> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Pinned SHA does not match its version comment

> A SHA-pinned action whose # vX comment names a tag that resolves to a different commit.

| Field    | Value                                                                                                                              |
| -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-3`                                                                                                                       |
| Severity | **MEDIUM**                                                                                                                         |
| OWASP    | [CICD-SEC-3: Dependency Chain Abuse](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-03-Dependency-Chain-Abuse) |
| Pass     | Online — requires [`--audit-pins`](/cli/flags)                                                                                     |
| Auto-fix | ✗                                                                                                                                  |

## What the check does

The recommended way to pin an action is a commit SHA with the human-readable
version in a trailing comment:

```yaml theme={null}
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```

This audit resolves the tag named in the comment (`v4.1.1`) via the GitHub API
and checks that it points at the **same** commit you pinned. If they differ, the
comment is misleading. Runs only in the opt-in online pass.

## Why it matters

Reviewers trust the comment. If the pinned SHA and the `# vX` comment disagree,
someone reading the workflow believes they're getting the version in the comment
while a different commit actually executes. That gap is exactly where a
sneak-in or a stale, vulnerable pin hides.

## Vulnerable example

```yaml theme={null}
# comment says v4, but this SHA is actually v2 (or an unrelated commit)
- uses: actions/checkout@<sha-of-v2> # v4
```

## Safe alternative

Make the comment tell the truth — either re-pin to the SHA the tag resolves to,
or correct the comment to match the pinned commit:

```yaml theme={null}
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```
