> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-5 — Action not permitted by forbidden-uses policy

> A uses: reference violates the repository's allow/deny action policy.

| Field      | Value                                                                                                                    |
| ---------- | ------------------------------------------------------------------------------------------------------------------------ |
| Category   | `CICD-SEC-5`                                                                                                             |
| Severity   | **HIGH**                                                                                                                 |
| Confidence | HIGH                                                                                                                     |
| OWASP      | [CICD-SEC-5: Insufficient PBAC](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-05-Insufficient-PBAC) |
| Auto-fix   | ✗                                                                                                                        |

## What the check does

Enforces a repository's **action allow/deny policy** from the `forbidden-uses`
block in [`.pipefort.yml`](/cli/configuration). It matches every `uses:`
reference's `owner/repo` (ignoring the `@ref`) against your patterns and flags
violations. The rule is **silent** unless a policy is configured.

```yaml theme={null}
# .pipefort.yml
forbidden-uses:
  deny: ["sketchy-org/*"]        # forbid these
  # — or —
  allow: ["actions/*", "myorg/*"] # permit only these
```

`allow` and `deny` are mutually exclusive; `allow` wins if both are present.
Patterns are globs (`someorg/*`, `actions/checkout`); a bare owner (`someorg`)
matches its whole namespace.

## Why it matters

Least-privilege for CI means constraining which third-party actions can run in
your pipeline at all. An allow list turns "any action on the internet" into "a
vetted set," shrinking the supply-chain attack surface; a deny list blocks
actions you've decided are untrustworthy. GitHub's own org-level allowlist does
this at the platform layer; `forbidden-uses` gives you the same control in-repo
and in the CLI, enforceable in CI before a merge.

## Safe alternative

Adopt an allow list of vetted actions (pinned to SHAs), and pair it with
GitHub's org-level [Actions permissions policy](/rules/cicd-sec-5-actions-all-allowed)
for defense in depth.
