Add security workflows #9
Annotations
3 errors and 4 warnings

zizmor
Process completed with exit code 14.

unpinned-images:
.github/workflows/security-pr.yml#L21
security-pr.yml:21: unpinned image references: container image is unpinned

template-injection:
.github/workflows/security-default-branch.yml#L36
security-default-branch.yml:36: code injection via template expansion: may expand into attacker-controllable code

artipacked:
.github/workflows/security-pr.yml#L24
security-pr.yml:24: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

artipacked:
.github/workflows/security-default-branch.yml#L25
security-default-branch.yml:25: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

overprovisioned-secrets:
.github/workflows/gha-secret-extract.yaml#L14
gha-secret-extract.yaml:14: excessively provisioned secrets: injects the entire secrets context into the runner

zizmor
No file matched to [/home/runner/work/gha-workflows/gha-workflows/**/*requirements*.txt,/home/runner/work/gha-workflows/gha-workflows/**/*requirements*.in,/home/runner/work/gha-workflows/gha-workflows/**/*constraints*.txt,/home/runner/work/gha-workflows/gha-workflows/**/*constraints*.in,/home/runner/work/gha-workflows/gha-workflows/**/pyproject.toml,/home/runner/work/gha-workflows/gha-workflows/**/uv.lock,/home/runner/work/gha-workflows/gha-workflows/**/*.py.lock]. The cache will never get invalidated. Make sure you have checked out the target repository and configured the cache-dependency-glob input correctly.