Only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes

May 27, 2026

Only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes — This cybersecurity statistic was published by DataDog in May 2026. It covers topics including DevSecOps. The original data appears in State of DevSecOps. For the full methodology and detailed findings, refer to the original report.

Source

View Original Report

Published on 2/26/2026

Share or Copy this stat

Frequently Asked Questions

What does this statistic say?

Only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes This data was published by DataDog and covers DevSecOps.

Where does this data come from?

This statistic comes from State of DevSecOps, published by DataDog on May 27, 2026. You can view the original report at https://www.datadoghq.com/state-of-devsecops/.

What cybersecurity topics does this cover?

This statistic relates to DevSecOps. Browse more statistics on DevSecOps or from DataDog.

CYBERSTATS

Only 4% of organizations pin all public GitHub Actions to a specific version using commit hashes

Source

Share or Copy this stat

Frequently Asked Questions

Want More Statistics Like This?

Related Statistics

18% of vulnerabilities labeled "critical" remain critical once runtime context is applied

Services using end-of-life language versions face exploitable vulnerabilities in 50% of cases

50% of organizations adopt new library versions within 24 hours of release

Services using supported language versions face exploitable vulnerabilities in 31% of cases

The median software dependency is 278 days out of date, 63 days further behind than last year

More than four out of five CISOs oversee secure software development (DevSecOps).

Browse by Topic

Stay Ahead of Cyber Threats