Bump the major group across 1 directory with 9 updates #8
security-pr.yml Required
on: pull_request
semgrep-oss/scan (22s)
zizmor (10s)
Annotations
7 errors and 11 warnings
cache-poisoning (.github/workflows/make-release.yml#L54)
make-release.yml:54: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here

cache-poisoning (.github/workflows/make-release.yml#L49)
make-release.yml:49: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here

cache-poisoning (.github/workflows/make-release.yml#L44)
make-release.yml:44: runtime artifacts potentially vulnerable to a cache poisoning attack: cache enabled by default here

template-injection (.github/workflows/make-release.yml#L118)
make-release.yml:118: code injection via template expansion: may expand into attacker-controllable code

template-injection (.github/workflows/make-release.yml#L117)
make-release.yml:117: code injection via template expansion: may expand into attacker-controllable code

template-injection (.github/workflows/make-release.yml#L70)
make-release.yml:70: code injection via template expansion: may expand into attacker-controllable code

excessive-permissions (.github/workflows/make-release.yml#L6)
make-release.yml:6: overly broad permissions: contents: write is overly broad at the workflow level

excessive-permissions (.github/workflows/update-spec-for-repos.yml#L16)
update-spec-for-repos.yml:16: overly broad permissions: default permissions used due to no permissions: block

artipacked (.github/workflows/update-spec-for-repos.yml#L31)
update-spec-for-repos.yml:31: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

artipacked (.github/workflows/update-spec-for-repos.yml#L29)
update-spec-for-repos.yml:29: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

artipacked (.github/workflows/make-release.yml#L94)
make-release.yml:94: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

artipacked (.github/workflows/make-release.yml#L16)
make-release.yml:16: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

artipacked (.github/workflows/cargo-test.yml#L31)
cargo-test.yml:31: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

artipacked (.github/workflows/cargo-fmt.yml#L34)
cargo-fmt.yml:34: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

excessive-permissions (.github/workflows/cargo-clippy.yml#L22)
cargo-clippy.yml:22: overly broad permissions: default permissions used due to no permissions: block

artipacked (.github/workflows/cargo-clippy.yml#L33)
cargo-clippy.yml:33: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

artipacked (.github/workflows/cargo-build.yml#L34)
cargo-build.yml:34: credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

zizmor (job warning)
No file matched to [/home/runner/work/machine-api/machine-api/**/*requirements*.txt,/home/runner/work/machine-api/machine-api/**/*requirements*.in,/home/runner/work/machine-api/machine-api/**/*constraints*.txt,/home/runner/work/machine-api/machine-api/**/*constraints*.in,/home/runner/work/machine-api/machine-api/**/pyproject.toml,/home/runner/work/machine-api/machine-api/**/uv.lock,/home/runner/work/machine-api/machine-api/**/*.py.lock]. The cache will never get invalidated. Make sure you have checked out the target repository and configured the cache-dependency-glob input correctly.