Skip to main content
FieldValue
CategoryCICD-SEC-3
SeverityMEDIUM
OWASPCICD-SEC-3: Dependency Chain Abuse
PassOnline — requires --audit-pins
Auto-fix

What the check does

The recommended way to pin an action is a commit SHA with the human-readable version in a trailing comment:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
This audit resolves the tag named in the comment (v4.1.1) via the GitHub API and checks that it points at the same commit you pinned. If they differ, the comment is misleading. Runs only in the opt-in online pass.

Why it matters

Reviewers trust the comment. If the pinned SHA and the # vX comment disagree, someone reading the workflow believes they’re getting the version in the comment while a different commit actually executes. That gap is exactly where a sneak-in or a stale, vulnerable pin hides.

Vulnerable example

# comment says v4, but this SHA is actually v2 (or an unrelated commit)
- uses: actions/checkout@<sha-of-v2> # v4

Safe alternative

Make the comment tell the truth — either re-pin to the SHA the tag resolves to, or correct the comment to match the pinned commit:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1