Flag workflows that depend on a GitHub Action with injection in the same repo or same org #70

@fproulx-boostsecurity

Description

This would be sort of a second-order / second-pass process, maybe, because we may scan a repo in an org as just a "pkg:github/", discover that it happens to be a GitHub Action (with an action.yml somewhere), and later (or before) we see a workflow which depends on that action. If the action we scanned has an injection, then the workflow has a "0-day" vulnerable dep. Ideally, we need to rescan the action's repo on the actual tag / commit that is used for the dependency (e.g. `uses: corp/my-action@v3`).
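The second-pass join described above, as an added example that is not part of this issue or of the project's scanner. It assumes: a composite action.yml whose `run:` step interpolates a `${{ inputs.* }}` or `${{ github.event.* }}` expression is the "injection" being tracked; workflow dependencies are the `uses: owner/repo@ref` lines; the first pass recorded which ref of the action was scanned. The action.yml and the two workflows are constructed samples, and `corp/my-action` is taken from the issue text. YAML is handled line by line here (a production scanner should use a real YAML parser).

```python
import re
from dataclasses import dataclass

# Expression roots a caller can influence. In a composite action, `inputs.*` is
# attacker-reachable whenever the calling workflow forwards event data into it.
UNTRUSTED_ROOTS = ("inputs.", "github.event.", "github.head_ref")

# `uses: owner/repo[/path]@ref`; local (./) and docker:// references do not match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+)(?:/[^@\s]+)?@([^\s#]+)"
)
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")


@dataclass
class Injection:
    line: int
    expression: str


def run_blocks(text):
    """Yield (line_number, text) for every line belonging to a `run:` step.

    Minimal line-oriented handling (assumption: conventional indentation).
    Inline scalars (`run: echo ...`) and block scalars (`run: |`) are covered.
    """
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^(\s*)(?:-\s+)?run:\s*(.*)$", lines[i])
        if not m:
            i += 1
            continue
        indent, rest = len(m.group(1)), m.group(2)
        if rest and not rest.startswith(("|", ">")):
            yield i + 1, rest  # inline scalar
            i += 1
            continue
        i += 1
        # block scalar: every following line indented deeper than the `run:` key
        while i < len(lines) and (
            not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent
        ):
            yield i + 1, lines[i]
            i += 1


def find_action_injections(action_yml):
    """First pass: untrusted expressions interpolated directly into shell."""
    return [
        Injection(lineno, expr)
        for lineno, text in run_blocks(action_yml)
        for expr in EXPR_RE.findall(text)
        if expr.startswith(UNTRUSTED_ROOTS)
    ]


def extract_uses(workflow_yml):
    """Return [(owner/repo, ref)] for every remote action the workflow pins."""
    return [m.groups() for m in map(USES_RE.match, workflow_yml.splitlines()) if m]


def flag_workflows(workflows, scanned_actions):
    """Second pass: join workflow dependencies against already-scanned actions.

    scanned_actions: {"owner/repo": {"ref": <ref scanned>, "injections": [...]}}
    A finding is marked needs_rescan when the workflow pins a different ref
    than the one scanned, so the action must be rescanned at that exact
    tag/commit before the dependency is confirmed vulnerable.
    """
    findings = []
    for wf_name, wf_text in workflows.items():
        for repo, ref in extract_uses(wf_text):
            scan = scanned_actions.get(repo)
            if not scan or not scan["injections"]:
                continue
            findings.append({
                "workflow": wf_name,
                "action": repo,
                "used_ref": ref,
                "scanned_ref": scan["ref"],
                "needs_rescan": ref != scan["ref"],
                "injections": [f"line {i.line}: {i.expression}" for i in scan["injections"]],
            })
    return findings


# --- constructed samples (not real repositories) -----------------------------
ACTION_YML = """\
name: Post comment
description: Constructed composite action with an expression injection
inputs:
  title:
    description: Issue title forwarded by the caller
    required: true
runs:
  using: composite
  steps:
    - name: Echo title
      shell: bash
      run: |
        echo "Processing: ${{ inputs.title }}"
    - name: Safe variant
      shell: bash
      env:
        TITLE: ${{ inputs.title }}
      run: echo "Processing: $TITLE"
"""

WORKFLOWS = {
    "ci.yml": """\
name: CI
on:
  issues:
    types: [opened]
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: corp/my-action@v3
        with:
          title: ${{ github.event.issue.title }}
""",
    "lint.yml": """\
name: Lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make lint
""",
}

# First pass scanned corp/my-action on its default branch, not on v3.
SCANNED_ACTIONS = {
    "corp/my-action": {"ref": "main", "injections": find_action_injections(ACTION_YML)},
}

if __name__ == "__main__":
    for f in flag_workflows(WORKFLOWS, SCANNED_ACTIONS):
        print(f)
```

Only the `echo` inside `run: |` is reported; the variant that passes the input through `env:` is the safe pattern and produces no finding. The `needs_rescan` flag is the point of the issue: the injection was observed on `main`, while ci.yml pins `v3`, so the result is provisional until the action is rescanned at that ref.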
