Skip to main content
FieldValue
CategoryCICD-SEC-3
SeverityHIGH
OWASPCICD-SEC-3: Dependency Chain Abuse
PassOnline — requires --audit-pins
Auto-fix

What the check does

For every action pinned by a 40-character commit SHA, Pipefort asks the GitHub API whether that commit exists in the claimed owner/repo. If GitHub returns 404, the commit isn’t part of that repository — the pin is an impostor. This audit only runs in the opt-in online pass (pipefort --audit-pins, or the web app’s scan with its installation token), because it needs network access.

Why it matters

Pinning by SHA is the recommended defense against mutable tags. But a SHA only protects you if it actually belongs to the repository you think you’re trusting. An attacker can push a commit to a fork and reference that fork’s SHA under the upstream name, or socially-engineer a pin to a commit that was never merged. The result looks pinned and reviewed while running code the upstream maintainers never published.

Vulnerable example

# SHA does not exist in actions/checkout — it came from a fork
- uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

Safe alternative

Re-pin to a commit that is reachable from a real tag or branch in the upstream repository, and verify the action’s source before trusting it:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
GitHub occasionally serves fork commits from a shared object store, so this audit is high-signal but not infallible. Treat a finding as a prompt to verify the pin against the upstream repository’s tags and branches.