.gitignore
.gitleaks.toml
CHANGELOG.md
CONTRIBUTING.md
LICENSE
README.md
SECURITY.md
action.yml
pyproject.toml
.github/dependabot.yml
.github/workflows/ci.yml
.github/workflows/codeql.yml
.github/workflows/release.yml
.github/workflows/secret-scan.yml
.github/workflows/security.yml
.github/workflows/test-release.yml
.github/workflows/verify-examples.yml
benchmark/__init__.py
benchmark/__main__.py
benchmark/collector.py
benchmark/corpus_runner.py
benchmark/fixtures.py
benchmark/gitlab_collector.py
benchmark/jenkins_collector.py
benchmark/labeler.py
benchmark/runner.py
benchmark/taxonomy.py
benchmark/corpus/README.md
benchmark/corpus/classic_ppe.yml
benchmark/corpus/intentional_pr_target.yml
benchmark/corpus/labels.py
benchmark/corpus/mature_hardened.yml
benchmark/corpus/release_unpinned.yml
benchmark/corpus/typical_oss.yml
benchmark/real_world/README.md
benchmark/real_world/__init__.py
benchmark/real_world/__main__.py
benchmark/real_world/labels.py
benchmark/real_world/runner.py
benchmark/real_world/fixtures/ai-ecosystem/humanlayer-claude-review.yml
benchmark/real_world/fixtures/ai-ecosystem/pydantic-ai-bots.yml
benchmark/real_world/fixtures/gitlab/aphp-confit-release.gitlab-ci.yml
benchmark/real_world/fixtures/gitlab/cbbrowne-pgcmp.gitlab-ci.yml
benchmark/real_world/fixtures/jenkins/fjudith-wordpress-Jenkinsfile
benchmark/real_world/fixtures/jenkins/roryeckel-codex-Jenkinsfile
benchmark/real_world/fixtures/jenkins/snowflakedb-coverage-Jenkinsfile
docs/INTEGRATION.md
docs/REQUIREMENTS.md
docs/ROADMAP.md
docs/RULES.md
docs/SESSION_STATUS.md
docs/oracle/ARCHITECTURE.md
docs/oracle/DESIGN.md
docs/oracle/DESIGN_NOTE_ai_agent_posture.md
docs/oracle/EXTENSIONS.md
docs/oracle/FINDINGS.md
docs/oracle/GAPS.md
docs/oracle/REQUIREMENTS.md
examples/README.md
examples/01-multi-hop-env/README.md
examples/01-multi-hop-env/expected-rules.txt
examples/01-multi-hop-env/.github/workflows/vulnerable.yml
examples/02-github-env-bridge/README.md
examples/02-github-env-bridge/expected-rules.txt
examples/02-github-env-bridge/.github/workflows/vulnerable.yml
examples/03-agent-output-taint/README.md
examples/03-agent-output-taint/expected-rules.txt
examples/03-agent-output-taint/.github/workflows/vulnerable.yml
examples/04-cross-job-needs/README.md
examples/04-cross-job-needs/expected-rules.txt
examples/04-cross-job-needs/.github/workflows/vulnerable.yml
examples/05-fork-identity-guard-downgrade/README.md
examples/05-fork-identity-guard-downgrade/guarded/expected-rules.txt
examples/05-fork-identity-guard-downgrade/guarded/.github/workflows/build.yml
examples/05-fork-identity-guard-downgrade/vulnerable/expected-rules.txt
examples/05-fork-identity-guard-downgrade/vulnerable/.github/workflows/build.yml
examples/06-cache-prefix-collision/README.md
examples/06-cache-prefix-collision/expected-rules.txt
examples/06-cache-prefix-collision/.github/workflows/pr-test.yml
examples/06-cache-prefix-collision/.github/workflows/release.yml
examples/07-pull-request-target-checkout/README.md
examples/07-pull-request-target-checkout/expected-rules.txt
examples/07-pull-request-target-checkout/.github/workflows/_validate.yml
examples/07-pull-request-target-checkout/.github/workflows/caller.yml
examples/08-baseline-diff/README.md
examples/08-baseline-diff/after-fix/expected-rules.txt
examples/08-baseline-diff/after-fix/.github/workflows/release.yml
examples/08-baseline-diff/before-fix/expected-rules.txt
examples/08-baseline-diff/before-fix/.github/workflows/release.yml
