Skip to main content
FieldValue
CategoryCICD-SEC-3
SeverityHIGH
OWASPCICD-SEC-3: Dependency Chain Abuse
PassOnline — requires --audit-pins
Auto-fix

What the check does

For each referenced action, Pipefort queries the GitHub Advisory Database (actions ecosystem) and flags the reference when its version falls inside a published advisory’s vulnerable range. Runs only in the opt-in online pass. The version compared is:
  • the tag, when the action is pinned by tag (@v1.2.3), or
  • the version named in the # vX comment, when pinned by SHA.
A SHA pin without a version comment can’t be matched to a version, so it is not checked by this audit — keep a version comment on SHA pins so this audit can protect them.

Why it matters

Actions are dependencies. When a vulnerability is disclosed for an action (token exfiltration, command injection, cache poisoning), every workflow still pinned to an affected version inherits the risk. This audit surfaces those before they’re exploited, the same way Dependabot does for package dependencies.

Vulnerable example

# a version inside a published GHSA vulnerable range
- uses: some-org/some-action@1.0.0

Safe alternative

Upgrade to a patched version (and re-pin to its commit SHA):
- uses: some-org/some-action@<sha-of-1.2.3> # v1.2.3
See the GHSA advisory linked in the finding for the affected ranges and the first patched version.