First Seen: Feb 18, 2026
Last Scanned: Feb 20, 2026
Findings: 4
Score: 76/100
Findings (4)
Rule: Detects conditional execution based on CI environment variables combined with dangerous commands
Match: ${{ secrets.GITHUB_TOKEN + child_process
Remediation: Pin all dependencies to exact versions with integrity hashes. Use lock files (package-lock.json, poetry.lock) and enable checksum verification in your package manager.
Note: Likely FP if the match is documentation about dependency management best practices rather than actual unpinned dependency declarations.
Rule: Detects Node.js child_process methods for command execution
Match: execSync('
Remediation: Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.
Note: Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).
Rule: Detects Node.js child_process methods for command execution
Match: execSync(`
Remediation: Use execFile() or spawn() with explicit argument arrays instead of exec() with a shell string. Validate all inputs before passing to child_process methods.
Note: Likely FP if the match is in a README code example or package.json script field that runs a well-known CLI tool (e.g., eslint, tsc).
Rule: Detects system-level package installation via brew, apt, yum, or dnf
Match: apt-get install k
Remediation: Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.
Note: Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.