Update api spec #40
security-pr.yml Required
on: pull_request
semgrep-oss/scan
28s
zizmor
10s
Annotations
10 errors and 11 warnings
cache-poisoning:
.github/workflows/make-release.yml#L52
make-release.yml:52: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here
cache-poisoning:
.github/workflows/make-release.yml#L47
make-release.yml:47: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here
cache-poisoning:
.github/workflows/make-release.yml#L42
make-release.yml:42: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here
template-injection:
.github/workflows/make-release.yml#L116
make-release.yml:116: code injection via template expansion: may expand into attacker-controllable code
template-injection:
.github/workflows/make-release.yml#L115
make-release.yml:115: code injection via template expansion: may expand into attacker-controllable code
template-injection:
.github/workflows/make-release.yml#L68
make-release.yml:68: code injection via template expansion: may expand into attacker-controllable code
excessive-permissions:
.github/workflows/make-release.yml#L6
make-release.yml:6: overly broad permissions: contents: write is overly broad at the workflow level
cache-poisoning:
.github/workflows/generate-website-docs.yml#L32
generate-website-docs.yml:32: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here
cache-poisoning:
.github/workflows/generate-website-docs.yml#L27
generate-website-docs.yml:27: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here
cache-poisoning:
.github/workflows/generate-website-docs.yml#L22
generate-website-docs.yml:22: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here
artipacked:
.github/workflows/make-cross.yml#L26
make-cross.yml:26: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
excessive-permissions:
.github/workflows/generate-website-docs.yml#L14
generate-website-docs.yml:14: overly broad permissions: default permissions used due to no permissions: block
artipacked:
.github/workflows/generate-website-docs.yml#L52
generate-website-docs.yml:52: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
artipacked:
.github/workflows/generate-website-docs.yml#L18
generate-website-docs.yml:18: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
artipacked:
.github/workflows/cargo-test.yml#L26
cargo-test.yml:26: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
artipacked:
.github/workflows/cargo-fmt.yml#L23
cargo-fmt.yml:23: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
excessive-permissions:
.github/workflows/cargo-clippy.yml#L15
cargo-clippy.yml:15: overly broad permissions: default permissions used due to no permissions: block
artipacked:
.github/workflows/cargo-clippy.yml#L19
cargo-clippy.yml:19: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
excessive-permissions:
.github/workflows/cargo-build-stable.yml#L22
cargo-build-stable.yml:22: overly broad permissions: default permissions used due to no permissions: block
artipacked:
.github/workflows/cargo-build-stable.yml#L26
cargo-build-stable.yml:26: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false
zizmor
No file matched to [/home/runner/work/cli/cli/**/*requirements*.txt,/home/runner/work/cli/cli/**/*requirements*.in,/home/runner/work/cli/cli/**/*constraints*.txt,/home/runner/work/cli/cli/**/*constraints*.in,/home/runner/work/cli/cli/**/pyproject.toml,/home/runner/work/cli/cli/**/uv.lock,/home/runner/work/cli/cli/**/*.py.lock]. The cache will never get invalidated. Make sure you have checked out the target repository and configured the cache-dependency-glob input correctly.