| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | HIGH |
| Confidence | HIGH |
| Pass | Online — automatic with a GitHub token, forced by --audit-pins, disabled by --offline |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Auto-fix | ✗ |
What the check does
For a non-SHAuses: ref, checks whether that name exists in the upstream
repository as both a branch and a tag. If so, the reference is ambiguous.
Why it matters
When a ref name is overloaded, GitHub’s resolution order decides which oneuses: picks — and that order can be exploited. An attacker who can push a
branch named the same as a trusted tag may be able to shadow the intended tag,
running their branch’s code instead. Even without malice, an overloaded ref
makes it impossible to know which commit runs.