Skill Being Reviewed
skills/devsecops/pipeline-security
Review Focus
The skill maps CI/CD review to SLSA v1.0 and OWASP CI/CD risks, including flow control, IAM, dependency chain abuse, poisoned pipeline execution, credential hygiene, artifact integrity, and logging. The gap I found is third-party action provenance and pinning depth. A workflow can look scripted and hosted while still executing mutable third-party actions or containers that are not pinned, attested, or reviewed.
Coverage Gap
Please add checks for third-party action/container provenance:
- GitHub Actions should be pinned to immutable commit SHA or a trusted internally mirrored action, not floating tags.
- Docker actions and build containers should be pinned by digest where feasible.
- Reusable workflows should be version-pinned and reviewed like dependencies.
- Renovation/update policy should exist for pinned actions so security fixes are not missed.
- Artifact attestations should identify not only the build output but also the workflow/action inputs that produced it.
False Positive Analysis
Floating tags may be acceptable for low-impact lint-only workflows with read-only permissions and no secret access. The skill should prioritize workflows with write tokens, deployment credentials, release publishing, artifact signing, or production environment access.
Edge Cases
- First-party actions in the same organization can still be mutable if branch refs are used.
- Self-hosted runners raise the impact of mutable actions because runner state and network access may persist.
- A pinned action can still download an unpinned script at runtime.
- Cache restore keys can reintroduce untrusted state even when the action itself is pinned.
Suggested Acceptance Criteria
- Add immutable action/container pinning checks.
- Require review of reusable workflows as supply-chain dependencies.
- Add exception guidance for read-only, low-impact jobs.
- Tie artifact attestation review to workflow/action inputs, not only output digest.
Bounty Info
This is submitted as a skill review bounty claim. Preferred payout: PayPal samik4184@gmail.com.
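A sketch of the pinning check requested above, added here as an illustration; it is not part of the skill or of this review. It scans workflow text for `uses:` and container references, flags anything not pinned to a full commit SHA or image digest, and raises the priority when the workflow shows secrets, write scopes or self-hosted runners. Assumptions: the org/action names, SHA and digest in the sample are constructed, the sensitivity markers are a workflow-level heuristic, and runtime downloads and cache restore keys are out of scope.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
IMAGE = re.compile(r"^\s*(?:container|image):\s*['\"]?([^'\"\s#]+)")
SHA = re.compile(r"^[0-9a-f]{40}$")
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# Assumed markers of a higher-impact workflow: secrets, write scopes, self-hosted runners.
SENSITIVE = re.compile(r"secrets\.|:\s*write\b|write-all|self-hosted")

def classify(ref, kind):
    """Return 'local', 'pinned' or 'mutable' for one reference."""
    if ref.startswith("./"):
        return "local"  # same-repository action, versioned with the workflow
    if kind == "image" or ref.startswith("docker://"):
        return "pinned" if DIGEST.search(ref) else "mutable"
    rev = ref.rpartition("@")[2]  # also covers reusable workflows (owner/repo/path@ref)
    return "pinned" if SHA.match(rev) else "mutable"

def audit(workflow_text):
    """Line scan (not a YAML parser): (line_no, ref, status, priority) per reference."""
    sensitive = bool(SENSITIVE.search(workflow_text))
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        for kind, pattern in (("uses", USES), ("image", IMAGE)):
            m = pattern.match(line)
            if m:
                status = classify(m.group(1), kind)
                priority = "none" if status != "mutable" else ("high" if sensitive else "low")
                findings.append((no, m.group(1), status, priority))
    return findings

# Constructed sample input: hypothetical org/action names, made-up SHA and digest.
COMMIT = "0123456789abcdef" * 2 + "01234567"
DIGEST_HEX = "0123456789abcdef" * 4
LINT = "permissions:\n  contents: read\njobs:\n  lint:\n    steps:\n      - uses: actions/checkout@v4\n"
RELEASE = f"""permissions:
  contents: write
jobs:
  call:
    uses: example-org/shared/.github/workflows/build.yml@main
  release:
    runs-on: ubuntu-latest
    container: ghcr.io/example-org/builder@sha256:{DIGEST_HEX}
    steps:
      - uses: actions/checkout@{COMMIT}
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/sign
"""

if __name__ == "__main__": print(*audit(RELEASE), sep="\n")
```

The floating tag in the read-only lint workflow comes back as low priority, while the branch-pinned reusable workflow and the tag-pinned Docker action in the release workflow come back as high.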