| Field | Value |
|---|
| Category | CICD-SEC-3 |
| Severity | MEDIUM |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Auto-fix | ✓ (what it does) |
What the check does
Flags every step whose uses: value references a third-party action by anything other than a 40-character commit SHA:
owner/repo@v1
owner/repo@main
owner/repo/path@release
Local actions (./ or .github/) are ignored.
Why it matters
Tags and branches are mutable. If a maintainer (or an attacker who compromises their account) updates @v1 to point at a malicious commit, every workflow tracking @v1 runs that code on its next invocation — typically with access to repo secrets.
Pinning to a commit SHA freezes the exact bytes you reviewed.
Vulnerable example
- uses: actions/checkout@v4 # ← mutable tag
- uses: some-org/some-action@main # ← mutable branch
Safe alternative
Pin to a full commit SHA, with the original ref preserved as a comment for human-readable updates:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Auto-fix
--fix resolves the tag or branch to a commit SHA by calling the GitHub API, then rewrites the uses: value to owner/repo@<sha> with the original ref preserved as a trailing line comment:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
The fixer needs network access to api.github.com. If resolution fails (network error, deleted tag, rate limit), the action is left unchanged and a warning is printed to stderr.