Security Rules
==============

.. toctree::
   :maxdepth: 1
   :hidden:

   excessive_token_permissions
   hardcoded_secrets
   oidc_not_used
   pr_target_injection
   untrusted_actions
   world_writable_artifact

.. list-table::
   :header-rows: 1
   :widths: 30 15 55

   * - Rule
     - Severity
     - Description
   * - :doc:`excessive_token_permissions`
     - critical
     - Workflow uses ``permissions: write-all`` or does not restrict token scope. The ``GITHUB_TOKEN`` should follow least privilege — ...
   * - :doc:`hardcoded_secrets`
     - critical
     - An environment variable name matches common secret patterns (``API_KEY``, ``TOKEN``, ``PASSWORD``, ``SECRET``) and its value appears to ...
   * - :doc:`pr_target_injection`
     - critical
     - Workflow triggers on ``pull_request_target`` and checks out the PR head ref. This grants untrusted code access to repository...
   * - :doc:`untrusted_actions`
     - high
     - A third-party action (not from ``actions/`` or ``github/``) is used without pinning to a full commit SHA. This is a supply-chain...
   * - :doc:`oidc_not_used`
     - medium
     - Workflow uses static cloud credentials (``AWS_ACCESS_KEY_ID``, etc.) stored as secrets instead of OIDC short-lived tokens.
   * - :doc:`world_writable_artifact`
     - medium
     - Job uploads artifacts without an explicit ``retention-days`` setting. GitHub Actions artifacts are publicly readable for 90 ...