Skip to main content
FieldValue
CategoryCICD-SEC-3
SeverityMEDIUM
ConfidenceMEDIUM
Personaauditor
PassOnline — automatic with a GitHub token, forced by --audit-pins, disabled by --offline
OWASPCICD-SEC-3: Dependency Chain Abuse
Auto-fix

What the check does

For an action pinned by commit SHA, checks whether that SHA is the tip of any tag in the upstream repository. If it isn’t — and the repo does publish tags — the pin is flagged as stale: you’re running unreleased or arbitrary code rather than a published release.

Why it matters

Pinning by SHA is the right defense against mutable tags. But a SHA that doesn’t correspond to any release means the code was never cut as a reviewable version — it might be a commit on a feature branch, a reverted change, or an arbitrary point in history. You lose the ability to reason about “what version am I running,” and drift accumulates silently. This is an auditor-tier check (informational for most teams); it’s tuned to stay quiet on repositories where tag data can’t be read.

Safe alternative

Re-pin to a commit SHA that corresponds to a published release tag, and record the tag in a trailing comment so reviewers can see the version:
- uses: acme/action@<sha> # v1.2.3