> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Pinned SHA is not any released tag

> An action is pinned to a commit that is not the tip of any tag — unreleased or arbitrary code.

| Field      | Value                                                                                                                              |
| ---------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Category   | `CICD-SEC-3`                                                                                                                       |
| Severity   | **MEDIUM**                                                                                                                         |
| Confidence | MEDIUM                                                                                                                             |
| Persona    | auditor                                                                                                                            |
| Pass       | Online — automatic with a GitHub token, forced by [`--audit-pins`](/cli/flags), disabled by `--offline`                            |
| OWASP      | [CICD-SEC-3: Dependency Chain Abuse](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-03-Dependency-Chain-Abuse) |
| Auto-fix   | ✗                                                                                                                                  |

## What the check does

For an action pinned by commit SHA, checks whether that SHA is the tip of any
**tag** in the upstream repository. If it isn't — and the repo does publish
tags — the pin is flagged as stale: you're running unreleased or arbitrary code
rather than a published release.

## Why it matters

Pinning by SHA is the right defense against [mutable tags](/rules/cicd-sec-3).
But a SHA that doesn't correspond to any release means the code was never cut as
a reviewable version — it might be a commit on a feature branch, a reverted
change, or an arbitrary point in history. You lose the ability to reason about
"what version am I running," and drift accumulates silently.

This is an **auditor-tier** check (informational for most teams); it's tuned to
stay quiet on repositories where tag data can't be read.

## Safe alternative

Re-pin to a commit SHA that corresponds to a published release tag, and record
the tag in a trailing comment so reviewers can see the version:

```yaml theme={null}
- uses: acme/action@<sha> # v1.2.3
```
