Creator and maintainer of vet here. We have been working on malicious OSS code identification through static code analysis for a while.
After the recent tj-actions/changed-files hack, we wanted the ability to scan GitHub Action code as well, since most of them are JavaScript anyway.
One of the challenges with scanning GHA compared to other package registries such as PyPI and npm is immutability. While npm, PyPI, etc. guarantee immutability for a published version of an artifact, GHA tags are mutable. This means we cannot trust the results of a tag (e.g. v1) scanned in the past.
To work around this problem for GitHub Actions scanning, we chose to always resolve a given tag/branch to a commit SHA before actually performing code analysis.
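The tag-to-SHA resolution described above, as an added illustration that is not vet's own code and was not posted by its author. It assumes the shape of `git ls-remote --tags --heads` output (two columns, object ID and ref name), constructed sample data for a hypothetical `example/action` repository, and a hypothetical `uses:` line regex. The one detail worth showing is annotated tags: ls-remote lists the tag object itself under `refs/tags/v1` and the commit it points at under the peeled `refs/tags/v1^{}`, and it is the peeled commit that the code analysis must be keyed on.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// fullSHA matches a 40-hex commit SHA, i.e. a reference that is already pinned.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// RefTable maps fully qualified refs (refs/heads/..., refs/tags/..., refs/tags/...^{})
// to object IDs, as reported by the remote.
type RefTable map[string]string

// ParseLsRemote parses "<oid>\t<ref>" lines in the shape `git ls-remote --tags --heads <url>` prints.
func ParseLsRemote(out string) RefTable {
	t := RefTable{}
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue
		}
		t[fields[1]] = fields[0]
	}
	return t
}

// ResolveRef turns a tag or branch name into a commit SHA. An annotated tag appears twice in
// ls-remote output: refs/tags/X is the tag object, refs/tags/X^{} is the peeled commit. The peeled
// entry is tried first so that analysis is keyed on the commit, not on the (mutable) tag.
func (t RefTable) ResolveRef(ref string) (string, error) {
	if fullSHA.MatchString(ref) {
		return ref, nil // already a commit SHA, nothing to resolve
	}
	for _, candidate := range []string{
		"refs/tags/" + ref + "^{}",
		"refs/tags/" + ref,
		"refs/heads/" + ref,
	} {
		if sha, ok := t[candidate]; ok {
			return sha, nil
		}
	}
	return "", fmt.Errorf("ref %q not found on remote", ref)
}

// usesLine matches `uses: owner/repo[/subpath]@ref` in a workflow (hypothetical, illustrative regex).
var usesLine = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s#]+)(.*)$`)

// PinWorkflow rewrites every `uses:` reference to the commit SHA the tag/branch currently points
// at, keeping the original ref as a trailing comment. remotes supplies a RefTable per owner/repo.
func PinWorkflow(workflow string, remotes map[string]RefTable) (string, error) {
	var out []string
	for _, line := range strings.Split(workflow, "\n") {
		m := usesLine.FindStringSubmatch(line)
		if m == nil {
			out = append(out, line) // not a `uses:` line (or a local/docker action)
			continue
		}
		prefix, path, ref, rest := m[1], m[2], m[3], m[4]
		parts := strings.SplitN(path, "/", 3)
		repo := parts[0] + "/" + parts[1] // subpath actions live in the same repository
		table, ok := remotes[repo]
		if !ok {
			return "", fmt.Errorf("no ref table for %s", repo)
		}
		sha, err := table.ResolveRef(ref)
		if err != nil {
			return "", err
		}
		if sha == ref {
			out = append(out, line) // already pinned, leave untouched
			continue
		}
		out = append(out, fmt.Sprintf("%s%s@%s # %s%s", prefix, path, sha, ref, rest))
	}
	return strings.Join(out, "\n"), nil
}

// Constructed sample ls-remote output for a hypothetical repository (not real data):
// v1 is an annotated tag (tag object + peeled commit), v1.2.0 is a lightweight tag.
const sampleLsRemote = `0123456789abcdef0123456789abcdef01234567	refs/heads/main
89abcdef0123456789abcdef0123456789abcdef	refs/tags/v1
fedcba9876543210fedcba9876543210fedcba98	refs/tags/v1^{}
5555555555555555555555555555555555555555	refs/tags/v1.2.0
`

// Constructed sample workflow exercising a tag, a branch, an already-pinned SHA and a non-uses line.
const sampleWorkflow = `jobs:
  build:
    steps:
      - uses: example/action@v1
      - uses: example/action@main
      - uses: example/action@5555555555555555555555555555555555555555
      - run: echo hello
`

func main() {
	remotes := map[string]RefTable{"example/action": ParseLsRemote(sampleLsRemote)}
	pinned, err := PinWorkflow(sampleWorkflow, remotes)
	if err != nil {
		panic(err)
	}
	fmt.Println(pinned)
}
```

Resolving `v1` here yields the peeled commit `fedcba98...`, not the tag object `89abcdef...`; resolving a lightweight tag or a branch returns the object ID directly. Because the SHA is captured at resolution time, a later re-point of `v1` produces a different SHA and therefore a fresh analysis rather than a stale cached verdict.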