Skip to content
Latchkey

Third-Party Action Risk - CI/CD Glossary Definition

Third-party action risk is the danger that an external action you call could steal secrets or tamper with your build.

Third-party action risk is the supply-chain exposure from using actions you do not control, since a compromised or malicious action runs with your workflow token and secrets.

Mitigations include pinning to a SHA, reviewing the action source, restricting GITHUB_TOKEN permissions, and limiting which actions a repository is allowed to run.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →