Skip to main content
FieldValue
CategoryCICD-SEC-3
SeverityHIGH
ConfidenceHIGH
PassOnline — automatic with a GitHub token, forced by --audit-pins, disabled by --offline
OWASPCICD-SEC-3: Dependency Chain Abuse
Auto-fix

What the check does

For each third-party uses: reference, asks the GitHub API whether the upstream repository is archived (read-only). If it is, the action is flagged.

Why it matters

An archived repository is frozen: no bug fixes, no security patches, no response to a disclosed vulnerability. Any flaw in an archived action is permanent, and archived projects are prime targets for repo-jacking if the owner ever deletes the account. Depending on unmaintained code in your build pipeline is a standing supply-chain risk.

Safe alternative

Migrate to a maintained fork or an actively-supported alternative, pin it to a commit SHA, and record the version in a trailing comment.