| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | HIGH |
| Confidence | HIGH |
| Pass | Online — automatic with a GitHub token, forced by --audit-pins, disabled by --offline |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Auto-fix | ✗ |
What the check does
For each third-partyuses: reference, asks the GitHub API whether the
upstream repository is archived (read-only). If it is, the action is
flagged.