scripts/inject_stride.py
scripts/render_readme.py
scripts/verify-examples.sh
taintly/__init__.py
taintly/__main__.py
taintly/baseline.py
taintly/config.py
taintly/engine.py
taintly/families.py
taintly/fixes.py
taintly/gitlab_taint.py
taintly/guides.py
taintly/iam_policy.py
taintly/models.py
taintly/pse_enrichment.py
taintly/scorer.py
taintly/taint.py
taintly/transitive.py
taintly/workflow_context.py
taintly/workflow_corpus.py
taintly/yaml_path.py
taintly.egg-info/PKG-INFO
taintly.egg-info/SOURCES.txt
taintly.egg-info/dependency_links.txt
taintly.egg-info/entry_points.txt
taintly.egg-info/requires.txt
taintly.egg-info/top_level.txt
taintly/ingestion/__init__.py
taintly/ingestion/github_api.py
taintly/ingestion/gitlab_api.py
taintly/parsers/__init__.py
taintly/parsers/common.py
taintly/parsers/github.py
taintly/parsers/gitlab.py
taintly/platform/__init__.py
taintly/platform/github_checks.py
taintly/platform/github_client.py
taintly/platform/gitlab_checks.py
taintly/platform/gitlab_client.py
taintly/platform/jenkins_checks.py
taintly/platform/jenkins_client.py
taintly/platform/token.py
taintly/reporters/__init__.py
taintly/reporters/_encoding.py
taintly/reporters/csv_report.py
taintly/reporters/html_report.py
taintly/reporters/json_report.py
taintly/reporters/sarif.py
taintly/reporters/score_text.py
taintly/reporters/text.py
taintly/rules/__init__.py
taintly/rules/_build_tools.py
taintly/rules/registry.py
taintly/rules/github/__init__.py
taintly/rules/github/ai.py
taintly/rules/github/cross_workflow.py
taintly/rules/github/lotp.py
taintly/rules/github/pse.py
taintly/rules/github/sec10_logging_visibility.py
taintly/rules/github/sec1_sec5_sec6_sec7_sec9.py
taintly/rules/github/sec2_sec6_iam_credentials.py
taintly/rules/github/sec3_sec4_supply_chain_ppe.py
taintly/rules/github/sec4_ppe_extended.py
taintly/rules/github/sec8_ungoverned_services.py
taintly/rules/github/taint.py
taintly/rules/gitlab/__init__.py
taintly/rules/gitlab/ai.py
taintly/rules/gitlab/lotp.py
taintly/rules/gitlab/sec1_sec4_sec6_sec7_sec9.py
taintly/rules/gitlab/sec2_sec4_sec6_sec8_sec9_sec10.py
taintly/rules/gitlab/sec3_sec6_supply_chain_creds.py
taintly/rules/gitlab/sec8_ungoverned_services.py
taintly/rules/gitlab/taint.py
taintly/rules/jenkins/__init__.py
taintly/rules/jenkins/ai.py
taintly/rules/jenkins/lotp.py
taintly/rules/jenkins/sec_jenkins.py
taintly/rules/jenkins/taint.py
taintly/testing/__init__.py
taintly/testing/integration_tests.py
taintly/testing/mutations.py
taintly/testing/self_test.py
taintly/testing/fixtures/README.md
taintly/testing/fixtures/github_all_findings.yml
taintly/testing/fixtures/github_prt_checkout.yml
taintly/testing/fixtures/github_unpinned_actions.yml
taintly/testing/fixtures/gitlab_all_findings.yml
templates/taintly.gitlab-ci.yml
templates/taintly/README.md
templates/taintly/template.yml
tests/__init__.py
tests/conftest.py
tests/benchmark/__init__.py
tests/benchmark/conftest.py
tests/benchmark/test_fixtures.py
tests/evasion/README.md
tests/evasion/anchor_merge_inject.yml
tests/evasion/base64_shell.yml
tests/evasion/cross_job_output_routing.yml
tests/evasion/github_env_heredoc.yml
tests/evasion/orphaned_sha.yml
tests/evasion/shell_export_unsecure.yml
tests/evasion/test_evasion.py
tests/evasion/variable_indirection.yml
tests/fixtures/github/edge_cases/crlf_endings.yml
tests/fixtures/github/edge_cases/deeply_nested.yml
tests/fixtures/github/edge_cases/empty.yml
tests/fixtures/github/safe/fully_hardened.yml
