Security Rules

| Rule | Severity | Description |
|---|---|---|
| | critical | Workflow uses `permissions: write-all` or does not restrict token scope. The GITHUB_TOKEN should follow least privilege … |
| | critical | An environment variable name matches common secret patterns (API_KEY, TOKEN, PASSWORD, SECRET) and its value appears to … |
| | critical | Workflow triggers on `pull_request_target` and checks out the PR head ref. This grants untrusted code access to repository… |
| | high | A third-party action (not from `actions/` or `github/`) is used without pinning to a full commit SHA. This is a supply-chain… |
| | medium | Workflow uses static cloud credentials (AWS_ACCESS_KEY_ID, etc.) stored as secrets instead of OIDC short-lived tokens. |
| | medium | Job uploads artifacts without an explicit `retention-days` setting. GitHub Actions artifacts are publicly readable for 90 … |
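The checks behind these rules can be expressed as a small linter over a parsed workflow. The example below is added here and is not the project's own implementation; it assumes the workflow has already been loaded into a dict (as `yaml.safe_load` would return it) and uses a constructed sample workflow that trips several rules.

```python
import re

# Constructed sample workflow, in the dict shape yaml.safe_load() produces.
SAMPLE_WORKFLOW = {
    "on": {"pull_request_target": {}},
    "permissions": "write-all",
    "jobs": {"build": {"steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "some-org/some-action@v1"},                         # tag, not SHA
        {"uses": "other-org/tool@0123456789abcdef0123456789abcdef01234567"},
        {"run": "aws s3 sync dist/ s3://example-bucket",
         "env": {"AWS_ACCESS_KEY_ID": "${{ secrets.AWS_ACCESS_KEY_ID }}"}},
        {"uses": "actions/upload-artifact@v4", "with": {"name": "dist", "path": "dist/"}},
    ]}},
}

SHA_PIN_RE = re.compile(r"@[0-9a-f]{40}$")      # full 40-hex commit SHA after '@'
TRUSTED_OWNERS = ("actions/", "github/")
STATIC_CLOUD_KEYS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")

def check_workflow(wf):
    """Return (severity, message) findings for the rules in the table above."""
    findings = []
    perms = wf.get("permissions")
    if perms is None or perms == "write-all":
        findings.append(("critical", "GITHUB_TOKEN scope not restricted (permissions missing or write-all)"))
    triggers = wf.get("on", {})
    if isinstance(triggers, str):
        triggers = [triggers]
    uses_prt = "pull_request_target" in triggers
    for job_name, job in wf.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses", "") or ""
            with_ = step.get("with", {}) or {}
            env = step.get("env", {}) or {}
            # pull_request_target + checkout of the PR head: untrusted code runs with repo access
            if uses_prt and uses.startswith("actions/checkout") and "head" in str(with_.get("ref", "")):
                findings.append(("critical", f"{job_name}: pull_request_target checks out PR head ref"))
            # third-party action referenced by tag/branch instead of a full commit SHA
            if uses and not uses.startswith(TRUSTED_OWNERS) and not SHA_PIN_RE.search(uses):
                findings.append(("high", f"{job_name}: unpinned third-party action {uses}"))
            # long-lived cloud keys injected from secrets instead of OIDC
            if any(k in env for k in STATIC_CLOUD_KEYS):
                findings.append(("medium", f"{job_name}: static cloud credentials used instead of OIDC"))
            # artifact upload without an explicit retention period
            if uses.startswith("actions/upload-artifact") and "retention-days" not in with_:
                findings.append(("medium", f"{job_name}: artifact upload without retention-days"))
    return findings

if __name__ == "__main__":
    for severity, msg in check_workflow(SAMPLE_WORKFLOW):
        print(f"[{severity}] {msg}")
```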