BEYOND FEATURES

© 2026 Beyond Features

Tags: DevSecOps, CI/CD, GitHub Actions, supply chain security, Datadog, security marketing, developer marketing, shift smart

The 4% Problem: Why Your CI/CD Pipeline Is a Supply Chain Attack Waiting to Happen

Datadog found only 4% of orgs pin GitHub Actions to a full SHA. Everyone's covering the 87% stat. Nobody's talking about the one that matters more.

March 8, 2026 · 4 min read · by Beatriz

[Image: server room with blinking lights. Photo by Taylor Vick on Unsplash]

Datadog's State of DevSecOps 2026 report dropped February 26. The headline everyone picked up: 87% of organizations are running known exploitable vulnerabilities. Big number. Good press.

But it's not the number that should change how you think about security marketing. This is: only 4% of organizations pin their GitHub Actions to a full SHA. 71% leave them completely unpinned.


Why 4% Matters More Than 87%

The 87% stat is scary in a vague way. "Most companies have vulnerabilities" has been true for 20 years. It confirms what everyone believes. It doesn't change behavior.

The 4% stat is scary in a specific, actionable way. It tells you exactly where the gap is, what the fix looks like, and how few people are doing it. A developer can act on it in an afternoon — and almost nobody has.

That's the difference between security marketing that gets retweeted and security marketing that gets implemented.


The Attack Surface

Pinning method | What it means                               | % of orgs | Risk
Full SHA pin   | Locked to exact commit hash — immutable     | 4%        | Lowest — you get exactly what you audited
Version tag    | Pinned to v3 or v3.1 — mutable tag          | ~25%      | Medium — tag can be moved by maintainer or attacker
Unpinned       | @main or no version — always latest         | 71%       | Highest — upstream changes run in your pipeline automatically

When a GitHub Action is unpinned, you're running third-party code in your CI/CD pipeline with full access to secrets, artifacts, and deploy credentials — and anyone who compromises the maintainer can change what that code does. No review. No approval. No alert.

This isn't theoretical. The tj-actions/changed-files compromise already exploited this exact pattern.
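As an added example (not code from the post or from Datadog's report), here is a small audit script that sorts every `uses:` reference in a workflow file into the three buckets from the table above, so a reviewer can see which steps run whatever upstream ships next. The workflow text and the 40-hex commit hash are constructed placeholders.

```python
import re

# Constructed sample workflow: one uses: line per pinning style from the table.
# The 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.1.1
      - uses: actions/setup-node@v4
      - uses: tj-actions/changed-files@main
      - uses: some-org/some-action
      - uses: ./.github/actions/local-step
      - run: npm test
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # git SHA-1: immutable
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")    # v4, v3.1, 1.2.3: mutable tag

def classify_ref(ref):
    """Map one uses: reference to the report's buckets: sha, tag, unpinned."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "local/docker"          # not a GitHub-hosted action ref; out of scope
    if "@" not in ref:
        return "unpinned"              # no version at all: always latest
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha"
    if VERSION_TAG_RE.match(version):
        return "tag"
    return "unpinned"                  # branch names such as main

def audit_workflow(text):
    """Return (ref, category) for every uses: line in a workflow file."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            findings.append((m.group(1), classify_ref(m.group(1))))
    return findings

def unpinned_refs(text):
    """What a reviewer should block on: any action not locked to a full SHA."""
    return [ref for ref, cat in audit_workflow(text) if cat in ("tag", "unpinned")]

if __name__ == "__main__":
    for ref, cat in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{cat:13} {ref}")
```

Run it over `.github/workflows/*.yml` in CI and fail the job when `unpinned_refs` is non-empty; the `# v4.1.1` comment beside a SHA pin is the convention that keeps the human-readable version visible.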


What This Means for Security Marketing

If you're marketing CI/CD security, supply chain security, or DevSecOps — the 4% stat is a gift.

1. It's specific enough to be actionable. "Pin your GitHub Actions to a full SHA" is a sentence a developer can act on. "Remediate your vulnerabilities" is not. Specificity is credibility in security marketing.

2. It's underserved. Everyone is writing about the 87%. The marketing angle on GitHub Actions pinning — why this matters for how you message and sell security — is wide open.

3. It kills the "shift left" cliché. Developers already know they should pin dependencies. They're not doing it because tooling doesn't make it easy and defaults are wrong. This is where "shift smart" enters — context-aware, runtime-informed security feedback directly where developers work.


"Shift Smart" Is the Reframe

Datadog's report and several DevSecOps trend pieces converge on the same idea: stop telling developers to "shift left." They've heard it for a decade.

"Shift smart" means:

  • Context-aware feedback — only 18% of critical vulns remain critical with runtime context. That destroys traditional vuln-count marketing.
  • In-the-workflow — surface risk in the IDE, the PR, the pipeline. Not a dashboard nobody checks.
  • Agentic remediation — AI that triages vulns, writes patches, runs regression tests, submits PRs. Same "fleet manager" pattern from Anthropic's agentic coding report.

If you're a security vendor and you're first to own "shift smart" messaging with data like the 4% stat backing it up, you claim positioning nobody else has.


The Content Play

Asset           | Angle                                                        | Timing
Blog post       | "The 4% Problem" — GitHub Actions pinning deep dive          | This week — report still generating coverage
LinkedIn        | Lead with 4%, contrast with the 87% everyone else covers     | Same day as blog
Technical guide | How to audit and pin your GitHub Actions to full SHA         | Evergreen — pair with blog for SEO
Talk pitch      | "Why 96% of CI/CD Pipelines Are Trusting Strangers"          | Q2 CFP season

The window is open. The 87% is getting the attention. The 4% is sitting there, specific and actionable, waiting for someone to build a campaign around it.

Be the marketer who gives developers something they can fix today — not another fear stat they'll forget by tomorrow.


Sources: Datadog State of DevSecOps 2026 | Datadog Press Release | Datadog Blog — Key Learnings | StepSecurity — tj-actions Analysis | Help Net Security — Supply Chain Risk
