Product Security Knowledge Base

Third-Party Component Review Checklist

Use this when reviewing marketplace actions, SDKs, Docker images, Helm charts, or public GitHub components before adoption.

Review prompts

  • what capability or trust does the component receive?
  • who owns updates, pinning, and emergency removal?
  • is the source pinned to a digest, version, or commit rather than a mutable tag?
  • does the component handle secrets, tokens, signing, or deployment authority?
  • is there a simpler native alternative?
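The pinning prompt above is the one that can be checked mechanically before a human review. The following is an added example, not code from the original page or from any of the projects it mentions: a small Python checker that classifies `uses:` references in a GitHub Actions workflow and `FROM` references in a Dockerfile as pinned to an immutable identifier (commit SHA or image digest), pinned to a version tag (named, but the tag can still be re-pointed), or mutable (branch name, `latest`, or no tag at all). The workflow and Dockerfile fragments, the commit SHA and the digest are all constructed sample input; the function names and the pass/warn/fail verdicts are this example's own conventions.

```python
import re

# Constructed sample inputs (not from the original page): a workflow fragment
# and a Dockerfile fragment mixing immutable pins, version tags and mutable refs.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: docker/login-action@main
      - uses: ./.github/actions/local-step
"""

SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
FROM alpine:3.19@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM ubuntu:latest
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)", re.MULTILINE)
FROM_RE = re.compile(r"^FROM\s+(\S+)", re.MULTILINE | re.IGNORECASE)

# Example verdict scheme: only identifiers that cannot move pass outright.
VERDICT = {"commit": "pass", "digest": "pass", "local": "pass",
           "tag": "warn", "mutable": "fail"}


def classify_action_ref(ref):
    """Classify a GitHub Actions `uses:` reference.

    'local'   - in-repo action (./path), reviewed with the repo itself
    'commit'  - full 40-hex commit SHA, immutable
    'tag'     - version-like tag (v4, v1.2.3); named, but re-pointable upstream
    'mutable' - branch name or missing ref
    """
    if ref.startswith("./"):
        return "local"
    if "@" not in ref:
        return "mutable"
    pin = ref.rpartition("@")[2]
    if SHA1_RE.match(pin):
        return "commit"
    if VERSION_TAG_RE.match(pin):
        return "tag"
    return "mutable"


def classify_image_ref(ref):
    """Classify a container image reference from a Dockerfile FROM line.

    'digest'  - @sha256:<64 hex>, immutable
    'tag'     - named tag other than latest; can be re-pushed by the publisher
    'mutable' - no tag, or the implicit/explicit latest tag
    """
    if DIGEST_RE.search(ref):
        return "digest"
    # Split on the last path component so a registry host:port is not mistaken
    # for name:tag (e.g. localhost:5000/app).
    last = ref.rpartition("/")[2]
    _, _, tag = last.partition(":")
    if not tag or tag == "latest":
        return "mutable"
    return "tag"


def review_pins(workflow_text, dockerfile_text):
    """Return (directive, ref, kind, verdict) for every third-party reference found."""
    findings = []
    for ref in USES_RE.findall(workflow_text):
        kind = classify_action_ref(ref)
        findings.append(("uses", ref, kind, VERDICT[kind]))
    for ref in FROM_RE.findall(dockerfile_text):
        kind = classify_image_ref(ref)
        findings.append(("FROM", ref, kind, VERDICT[kind]))
    return findings


def has_unpinned(findings):
    """True when at least one reference can silently change between runs."""
    return any(verdict == "fail" for _, _, _, verdict in findings)


if __name__ == "__main__":
    for directive, ref, kind, verdict in review_pins(SAMPLE_WORKFLOW, SAMPLE_DOCKERFILE):
        print(f"{verdict:4} {directive:4} {ref}  ({kind})")
```

Version tags are reported as warnings rather than passes on purpose: a tag like `v4` is pinned by name but the publisher can move it, so the checklist's "digest, version, or commit" preference still leaves a gap that a commit SHA or image digest closes. The script reads constructed text inline; pointing it at real files means reading `.github/workflows/*.yml` and the Dockerfiles of the component under review.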

Go / no-go signal

The component is lower-risk when its purpose is narrow, the version is pinned, update ownership is clear, and its permissions are no broader than the workflow step really needs.