tests/fixtures/github/vulnerable/ai_agent_cli_on_pr.yml
tests/fixtures/github/vulnerable/ai_agent_dangerous_flags.yml
tests/fixtures/github/vulnerable/ai_agent_on_pr.yml
tests/fixtures/github/vulnerable/ai_agent_output_to_shell.yml
tests/fixtures/github/vulnerable/ai_agent_with_pr_checkout.yml
tests/fixtures/github/vulnerable/ai_hf_no_revision.yml
tests/fixtures/github/vulnerable/ai_joblib_load.yml
tests/fixtures/github/vulnerable/ai_llm_output_to_shell.yml
tests/fixtures/github/vulnerable/ai_mcp_privileged.yml
tests/fixtures/github/vulnerable/ai_mcp_unpinned.yml
tests/fixtures/github/vulnerable/ai_no_model_scanner.yml
tests/fixtures/github/vulnerable/ai_prompt_injection_surface.yml
tests/fixtures/github/vulnerable/ai_torch_load_unsafe.yml
tests/fixtures/github/vulnerable/ai_trust_remote_code.yml
tests/fixtures/github/vulnerable/injection_run_block.yml
tests/fixtures/github/vulnerable/ppe_classic.yml
tests/fixtures/github/vulnerable/taint_agent_output.yml
tests/fixtures/github/vulnerable/write_all_permissions.yml
tests/fixtures/gitlab/safe/fully_hardened.yml
tests/fixtures/gitlab/vulnerable/ai_agent_cli_on_mr.yml
tests/fixtures/gitlab/vulnerable/ai_hf_no_revision.yml
tests/fixtures/gitlab/vulnerable/ai_joblib_load.yml
tests/fixtures/gitlab/vulnerable/ai_llm_output_to_shell.yml
tests/fixtures/gitlab/vulnerable/ai_no_model_scanner.yml
tests/fixtures/gitlab/vulnerable/ai_prompt_injection_surface.yml
tests/fixtures/gitlab/vulnerable/ai_torch_load_unsafe.yml
tests/fixtures/gitlab/vulnerable/ai_trust_remote_code.yml
tests/fixtures/gitlab/vulnerable/artifacts_no_access.yml
tests/fixtures/gitlab/vulnerable/cache_no_key.yml
tests/fixtures/gitlab/vulnerable/debug_trace.yml
tests/fixtures/gitlab/vulnerable/deploy_no_resource_group.yml
tests/fixtures/gitlab/vulnerable/dind_no_tls.yml
tests/fixtures/gitlab/vulnerable/docker_auth_config.yml
tests/fixtures/gitlab/vulnerable/download_no_checksum.yml
tests/fixtures/gitlab/vulnerable/long_lived_cloud_creds.yml
tests/fixtures/gitlab/vulnerable/mr_pipeline_docker_push.yml
tests/fixtures/gitlab/vulnerable/pipeline_source_only.yml
tests/fixtures/gitlab/vulnerable/print_job_token.yml
tests/fixtures/gitlab/vulnerable/prod_no_approval.yml
tests/fixtures/gitlab/vulnerable/registry_override.yml
tests/fixtures/gitlab/vulnerable/security_gate_allow_failure.yml
tests/fixtures/gitlab/vulnerable/service_latest.yml
tests/fixtures/gitlab/vulnerable/trigger_with_job_token.yml
tests/fixtures/gitlab/vulnerable/unquoted_commit_message.yml
tests/fixtures/gitlab/vulnerable/unquoted_ref_name.yml
tests/fixtures/gitlab/vulnerable/wget_pipe_bash.yml
tests/fixtures/jenkins/realistic/java_library_ci.Jenkinsfile
tests/fixtures/jenkins/realistic/plugin_ci_build.Jenkinsfile
tests/fixtures/jenkins/realistic/release_pipeline.Jenkinsfile
tests/fixtures/jenkins/realistic/web_app_deploy.Jenkinsfile
tests/fixtures/jenkins/safe/Jenkinsfile
tests/fixtures/jenkins/vulnerable/agent_any.Jenkinsfile
tests/fixtures/jenkins/vulnerable/ai_joblib_load.Jenkinsfile
tests/fixtures/jenkins/vulnerable/ai_llm_output_to_shell.Jenkinsfile
tests/fixtures/jenkins/vulnerable/ai_torch_load_unsafe.Jenkinsfile
tests/fixtures/jenkins/vulnerable/ai_trust_remote_code.Jenkinsfile
tests/fixtures/jenkins/vulnerable/archive_no_fingerprint.Jenkinsfile
tests/fixtures/jenkins/vulnerable/bat_interpolation.Jenkinsfile
tests/fixtures/jenkins/vulnerable/cloud_creds_env.Jenkinsfile
tests/fixtures/jenkins/vulnerable/credential_echo.Jenkinsfile
tests/fixtures/jenkins/vulnerable/credentials_from_params.Jenkinsfile
