| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | MEDIUM |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Pass | Online — requires --audit-pins |
| Auto-fix | ✗ |
What the check does
The recommended way to pin an action is a commit SHA with the human-readable version in a trailing comment:v4.1.1) via the GitHub API
and checks that it points at the same commit you pinned. If they differ, the
comment is misleading. Runs only in the opt-in online pass.
Why it matters
Reviewers trust the comment. If the pinned SHA and the# vX comment disagree,
someone reading the workflow believes they’re getting the version in the comment
while a different commit actually executes. That gap is exactly where a
sneak-in or a stale, vulnerable pin hides.