TAINTLY REPORT

Repository: /snapshot/repo
Platform: github
Generated: 2026-01-01T00:00:00

Executive summary

4 distinct risks
1 review-needed
5 total findings
4 files scanned
CRITICAL 1 · HIGH 1 · MEDIUM 1 · LOW 2
Quick win
CRITICAL SEC3-GH-001: Action referenced by mutable tag (auto-fixable via --fix)
Location: .github/workflows/ci.yml:12
Fix: Pin the action to a full 40-character commit SHA.

Top distinct risks (4)

CRITICAL  expl:high  Mutable dependency references  (1 finding · 1 file)

Actions, reusable workflows, and includes referenced by tag or branch can be moved to point at different code (a tag re-pushed, a branch force-pushed) without any record in your repository's history. Pin every external dependency to a full 40-character commit SHA, keeping the tag in a trailing comment so the pin stays readable.

Rules: SEC3-GH-001
Sev       Rule          Location                         Title
CRITICAL  SEC3-GH-001   .github/workflows/ci.yml:12      Action referenced by mutable tag
HIGH  expl:high  Agent Credential Chain  (1 finding · 1 file)
Rules: PSE-GH-001
Sev       Rule          Location                         Title
HIGH      PSE-GH-001    .github/workflows/agent.yml:24   AI agent with cloud-credential grant on a fork-reachable event
MEDIUM  Excessive Permissions  (1 finding · 1 file)
Rules: SEC2-GH-002
Sev       Rule          Location                         Title
MEDIUM    SEC2-GH-002   .github/workflows/ci.yml:1       Missing top-level permissions block
LOW  File size 60000 bytes exceeds scanner cap (50000)  (1 finding · 1 file)

big.yml exceeds the scanner's size cap, so it carries no rule findings in this report; the counts above do not cover it.
Rules: ENGINE-ERR
Sev       Rule          Location                         Title
LOW       ENGINE-ERR    .github/workflows/big.yml:0      File size 60000 bytes exceeds scanner cap (50000)

Review-needed patterns (1)

LOW  Taint To Run Block  (1 finding · 1 file)
Rules: TAINT-GH-001
Sev       Rule          Location                         Title
LOW       TAINT-GH-001  .github/workflows/ci.yml:42      Possible taint flow
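The three workflow rules in this report (SEC3-GH-001 mutable references, SEC2-GH-002 missing top-level permissions, TAINT-GH-001 taint into a run block) can be reconstructed as a small line-based checker. The block below is an added example, not Taintly's own code; the report does not show the rules' actual heuristics, so the regexes, the sample workflow and the tag-to-SHA map passed to `pin_uses` are assumptions made for illustration.

```python
# Added example, not Taintly's code: a line-based reconstruction of three
# checks in this report plus the SHA-pin rewrite its "Fix" line describes.
# The rules' real heuristics are not on the page; these are assumptions.
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")
# Attacker-controllable inputs: github.event.* and github.head_ref. This
# over-approximates (some event fields are harmless), which is why the report
# files the rule under "review-needed" rather than as a confirmed risk.
TAINT_RE = re.compile(r"\$\{\{\s*github\.(?:event\.[^}]+|head_ref)\s*\}\}")

# Constructed sample workflow; the 40 zeros stand in for a real commit SHA.
SAMPLE = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local
      - name: greet
        run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
      - name: safe
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "$TITLE"
"""

def find_mutable_uses(text):
    """SEC3-GH-001: `uses:` entries whose ref is not a full 40-hex commit SHA."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")) or "@" not in ref:
            continue  # local and container actions carry no git ref
        if not SHA_RE.match(ref.rsplit("@", 1)[1]):
            hits.append((n, ref))
    return hits

def has_top_level_permissions(text):
    """SEC2-GH-002: a column-0 `permissions:` key sets the default token scope."""
    return any(line.startswith("permissions:") for line in text.splitlines())

def find_tainted_run_blocks(text):
    """TAINT-GH-001: an untrusted expression expanded inside a `run:` script."""
    lines, hits, i = text.splitlines(), [], 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        block = [(i + 1, m.group(3))]
        i += 1
        # Block-scalar continuation lines are indented deeper than the key.
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_indent):
            block.append((i + 1, lines[i]))
            i += 1
        for n, body in block:
            hits.extend((n, expr) for expr in TAINT_RE.findall(body))
    return hits

def scan(text, path="workflow.yml"):
    """Findings as (sev, rule, location, title) rows, like the report's tables."""
    rows = [("CRITICAL", "SEC3-GH-001", f"{path}:{n}",
             f"Action referenced by mutable tag: {ref}")
            for n, ref in find_mutable_uses(text)]
    if not has_top_level_permissions(text):
        rows.append(("MEDIUM", "SEC2-GH-002", f"{path}:1",
                     "Missing top-level permissions block"))
    rows += [("LOW", "TAINT-GH-001", f"{path}:{n}", f"Possible taint flow: {expr}")
             for n, expr in find_tainted_run_blocks(text)]
    return rows

def pin_uses(text, resolved):
    """Rewrite `owner/repo@tag` to `owner/repo@<sha> # tag`. Resolving a tag to
    a SHA needs the network, so the caller supplies the tag->SHA map."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and m.group(1) in resolved:
            action, tag = m.group(1).rsplit("@", 1)
            line = line.replace(m.group(1), f"{action}@{resolved[m.group(1)]} # {tag}")
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `scan(SAMPLE, ".github/workflows/ci.yml")` yields one row per rule: the `@v4` reference on line 8, the missing `permissions:` block reported at line 1 (as in the report's own ci.yml:1 row), and the interpolated PR title on line 13. The second step in the sample, which passes the same title through `env:` and reads `$TITLE` in the shell, is deliberately not flagged: the shell receives a variable, not spliced text, so the value cannot break out of the command. `pin_uses` performs the rewrite the "Quick win" describes once tags have been resolved to SHAs; re-running `find_mutable_uses` on its output returns nothing.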

All findings (5)

Sev       Rule          Location                         Title
CRITICAL  SEC3-GH-001   .github/workflows/ci.yml:12      Action referenced by mutable tag
HIGH      PSE-GH-001    .github/workflows/agent.yml:24   AI agent with cloud-credential grant on a fork-reachable event
MEDIUM    SEC2-GH-002   .github/workflows/ci.yml:1       Missing top-level permissions block
LOW       TAINT-GH-001  .github/workflows/ci.yml:42      Possible taint flow
LOW       ENGINE-ERR    .github/workflows/big.yml:0      File size 60000 bytes exceeds scanner cap (50000)