| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | HIGH |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Pass | Online — requires --audit-pins |
| Auto-fix | ✗ |
What the check does
For every action pinned by a 40-character commit SHA, Pipefort asks the GitHub API whether that commit exists in the claimedowner/repo. If GitHub returns
404, the commit isn’t part of that repository — the pin is an impostor.
This audit only runs in the opt-in online pass (pipefort --audit-pins, or the
web app’s scan with its installation token), because it needs network access.
Why it matters
Pinning by SHA is the recommended defense against mutable tags. But a SHA only protects you if it actually belongs to the repository you think you’re trusting. An attacker can push a commit to a fork and reference that fork’s SHA under the upstream name, or socially-engineer a pin to a commit that was never merged. The result looks pinned and reviewed while running code the upstream maintainers never published.Vulnerable example
Safe alternative
Re-pin to a commit that is reachable from a real tag or branch in the upstream repository, and verify the action’s source before trusting it:GitHub occasionally serves fork commits from a shared object store, so this audit
is high-signal but not infallible. Treat a finding as a prompt to verify the pin
against the upstream repository’s tags and branches.