BUG: Scorecard does not penalize unpinned third party actions in local composite / docker actions #2189

@stefreak

Description

Describe the bug
It's possible to call third party actions or docker containers in local GitHub actions, and call the local GitHub actions from a workflow.

Also, as a developer of open source GitHub actions, you should be able to use scorecard to scan your action.yml for issues.

Scorecard does not seem to verify GitHub action.yml in my tests.

Reproduction steps

Minimal repository that reproduces this behaviour: https://github.com/stefreak/ossf-scorecard-repro-2189

1. Create a workflow like that:

   ```yaml
   on:
     push:

   jobs:
     reproduce:
       runs-on: ubuntu-latest
       steps:
         - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b  # v3.0.2
         - uses: ./.github/actions/reproduce-composite
         - uses: ./.github/actions/reproduce-docker-path
   ```

2. Create local file in the same repository: `./.github/actions/reproduce-composite/action.yml`:

   ```yaml
   name: 'Reproduce scorecard bug scanning composite actions'
   description: >
     Scorecard should detect that we are calling third party
     actions without pinning, but it doesn't
   runs:
     using: "composite"
     steps:
       - name: Prepare helm
         uses: azure/setup-helm@v3
   ```

3. Create local file in the same repository: `./.github/actions/reproduce-docker-path/action.yml`:

   ```yaml
   name: 'Reproduce scorecard bug scanning docker actions'
   description: >
     Scorecard should detect that we are calling third party
     docker container without pinning, but it doesn't
   runs:
     using: "docker"
     image: "docker://ubuntu:latest"
     args: ["echo", "Hello World"]
   ```

Expected behavior
All GitHub action YAML files that can call third party actions should be considered when scanning.

Additional context
This might be related to #2174 but I am not sure.
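The gap the report describes (a workflow that pins everything, calling local actions that do not) can be checked independently of Scorecard. The following scanner is an added example, not part of the issue or of the Scorecard project: it walks `.github/workflows/*.yml` plus every `action.yml` in the checkout, extracts `uses:` and `image:` references with regular expressions (no YAML library needed), and reports any third-party action not pinned to a full 40-character commit SHA or any container image not pinned to a `sha256` digest. The three files from the reproduction steps above are embedded as constructed sample input; the function names (`classify_uses`, `classify_image`, `scan_text`, `scan_repo`, `demo`) are my own choices and the `image:` heuristic assumes that key only appears for container images or a local `Dockerfile`.

```python
"""Flag unpinned third-party references in GitHub workflows AND in
local composite/docker actions (the case the issue above reports).
Regex-based so it runs without a YAML parser.  Example code written for
this page; it is not Scorecard's implementation."""
import re
import tempfile
from pathlib import Path

# "- uses: owner/repo@ref" in workflows and in composite-action steps
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^"\'\s#]+)')
# "image: ..." in docker actions (runs.image) and in job containers/services
IMAGE_RE = re.compile(r'^\s*image:\s*["\']?([^"\'\s#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
DIGEST_RE = re.compile(r'@sha256:[0-9a-f]{64}$')


def classify_uses(ref):
    """Return (kind, pinned) for a `uses:` value."""
    if ref.startswith(('./', '../')):
        return 'local', True            # local action; its own file is scanned
    if ref.startswith('docker://'):
        return 'image', bool(DIGEST_RE.search(ref))
    _, _, version = ref.rpartition('@')  # "" when there is no @ at all
    return 'action', bool(FULL_SHA_RE.match(version))  # tags/branches move


def classify_image(ref):
    """Return (kind, pinned) for an `image:` value (heuristic, see lead-in)."""
    if ref == 'Dockerfile' or ref.startswith(('./', '../')):
        return 'local', True            # built from the repository itself
    return 'image', bool(DIGEST_RE.search(ref))


def scan_text(text, path):
    """Return (path, line_no, ref, kind) for each unpinned reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for rx, classify in ((USES_RE, classify_uses), (IMAGE_RE, classify_image)):
            m = rx.match(line)
            if m:
                kind, pinned = classify(m.group(1))
                if not pinned:
                    findings.append((path, n, m.group(1), kind))
    return findings


def scan_repo(root):
    """Scan the workflows plus every action.yml/.yaml anywhere in the repo."""
    root = Path(root)
    files = sorted(
        set(root.glob('.github/workflows/*.yml'))
        | set(root.glob('.github/workflows/*.yaml'))
        | set(root.rglob('action.yml'))
        | set(root.rglob('action.yaml')))
    findings = []
    for f in files:
        findings.extend(scan_text(f.read_text(), str(f.relative_to(root))))
    return findings


# Constructed sample input: the three files from the reproduction steps.
SAMPLE_FILES = {
    '.github/workflows/reproduce.yml': """\
on:
  push:

jobs:
  reproduce:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b  # v3.0.2
      - uses: ./.github/actions/reproduce-composite
      - uses: ./.github/actions/reproduce-docker-path
""",
    '.github/actions/reproduce-composite/action.yml': """\
name: 'Reproduce scorecard bug scanning composite actions'
description: >
  Scorecard should detect that we are calling third party
  actions without pinning, but it doesn't
runs:
  using: "composite"
  steps:
    - name: Prepare helm
      uses: azure/setup-helm@v3
""",
    '.github/actions/reproduce-docker-path/action.yml': """\
name: 'Reproduce scorecard bug scanning docker actions'
description: >
  Scorecard should detect that we are calling third party
  docker container without pinning, but it doesn't
runs:
  using: "docker"
  image: "docker://ubuntu:latest"
  args: ["echo", "Hello World"]
""",
}


def demo():
    """Write the sample repo to a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return scan_repo(root)


if __name__ == '__main__':
    for path, line_no, ref, kind in demo():
        print(f'{path}:{line_no}: unpinned {kind} {ref}')
```

Run against the reproduction repository, the pinned workflow produces nothing, while the two local actions each yield one finding: `azure/setup-helm@v3` in the composite action and `docker://ubuntu:latest` in the docker action. Because `scan_repo` globs for `action.yml` anywhere in the tree, it also covers a published action's own metadata file, which is the second use case the report asks for.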

Status: Backlog - Bugs