Skip to main content
FieldValue
CategoryCICD-SEC-3
SeverityHIGH
ConfidenceHIGH
PassOnline — automatic with a GitHub token, forced by --audit-pins, disabled by --offline
OWASPCICD-SEC-3: Dependency Chain Abuse
Auto-fix

What the check does

For a non-SHA uses: ref, checks whether that name exists in the upstream repository as both a branch and a tag. If so, the reference is ambiguous.

Why it matters

When a ref name is overloaded, GitHub’s resolution order decides which one uses: picks — and that order can be exploited. An attacker who can push a branch named the same as a trusted tag may be able to shadow the intended tag, running their branch’s code instead. Even without malice, an overloaded ref makes it impossible to know which commit runs.
# ← "release" is both a branch and a tag upstream: which one runs?
- uses: acme/action@release

Safe alternative

Pin the action to a full commit SHA so resolution is unambiguous, or reference a ref name that isn’t overloaded:
- uses: acme/action@<sha> # v2.1.0