Automatically pin mutable tags to immutable SHA-1 hashes or OCI digests. Stop tag-jacking and supply chain attacks in milliseconds.
In organic chemistry, the Pinner reaction involves the acid-catalyzed conversion of a reactive nitrile into a highly stable salt.
"Just as the chemical reaction transforms a volatile compound into a stable, fixed salt, this CLI transforms floating tags into secure, immutable commit SHAs."
$ pinner pin --cache-ttl 7200
Searching for workflows in .github/workflows/...
actions/checkout@v4 -> actions/checkout@8f4b7f84... # v4 [✓ vetted]
dtolnay/rust-toolchain@master -> dtolnay/rust-toolchain@e97e2d8c... # master [? not checked]
Successfully pinned 12 actions across 3 files! [Cache updated - TTL 2h]
$ pinner verify --check-osv --strict
Verifying dependencies against configuration and OSV database...
✔ actions/checkout@8f4b7f84... (No known vulnerabilities)
✔ dtolnay/rust-toolchain@e97e2d8c... (Vetted locally)
All scanned dependencies are secure and properly pinned! ✅
Written in Rust with AST parsing via tree-sitter. Optimized with concurrent resolving and persistent disk caching (cacache) to scan hundreds of files in milliseconds.
Supports OCI registry image pinning, Docker credential lookups via desktop helpers, and performs automated structural Sigstore/Cosign provenance and signature checks.
Direct integration with the OpenSSF OSV vulnerability database. Scans and filters dependencies for vulnerabilities, and fails verification if compromised hashes are detected.
Configure trust whitelists, local policy overrides, and rate-limits in .pinner.toml. Supports private registries, AWS ECR, Azure DevOps, and custom git forges.
curl -LsSf https://raw.githubusercontent.com/ffalcinelli/pinner/main/install.sh | sh
One-line installation for instant workflow security.
Remember to pin the pinner! If you run the Pinner Action in your CI pipelines, you should hash-pin Pinner using Pinner itself.
Remember: If you don't pin the pinner, who pins the pinner's pinners? Mind the recursion.