> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-3 — Unpinned third-party action

> Tag and branch references are mutable. Pin third-party actions to a full commit SHA.

| Field    | Value                                                                                                                              |
| -------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-3`                                                                                                                       |
| Severity | **MEDIUM**                                                                                                                         |
| OWASP    | [CICD-SEC-3: Dependency Chain Abuse](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-03-Dependency-Chain-Abuse) |
| Auto-fix | ✓ ([what it does](#auto-fix))                                                                                                      |

## What the check does

Flags every step whose `uses:` value references a third-party action by **anything other than a 40-character commit SHA**:

* `owner/repo@v1`
* `owner/repo@main`
* `owner/repo/path@release`

Local actions (`./` or `.github/`) are ignored.

## Why it matters

Tags and branches are mutable. If a maintainer (or an attacker who compromises their account) updates `@v1` to point at a malicious commit, every workflow tracking `@v1` runs that code on its next invocation — typically with access to repo secrets.

Pinning to a commit SHA freezes the exact bytes you reviewed.

## Vulnerable example

```yaml theme={null}
- uses: actions/checkout@v4              # ← mutable tag
- uses: some-org/some-action@main        # ← mutable branch
```

## Safe alternative

Pin to a full commit SHA, with the original ref preserved as a comment for human-readable updates:

```yaml theme={null}
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
```

## Auto-fix

`--fix` resolves the tag or branch to a commit SHA by calling the GitHub API, then rewrites the `uses:` value to `owner/repo@<sha>` with the original ref preserved as a trailing line comment:

```yaml theme={null}
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
```

<Warning>
  The fixer needs network access to `api.github.com`. If resolution fails (network error, deleted tag, rate limit), the action is left unchanged and a warning is printed to stderr.
</Warning>
