
| Field | Value |
| --- | --- |
| Category | CICD-SEC-3 |
| Severity | MEDIUM |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Auto-fix | ✓ (see the Auto-fix section below) |

What the check does

Flags every step whose uses: value references a third-party action by anything other than a 40-character commit SHA, for example:
  • owner/repo@v1 (a tag)
  • owner/repo@main (a branch)
  • owner/repo/path@release (a tag on an action stored in a subdirectory)
Local actions (references beginning with ./ or .github/) are ignored.

Why it matters

Tags and branches are mutable. If a maintainer (or an attacker who compromises their account) updates @v1 to point at a malicious commit, every workflow tracking @v1 runs that code on its next invocation — typically with access to repo secrets. Pinning to a commit SHA freezes the exact bytes you reviewed.

Vulnerable example

- uses: actions/checkout@v4              # ← mutable tag
- uses: some-org/some-action@main        # ← mutable branch

Safe alternative

Pin to a full commit SHA, with the original ref preserved as a comment for human-readable updates:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

Auto-fix

--fix resolves the tag or branch to a commit SHA by calling the GitHub API, then rewrites the uses: value to owner/repo@<sha> with the original ref preserved as a trailing line comment:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
The fixer needs network access to api.github.com. If resolution fails (network error, deleted tag, rate limit), the action is left unchanged and a warning is printed to stderr.
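The following is an added example, not pipefort's own code, that implements both halves of this page in plain Python: the check from "What the check does" (flag uses: references that are not a 40-character SHA, skip local ./ and .github/ actions) and the rewrite from "Auto-fix" (owner/repo@<sha> with the original ref kept as a trailing comment, unresolvable refs left unchanged with a warning on stderr). The workflow text and the resolver table are constructed for the example; the resolver stands in for the api.github.com lookup so the script runs offline, and the SHA for the made-up owner/repo@release tag is invented.

```python
import re
import sys

# Constructed sample workflow (not from the page): mixes mutable refs,
# a local action and an already SHA-pinned step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - uses: owner/repo/path@release
      - uses: ./.github/actions/local-thing
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.1
      - run: npm test
"""

# Matches a `uses:` line (with or without the leading list dash) and splits it
# into the prefix, the action reference and any trailing text such as a comment.
USES_RE = re.compile(r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<ref>\S+)(?P<rest>.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def split_ref(ref):
    """'owner/repo/path@v1' -> ('owner/repo/path', 'v1'); a ref without '@' -> (ref, None)."""
    name, sep, version = ref.rpartition("@")
    return (name, version) if sep else (ref, None)


def is_local(ref):
    return ref.startswith("./") or ref.startswith(".github/")


def is_pinned(ref):
    _, version = split_ref(ref)
    return version is not None and bool(FULL_SHA_RE.match(version))


def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for third-party actions not pinned to a 40-char commit SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if is_local(ref) or is_pinned(ref):
            continue
        findings.append((line_no, ref))
    return findings


def apply_fix(workflow_text, resolve):
    """Rewrite unpinned refs in place. `resolve(repo, version)` returns a SHA or None;
    refs that cannot be resolved are left unchanged and a warning is reported."""
    out, warnings = [], []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not is_local(m.group("ref")) and not is_pinned(m.group("ref")):
            name, version = split_ref(m.group("ref"))
            repo = "/".join(name.split("/")[:2])  # the tag lives on owner/repo, not on the subpath
            sha = resolve(repo, version) if version else None
            if sha is None:
                warnings.append(f"line {line_no}: could not resolve {m.group('ref')}; left unchanged")
                print(warnings[-1], file=sys.stderr)
            else:
                rest = m.group("rest").strip()  # keep any comment that was already there
                line = f"{m.group('prefix')}{name}@{sha} # {version}" + (f" {rest}" if rest else "")
        out.append(line)
    return "\n".join(out) + "\n", warnings


# Constructed stand-in for the GitHub API lookup. The actions/checkout SHA is the one
# shown on this page; the owner/repo SHA is invented for the example.
FAKE_RESOLVER_TABLE = {
    ("actions/checkout", "v4"): "b4ffde65f46336ab88eb53be808477a3936bae11",
    ("owner/repo", "release"): "89abcdef0123456789abcdef0123456789abcdef",
    # ("some-org/some-action", "main") is deliberately absent: simulates a deleted branch or API failure
}


def fake_resolve(repo, version):
    return FAKE_RESOLVER_TABLE.get((repo, version))


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"CICD-SEC-3 line {line_no}: {ref} is not pinned to a commit SHA")
    fixed, _ = apply_fix(SAMPLE_WORKFLOW, fake_resolve)
    print(fixed)
```

Running it flags lines 7, 8 and 9 of the sample; the fix rewrites the checkout and owner/repo/path steps, leaves some-org/some-action@main untouched with a warning, and a second pass of the check then reports only that one remaining step. Working line by line rather than through a YAML parser is what lets the rewrite preserve the file's indentation and existing comments, which matters when the fixed workflow is going into a pull request for review.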