> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Impostor commit pin

> A SHA-pinned action whose commit doesn't exist in the claimed upstream repository.

| Field    | Value                                                                                                                              |
| -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-3`                                                                                                                       |
| Severity | **HIGH**                                                                                                                           |
| OWASP    | [CICD-SEC-3: Dependency Chain Abuse](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-03-Dependency-Chain-Abuse) |
| Pass     | Online — requires [`--audit-pins`](/cli/flags)                                                                                     |
| Auto-fix | ✗                                                                                                                                  |

## What the check does

For every action pinned by a 40-character commit SHA, Pipefort asks the GitHub
API whether that commit exists in the **claimed** `owner/repo`. If GitHub returns
404, the commit isn't part of that repository — the pin is an *impostor*.

This audit only runs in the opt-in online pass (`pipefort --audit-pins`, or the
web app's scan with its installation token), because it needs network access.

## Why it matters

Pinning by SHA is the recommended defense against [mutable tags](/rules/cicd-sec-3).
But a SHA only protects you if it actually belongs to the repository you think
you're trusting. An attacker can push a commit to a **fork** and reference that
fork's SHA under the upstream name, or socially-engineer a pin to a commit that
was never merged. The result looks pinned and reviewed while running code the
upstream maintainers never published.

## Vulnerable example

```yaml theme={null}
# SHA does not exist in actions/checkout — it came from a fork
- uses: actions/checkout@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
```

## Safe alternative

Re-pin to a commit that is reachable from a real tag or branch in the upstream
repository, and verify the action's source before trusting it:

```yaml theme={null}
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```

<Note>
  GitHub occasionally serves fork commits from a shared object store, so this audit
  is high-signal but not infallible. Treat a finding as a prompt to verify the pin
  against the upstream repository's tags and branches.
</Note>
