Secure your CI/CD workflows with Pinner

Automatically pin mutable tags to immutable SHA-1 hashes or OCI digests. Stop tag-jacking and supply chain attacks in milliseconds.

The Pinner Reaction Etymology

In organic chemistry, the Pinner reaction involves the acid-catalyzed conversion of a reactive nitrile into a highly stable salt.

"Just as the chemical reaction transforms a volatile compound into a stable, fixed salt, this CLI transforms floating tags into secure, immutable commit SHAs."

Terminal - Verification & Security Auditing

$ pinner pin --cache-ttl 7200

Searching for workflows in .github/workflows/...

actions/checkout@v4 -> actions/checkout@8f4b7f84... # v4 [✓ vetted]

dtolnay/rust-toolchain@master -> dtolnay/rust-toolchain@e97e2d8c... # master [? not checked]

Successfully pinned 12 actions across 3 files! [Cache updated - TTL 2h]

$ pinner verify --check-osv --strict

Verifying dependencies against configuration and OSV database...

✔ actions/checkout@8f4b7f84... (No known vulnerabilities)

✔ dtolnay/rust-toolchain@e97e2d8c... (Vetted locally)

All scanned dependencies are secure and properly pinned! ✅

High Performance

Written in Rust with AST parsing via tree-sitter. Optimized with concurrent resolving and persistent disk caching (cacache) to scan hundreds of files in milliseconds.

Cosign Provenance

Supports OCI registry image pinning, Docker credential lookups via desktop helpers, and performs automated structural Sigstore/Cosign provenance and signature checks.

OSV Database Auditing

Direct integration with the OpenSSF OSV vulnerability database. Scans and filters dependencies for vulnerabilities, and fails verification if compromised hashes are detected.

Enterprise Controls

Configure trust whitelists, local policy overrides, and rate-limits in .pinner.toml. Supports private registries, AWS ECR, Azure DevOps, and custom git forges.

Install Pinner

curl -LsSf https://raw.githubusercontent.com/ffalcinelli/pinner/main/install.sh | sh
Copied to clipboard!

One-line installation for instant workflow security.

Pinnerception: The Recursive Paradox 🌀

Remember to pin the pinner! If you run the Pinner Action in your CI pipelines, you should hash-pin Pinner using Pinner itself.

"Trusting a security action to verify your pinned dependencies using a mutable tag is like hiring a security guard who leaves the keys under the doormat."

Remember: If you don't pin the pinner, who pins the pinner's pinners? Mind the recursion.