> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Action ref exists as both a branch and a tag

> An action's ref resolves ambiguously upstream — the same name is both a branch and a tag.

| Field      | Value                                                                                                                              |
| ---------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Category   | `CICD-SEC-3`                                                                                                                       |
| Severity   | **HIGH**                                                                                                                           |
| Confidence | HIGH                                                                                                                               |
| Pass       | Online — automatic with a GitHub token, forced by [`--audit-pins`](/cli/flags), disabled by `--offline`                            |
| OWASP      | [CICD-SEC-3: Dependency Chain Abuse](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-03-Dependency-Chain-Abuse) |
| Auto-fix   | ✗                                                                                                                                  |

## What the check does

For a non-SHA `uses:` ref, checks whether that name exists in the upstream
repository as **both a branch and a tag**. If so, the reference is ambiguous.

## Why it matters

When a ref name is overloaded, GitHub's resolution order decides which one
`uses:` picks — and that order can be exploited. An attacker who can push a
branch named the same as a trusted tag may be able to shadow the intended tag,
running their branch's code instead. Even without malice, an overloaded ref
makes it impossible to know which commit runs.

```yaml theme={null}
# ← "release" is both a branch and a tag upstream: which one runs?
- uses: acme/action@release
```

## Safe alternative

Pin the action to a full commit SHA so resolution is unambiguous, or reference
a ref name that isn't overloaded:

```yaml theme={null}
- uses: acme/action@<sha> # v2.1.0
```
