First Seen: Feb 18, 2026
Last Scanned: Feb 20, 2026
Findings: 2
Score: 92/100
Findings (2)
Detects conditional execution based on CI environment variables combined with dangerous commands
${{ secrets.GITHUB_TOKEN + python -c
Pin all dependencies to exact versions with integrity hashes. Use lock files (package-lock.json, poetry.lock) and enable checksum verification in your package manager.
Likely FP if the match is documentation about dependency management best practices rather than actual unpinned dependency declarations.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
get --no-verbose --tries=1 --spider http:// + Setting
Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.