Apply suggestions from code review

martincostello · adityasharad · web-flow · commit 979d604bf602 · 2025-02-14T17:21:24.000Z
Co-authored-by: Aditya Sharad &lt;6874315+adityasharad@users.noreply.github.com&gt;
diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
@@ -40,7 +40,7 @@ where
   ) and
   uses.getVersion() = version and
   not isTrustedOwner(nwo) and
-  not if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version) and
+  not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
   not isImmutableAction(uses, nwo)
 select uses.getCalleeNode(),
   "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
diff --git a/actions/ql/src/change-notes/2025-02-14-docker-false-positives.md b/actions/ql/src/change-notes/2025-02-14-docker-false-positives.md
@@ -2,4 +2,4 @@
 category: minorAnalysis
 ---
 
-* Fix CWE-829 false positives for Docker GitHub actions pinned by the container's SHA256 digest.
+* Fixed false positives in the query `actions/unpinned-tag` (CWE-829), which will no longer flag uses of Docker-based GitHub actions pinned by the container's SHA256 digest.
