First Seen
Feb 19, 2026
Last Scanned
Feb 22, 2026
Findings
8
Score
100/100
Findings (8)
Detects system-level package installation via brew, apt, yum, or dnf
brew install gPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.
Detects go install fetching and compiling arbitrary Go packages
go install github.com/gitleaks/gitleaks/v8@Pin Go install targets to a specific version (e.g., go install example.com/tool@v1.2.3). Avoid @latest as it fetches whatever is currently published.
Likely FP if the go install target is a well-known tool (e.g., golang.org/x/ packages) pinned to a specific version in documentation.
Detects system-level package installation via brew, apt, yum, or dnf
brew install tPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.
Detects pulling and running Docker images from external registries
docker pull trufflesecurity/trufflehogPin Docker images to a specific digest (e.g., image@sha256:abc...) instead of using mutable tags like :latest. Use trusted base images from verified publishers.
Likely FP if the Docker command pulls a well-known official image (e.g., docker pull python:3.11) in setup documentation.
Detects system-level package installation via brew, apt, yum, or dnf
brew install gPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.
Detects git clone of repositories followed by execution of cloned content
git clone https://github.com/awslabs/git-secrets.git + make installReview the dependency tree for nested or transitive dependencies that introduce risk. Use tools like npm audit or pip-audit to identify known vulnerabilities in the dependency chain.
Likely FP if the flagged dependency is a standard, widely-used library with no known vulnerabilities at the time of scanning.
Detects cron jobs or scheduled tasks that execute commands
crontab -eValidate cron expressions and scheduled commands against an allowlist. Ensure scheduled tasks cannot be modified by untrusted input and log all cron job changes.
Likely FP if the match is a documentation reference to crontab syntax or a short mention of cron in a description of scheduling concepts.
Detects system-level package installation via brew, apt, yum, or dnf
brew install bPin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.