From 5bf02e73ea2ab7cc8e12ef8fd784df1a183f007a Mon Sep 17 00:00:00 2001
From: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com>
Date: Mon, 4 Nov 2024 11:30:29 -0500
Subject: [PATCH] Update ql/src/Security/CWE-829/UnpinnedActionsTag.ql
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Alvaro Muñoz <pwntester@github.com>
---
 ql/src/Security/CWE-829/UnpinnedActionsTag.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
index 10c21bc368b..95498d6be5a 100644
--- a/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+++ b/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -18,7 +18,7 @@ private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f
 
 bindingset[repo]
 private predicate isTrustedOrg(string repo) {
-  exists(string org | org in ["actions", "github", "advanced-security"] | repo.matches(org + "/%"))
+  repo.matches(["actions", "github", "advanced-security"] + "/%"))
 }
 
 from UsesStep uses, string repo, string version, Workflow workflow, string name