tests/fixtures/jenkins/vulnerable/curl_insecure.Jenkinsfile
tests/fixtures/jenkins/vulnerable/curl_pipe_bash.Jenkinsfile
tests/fixtures/jenkins/vulnerable/docker_image_latest_step.Jenkinsfile
tests/fixtures/jenkins/vulnerable/docker_latest.Jenkinsfile
tests/fixtures/jenkins/vulnerable/docker_registry_null_creds.Jenkinsfile
tests/fixtures/jenkins/vulnerable/dynamic_groovy_eval.Jenkinsfile
tests/fixtures/jenkins/vulnerable/grab_no_version.Jenkinsfile
tests/fixtures/jenkins/vulnerable/hardcoded_credential.Jenkinsfile
tests/fixtures/jenkins/vulnerable/http_checkout.Jenkinsfile
tests/fixtures/jenkins/vulnerable/input_no_submitter.Jenkinsfile
tests/fixtures/jenkins/vulnerable/no_disable_concurrent.Jenkinsfile
tests/fixtures/jenkins/vulnerable/no_post_always.Jenkinsfile
tests/fixtures/jenkins/vulnerable/no_timeout.Jenkinsfile
tests/fixtures/jenkins/vulnerable/node_no_label.Jenkinsfile
tests/fixtures/jenkins/vulnerable/params_injection.Jenkinsfile
tests/fixtures/jenkins/vulnerable/password_param.Jenkinsfile
tests/fixtures/jenkins/vulnerable/pr_author_injection.Jenkinsfile
tests/fixtures/jenkins/vulnerable/println_credential.Jenkinsfile
tests/fixtures/jenkins/vulnerable/prod_deploy_no_input.Jenkinsfile
tests/fixtures/jenkins/vulnerable/remote_groovy_script.Jenkinsfile
tests/fixtures/jenkins/vulnerable/scm_env_injection.Jenkinsfile
tests/fixtures/jenkins/vulnerable/unpinned_shared_library.Jenkinsfile
tests/fixtures/jenkins/vulnerable/wget_no_checksum.Jenkinsfile
tests/fixtures/jenkins/vulnerable/writefile_private_key.Jenkinsfile
tests/fixtures/precision/pinned_reusable_minimal.yml
tests/fixtures/precision/placeholder_password.yml
tests/fixtures/precision/pr_target_benign.yml
tests/fixtures/precision/unpinned_release.yml
tests/fixtures/precision/workflow_dispatch_safe_input.yml
tests/fuzz/__init__.py
tests/fuzz/test_fuzz_yaml.py
tests/integration/__init__.py
tests/integration/conftest.py
tests/integration/oracle-coverage.json
tests/integration/test_all_rules_clean.py
tests/integration/test_ci_integration.py
tests/integration/test_grammar_oracle.py
tests/integration/test_grammar_oracle_mutations.py
tests/integration/test_grammar_oracle_properties.py
tests/integration/test_real_world_regression.py
tests/unit/__init__.py
tests/unit/test_audit_findings.py
tests/unit/test_baseline.py
tests/unit/test_build_tools.py
tests/unit/test_config_suppressions.py
tests/unit/test_corpus.py
tests/unit/test_cross_workflow_rules.py
tests/unit/test_detection_improvements.py
tests/unit/test_engine.py
tests/unit/test_families.py
tests/unit/test_fixes.py
tests/unit/test_gitlab_taint.py
tests/unit/test_html_report.py
tests/unit/test_iam_policy.py
tests/unit/test_invariant_properties.py
tests/unit/test_lotp.py
tests/unit/test_models.py
tests/unit/test_parsers.py
tests/unit/test_pattern_properties.py
tests/unit/test_platform_github.py
tests/unit/test_platform_gitlab.py
tests/unit/test_platform_token.py
tests/unit/test_precision_fixtures.py
tests/unit/test_pse_enrichment.py
tests/unit/test_readme_counts.py
tests/unit/test_reporter_snapshots.py
tests/unit/test_reporters.py
tests/unit/test_scorer_v2.py
tests/unit/test_taint.py
tests/unit/test_workflow_context.py
tests/unit/test_workflow_corpus.py
tests/unit/test_yaml_path.py
tests/unit/_snapshots/reporters/report.csv
tests/unit/_snapshots/reporters/report.html
tests/unit/_snapshots/reporters/report.json
tests/unit/_snapshots/reporters/report.sarif.json
tests/unit/_snapshots/reporters/report.txt