| Field | Value |
|---|---|
| Category | CICD-SEC-3 |
| Severity | MEDIUM |
| Confidence | MEDIUM |
| Persona | auditor |
| Pass | Online — automatic with a GitHub token, forced by --audit-pins, disabled by --offline |
| OWASP | CICD-SEC-3: Dependency Chain Abuse |
| Auto-fix | ✗ |
Rules reference
CICD-SEC-3 — Pinned SHA is not any released tag
An action is pinned to a commit that is not the tip of any tag — unreleased or arbitrary code.