The results are quite sobering. Many of the recent supply chain attacks were preventable, since zizmor is pointing out the exact weaknesses that were used: unpinned dependencies, template injection, ... and many more.
Happy for any input and feedback on the data and presentation, as well as ideas on how we use this to improve the security posture of our open source community!
In case you want to leave an issue or star: https://github.com/datosh/pinned-actions
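A minimal form of the two checks named above (full-SHA pinning of `uses:` references, and untrusted event data expanded inside `run:` steps), added here as example code that is not part of zizmor or the pinned-actions repository; the workflow text and the commit SHA are constructed placeholders:

```python
import re

# Constructed sample workflow (not from the page): one reference pinned to a placeholder
# full commit SHA, two floating references, and one run step that expands PR-author-
# controlled text straight into the shell on a pull_request_target trigger.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request_target]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-python@v5
      - uses: docker/login-action@main
      - run: echo "Title: ${{ github.event.pull_request.title }}"
      - run: echo "Ref: ${{ github.ref }}"
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Single-line run steps only; a block scalar (run: |) would need a YAML parser.
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$", re.MULTILINE)
# Event fields whose content is chosen by the PR/issue/comment author and is
# substituted before the shell ever sees the command.
UNTRUSTED_RE = re.compile(
    r"\$\{\{\s*github\.event\.(pull_request|issue|comment|review)\.[^}]*\}\}"
)


def find_unpinned_uses(workflow: str) -> list[str]:
    """Return `uses:` references that are not pinned to a full 40-hex commit SHA."""
    unpinned = []
    for ref in USES_RE.findall(workflow):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images carry no git ref to pin
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            unpinned.append(ref)  # tag, branch or missing ref: mutable upstream
    return unpinned


def find_template_injection(workflow: str) -> list[str]:
    """Return `run:` lines that interpolate attacker-controllable event fields."""
    return [line for line in RUN_RE.findall(workflow) if UNTRUSTED_RE.search(line)]
```

The mitigation for the first finding is to replace the tag or branch with the commit SHA it resolves to; for the second, pass the event field through an environment variable (`env:`) and reference `"$VAR"` in the shell instead of expanding it in the template.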