) |
GITLAB_TOKEN |
Auth token for GitLab API access |
BITBUCKET_TOKEN |
Auth token for Bitbucket API access |
FORGEJO_TOKEN |
Auth token for Forgejo/Gitea instances |
CIRCLECI_TOKEN |
Token for CircleCI GraphQL API orb queries |
PINNER_OCI_USERNAME |
Username for OCI Registries (use AWS for AWS ECR) |
PINNER_OCI_PASSWORD |
Password or login token for OCI Registries authentication |
Configuration Overrides
| Variable | Description |
|---|---|
PINNER_NO_CACHE |
Set to true to disable persistent disk caching (caches are bypassed). |
PINNER_CACHE_TTL |
Configure custom cache TTL duration in seconds. |
PINNER_CONCURRENCY |
Override the number of concurrent API requests. |
PINNER_IGNORE |
Override the list of ignored actions (comma-separated). |
PINNER_GITHUB_URL |
Override default GitHub API URL. Also available for GitLab, Bitbucket, Forgejo, and CircleCI. |
Cloud Provider Resolution
AWS ECR
To resolve private OCI digests from AWS ECR, pass the login token:
PINNER_OCI_USERNAME=AWS \
PINNER_OCI_PASSWORD=$(aws ecr get-login-password) \
pinner pin
Azure Marketplace
Tasks are automatically resolved to the microsoft/azure-pipelines-tasks monorepo to safely query and map release commit hashes.
CircleCI Orbs
Pinner supports Docker images inside CircleCI configs. CircleCI Orbs use semantic version routing and are not hash-pinned.
Configuration File
Create a .pinner.toml file in your repository root to persist settings and share security whitelists with your team.
Example .pinner.toml
# Actions to exclude from processing
ignore = ["actions/checkout", "my-org/private-repo"]
# Execution and Caching settings
concurrency = 5
no_cache = false
cache_ttl = 3600 # Cache TTL in seconds
# API URL overrides (for Enterprise instances)
github_url = "https://github.mycompany.com/api/v3"
gitlab_url = "https://gitlab.mycompany.com/api/v4"
# Whitelist of vetted dependency hashes/references
vetted = [
# Plain string format
"actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332",
# Structured format with original tag and insertion timestamp
{ ref = "actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10", tag = "v6.0.3", timestamp = "2026-06-18T15:28:25Z" }
]
# Blacklist of compromised dependency hashes/references
compromised = [
"actions/checkout@badhash1234567890badhash1234567890bad",
{ ref = "actions/checkout@evilhash1234567890evilhash1234567890bad", tag = "v3.1.0", timestamp = "2026-06-18T15:28:25Z" }
]
# Disable visual security feedback (default: false)
no_security_feedback = false
Global Configuration Hierarchy
Pinner automatically aggregates whitelists and blacklists from standard configuration paths. Locations checked (from lowest to highest precedence):
~/.cache/pinner/config.toml(Global caching)~/.config/pinner/config.toml(Global config)~/.pinner.toml(Home config).pinner.toml(Local project config - overrides all global values)
.pinner.toml serves as a strict override. If a dependency reference is marked vetted locally, it overrides global compromised flags, and if marked compromised locally, it overrides global vetted entries.