This repository exists to reproduce the bug ossf/scorecard#2189
It should report Unpinned third party github action for the reproduce-composte and reproduce-docker-path actions. It works automatically for docker actions with a Dockerfile (which is a more common use case).