| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | HIGH |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Pass | Online — requires --audit-pins |
| Auto-fix | ✗ |
What the check does
For each referenced action, Pipefort queries the GitHub Advisory Database (actions ecosystem) and flags the reference when its version falls inside a
published advisory’s vulnerable range. Runs only in the opt-in online pass.
The version compared is:
- the tag, when the action is pinned by tag (
@v1.2.3), or - the version named in the
# vXcomment, when pinned by SHA.