Info: Possibly incomplete results: error parsing shell code: & can only immediately follow a statement: src/runtime-tools/win64/Dockerfile:14
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:255: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:257: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:284: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:317: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:324: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:325: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:332: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:365: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:367: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:373: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:416: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:417: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:426: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:536: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:539: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:601: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:124: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:223: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:225: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:229: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:355: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:356: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:399: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:400: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:409: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:609: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:612: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:660: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:339: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:340: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:347: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:380: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:382: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:392: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:671: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:672: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:676: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:116: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:135: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:166: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:236: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:239: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:248: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:445: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:446: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:450: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:454: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:458: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:462: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:466: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:470: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:474: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:478: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:482: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:529: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:191: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:208: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:209: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/ci.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:29: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codeql-analysis.yml:55: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/codeql-analysis.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/sync-issue-to azure-devops-work-item.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/sync-issue-to azure-devops-work-item.yml/main?enable=pin
Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/validate-devcontainer.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/validate-devcontainer.yml/main?enable=pin
Warn: third-party GitHubAction not pinned by hash: .github/workflows/validate-devcontainer.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/microsoft/onefuzz/validate-devcontainer.yml/main?enable=pin
Warn: containerImage not pinned by hash: .devcontainer/Dockerfile:5
Warn: containerImage not pinned by hash: src/Dockerfile:6
Warn: containerImage not pinned by hash: src/Dockerfile:35: pin your Docker image by updating mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04 to mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04@sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19
Warn: containerImage not pinned by hash: src/runtime-tools/linux/Dockerfile:4: pin your Docker image by updating mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04 to mcr.microsoft.com/oss/mirror/docker.io/library/ubuntu:20.04@sha256:fd92c36d3cb9b1d027c4d2a72c6bf0125da82425fc2ca37c414d4f010180dc19
Warn: containerImage not pinned by hash: src/runtime-tools/win64/Dockerfile:6
Warn: downloadThenRun not pinned by hash: .devcontainer/Dockerfile:20
Warn: pipCommand not pinned by hash: src/Dockerfile:16-24
Warn: npmCommand not pinned by hash: .devcontainer/install-dependencies.sh:12
Warn: pipCommand not pinned by hash: .devcontainer/install-dependencies.sh:15
Warn: nugetCommand not pinned by hash: .devcontainer/post-create-script.sh:13: pin your dependecies by either enabling central package management (https://learn.microsoft.com/nuget/consume-packages/Central-Package-Management) or using a lockfile (https://learn.microsoft.com/nuget/consume-packages/package-references-in-project-files#locking-dependencies)
Warn: pipCommand not pinned by hash: .devcontainer/post-create-script.sh:24
Warn: pipCommand not pinned by hash: .devcontainer/post-create-script.sh:30
Warn: pipCommand not pinned by hash: .devcontainer/post-create-script.sh:35
Warn: pipCommand not pinned by hash: src/ci/check-check-pr.sh:6
Warn: pipCommand not pinned by hash: src/ci/check-check-pr.sh:7
Warn: pipCommand not pinned by hash: src/ci/onefuzztypes.sh:11
Warn: pipCommand not pinned by hash: src/ci/onefuzztypes.sh:14
Warn: pipCommand not pinned by hash: src/ci/onefuzztypes.sh:27
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:199
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:200
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:490
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:491
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:153
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:154
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:157
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:158
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:176
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:217
Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:218
Warn: npmCommand not pinned by hash: .github/workflows/ci.yml:266
Info: 0 out of 68 GitHub-owned GitHubAction dependencies pinned
Info: 3 out of 10 third-party GitHubAction dependencies pinned
Info: 0 out of 5 containerImage dependencies pinned
Info: 0 out of 1 downloadThenRun dependencies pinned
Info: 2 out of 23 pipCommand dependencies pinned
Info: 0 out of 2 npmCommand dependencies pinned
Info: 2 out of 3 nugetCommand dependencies pinned