🐛 include workflow uses when checking for unpinned dependencies (#4681)

* 🐛 include workflow uses when checking for unpinned dependencies

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* rename createUnpinnedDep -> newGHActionDependency

Signed-off-by: Adam Korczynski <adam@adalogics.com>

* remove comment

Signed-off-by: Adam Korczynski <adam@adalogics.com>

---------

Signed-off-by: Adam Korczynski <adam@adalogics.com>

Author: AdamKorcz

checks/raw/pinned_dependencies.go

@@ -744,6 +744,17 @@ var validateGitHubActionWorkflow fileparser.DoWhileTrueOnFileContent = func(
 		if len(fileparser.GetJobName(job)) > 0 {
 			jobName = fileparser.GetJobName(job)
 		}
+
+		if job.WorkflowCall != nil && job.WorkflowCall.Uses != nil {
+			//nolint:lll
+			// Check whether this is an action defined in the same repo,
+			// https://docs.github.com/en/actions/learn-github-actions/finding-and-customizing-actions#referencing-an-action-in-the-same-repository-where-a-workflow-file-uses-the-action.
+			if !strings.HasPrefix(job.WorkflowCall.Uses.Value, "./") {
+				dep := newGHActionDependency(job.WorkflowCall.Uses.Value, pathfn, job.WorkflowCall.Uses.Pos.Line)
+				pdata.Dependencies = append(pdata.Dependencies, dep)
+			}
+		}
+
 		for _, step := range job.Steps {
 			if !fileparser.IsStepExecKind(step, actionlint.ExecKindAction) {
 				continue
@@ -767,32 +778,36 @@ var validateGitHubActionWorkflow fileparser.DoWhileTrueOnFileContent = func(
 			if strings.HasPrefix(execAction.Uses.Value, "./") {
 				continue
 			}
-
-			dep := checker.Dependency{
-				Location: &checker.File{
-					Path:      pathfn,
-					Type:      finding.FileTypeSource,
-					Offset:    uint(execAction.Uses.Pos.Line),
-					EndOffset: uint(execAction.Uses.Pos.Line), // `Uses` always span a single line.
-					Snippet:   execAction.Uses.Value,
-				},
-				Pinned: asBoolPointer(isActionDependencyPinned(execAction.Uses.Value)),
-				Type:   checker.DependencyUseTypeGHAction,
-			}
-			parts := strings.SplitN(execAction.Uses.Value, "@", 2)
-			if len(parts) > 0 {
-				dep.Name = asPointer(parts[0])
-				if len(parts) > 1 {
-					dep.PinnedAt = asPointer(parts[1])
-				}
-			}
+			dep := newGHActionDependency(execAction.Uses.Value, pathfn, execAction.Uses.Pos.Line)
 			pdata.Dependencies = append(pdata.Dependencies, dep)
 		}
 	}
 
 	return true, nil
 }
 
+func newGHActionDependency(uses, pathfn string, line int) checker.Dependency {
+	dep := checker.Dependency{
+		Location: &checker.File{
+			Path:      pathfn,
+			Type:      finding.FileTypeSource,
+			Offset:    uint(line),
+			EndOffset: uint(line), // `Uses` always span a single line.
+			Snippet:   uses,
+		},
+		Pinned: asBoolPointer(isActionDependencyPinned(uses)),
+		Type:   checker.DependencyUseTypeGHAction,
+	}
+	parts := strings.SplitN(uses, "@", 2)
+	if len(parts) > 0 {
+		dep.Name = asPointer(parts[0])
+		if len(parts) > 1 {
+			dep.PinnedAt = asPointer(parts[1])
+		}
+	}
+	return dep
+}
+
 func isActionDependencyPinned(actionUses string) bool {
 	localActionRegex := regexp.MustCompile(`^\..+[^/]`)
 	if localActionRegex.MatchString(actionUses) {

checks/raw/pinned_dependencies_test.go

@@ -1753,6 +1753,21 @@ func TestGitHubWorkflowUsesLineNumber(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:     "job uses with no steps",
+			filename: "./testdata/.github/workflows/github-workflow-job-uses.yaml",
+			expected: []struct {
+				dependency string
+				startLine  uint
+				endLine    uint
+			}{
+				{
+					dependency: "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0",
+					startLine:  30,
+					endLine:    30,
+				},
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

checks/raw/testdata/.github/workflows/github-workflow-job-uses.yaml

@@ -0,0 +1,30 @@
+# Copyright 2025 OpenSSF Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Docker
+on:
+  push:
+    branches:
+      - main
+    # Publish `v1.2.3` tags as releases.
+    tags:
+      - v*
+  # Run tests for any PRs.
+  pull_request:
+env:
+  IMAGE_NAME: gitcache
+
+jobs:
+  push:
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0