| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | MEDIUM |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Pass | Online pass (--audit-pins) — though this audit itself is offline |
| Auto-fix | ✗ |
What the check does
Compares each action’sowner/repo against a bundled list of widely-used actions
and flags any reference that is exactly one edit away from one of them but
isn’t an exact match — e.g. actons/checkout vs actions/checkout. This audit
needs no network and ships in the --audit-pins pass alongside the online ones.
Why it matters
Attackers register names that look almost identical to popular actions, betting on a typo in auses: line. A single transposed or dropped character can route a
workflow — and its secrets and write token — to attacker-controlled code. This is
the CI/CD analog of package-registry typosquatting.
Vulnerable example
Safe alternative
This is a heuristic and can occasionally flag a legitimately-named action that
happens to be one character from a popular one. Confirm the owner/repo is the one
you intended; if it is, the finding is a false positive you can dismiss.