> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Possible typosquatted action

> An action whose owner/repo is one character away from a popular action.

| Field    | Value                                                                                                                              |
| -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-3`                                                                                                                       |
| Severity | **MEDIUM**                                                                                                                         |
| OWASP    | [CICD-SEC-3: Dependency Chain Abuse](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-03-Dependency-Chain-Abuse) |
| Pass     | Online pass ([`--audit-pins`](/cli/flags)) — though this audit itself is offline                                                   |
| Auto-fix | ✗                                                                                                                                  |

## What the check does

Compares each action's `owner/repo` against a bundled list of widely-used actions
and flags any reference that is exactly **one edit** away from one of them but
isn't an exact match — e.g. `actons/checkout` vs `actions/checkout`. This audit
needs no network and ships in the `--audit-pins` pass alongside the online ones.

## Why it matters

Attackers register names that look almost identical to popular actions, betting
on a typo in a `uses:` line. A single transposed or dropped character can route a
workflow — and its secrets and write token — to attacker-controlled code. This is
the CI/CD analog of package-registry typosquatting.

## Vulnerable example

```yaml theme={null}
- uses: actons/checkout@v4        # ← note: "actons", not "actions"
```

## Safe alternative

```yaml theme={null}
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```

<Note>
  This is a heuristic and can occasionally flag a legitimately-named action that
  happens to be one character from a popular one. Confirm the owner/repo is the one
  you intended; if it is, the finding is a false positive you can dismiss.
</Note>
