Skip to main content
FieldValue
CategoryCICD-SEC-3
SeverityMEDIUM
OWASPCICD-SEC-3: Dependency Chain Abuse
PassOnline pass (--audit-pins) — though this audit itself is offline
Auto-fix

What the check does

Compares each action’s owner/repo against a bundled list of widely-used actions and flags any reference that is exactly one edit away from one of them but isn’t an exact match — e.g. actons/checkout vs actions/checkout. This audit needs no network and ships in the --audit-pins pass alongside the online ones.

Why it matters

Attackers register names that look almost identical to popular actions, betting on a typo in a uses: line. A single transposed or dropped character can route a workflow — and its secrets and write token — to attacker-controlled code. This is the CI/CD analog of package-registry typosquatting.

Vulnerable example

- uses: actons/checkout@v4        # ← note: "actons", not "actions"

Safe alternative

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
This is a heuristic and can occasionally flag a legitimately-named action that happens to be one character from a popular one. Confirm the owner/repo is the one you intended; if it is, the finding is a false positive you can dismiss.