Git reference without commit SHA


Severity

medium

What it is

A Git URL references a branch or tag instead of a full commit SHA. Branches and tags can be force-pushed, so the same reference can later resolve to different code.

How Igris detects it

Igris's Version Pinning Checker flags this during MCP security scans of your configuration.
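One way to implement this kind of check, added here as an example and not Igris's own code. It assumes an MCP configuration with a top-level `mcpServers` map whose `command`/`args` carry pip/uv-style `git+https://...@ref` URLs; the function names, hosts, repositories and SHA are hypothetical.

```python
import re

# A full object id: 40 hex chars (SHA-1) or 64 (SHA-256 repositories).
FULL_SHA = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
# pip/uv-style VCS requirement: git+<scheme>://host/path[@ref][#fragment]
GIT_URL = re.compile(r"git\+(?:https?|ssh)://[^\s#]+")


def git_ref(url):
    """Return the text after the last '@' in the URL path, or None."""
    rest = url.split("://", 1)[1]
    path = rest.split("/", 1)[1] if "/" in rest else ""  # drop [user@]host
    return path.rsplit("@", 1)[1] if "@" in path else None


def find_unpinned(config):
    """Return (server, url, ref) for every Git URL not pinned to a full SHA."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        for arg in [server.get("command", ""), *server.get("args", [])]:
            for match in GIT_URL.finditer(arg):
                ref = git_ref(match.group(0))
                # Missing refs, branches, tags and abbreviated SHAs all fail.
                if ref is None or not FULL_SHA.match(ref):
                    findings.append((name, match.group(0), ref))
    return findings


# Constructed sample config; hosts, repositories and the SHA are made up.
BASE = "git+https://git.example.com/acme/"
PINNED_SHA = "ab12" * 10  # 40 hex characters
SAMPLE_CONFIG = {"mcpServers": {
    "branch": {"command": "uvx", "args": ["--from", BASE + "notes-mcp.git@main"]},
    "tag": {"command": "uvx", "args": ["--from", BASE + "search-mcp.git@v1.4.2"]},
    "short": {"command": "uvx", "args": ["--from", BASE + "db-mcp.git@ab12cd3"]},
    "no_ref": {"command": "uvx", "args": ["--from", BASE + "bare-mcp.git"]},
    "ssh_pinned": {"command": "uvx", "args": [
        "--from", "git+ssh://git@git.example.com/acme/files-mcp.git@" + PINNED_SHA]},
}}

if __name__ == "__main__":
    for name, url, ref in find_unpinned(SAMPLE_CONFIG):
        print(f"[medium] {name}: {url} (ref={ref!r}) is not a full commit SHA")
```

The abbreviated SHA is flagged along with the branch and tag because it is not a full commit SHA; only the 40-character reference passes.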
