gitlab-cicd-pipeline

skills-sh:aj-geddes_useful-ai-prompts__gitlab-cicd-pipeline

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Git clone and execute chain SUPPLY_012

supply-chain L113

Detects git clone of repositories followed by execution of cloned content

git clone https://github.com/aquasecurity/trivy.git + cd backend && npm run

FIX

Review the dependency tree for nested or transitive dependencies that introduce risk. Use tools like npm audit or pip-audit to identify known vulnerabilities in the dependency chain.

FP?

Likely FP if the flagged dependency is a standard, widely-used library with no known vulnerabilities at the time of scanning.

LOW

Global package installation EXTDL_004

external-download L311

Detects global installation of packages which affects the host system

npm install -g s

FIX

Replace npm install -g with a local install (npm install --save-dev) or use npx with a pinned version. Global installs modify the system and risk supply chain attacks.

FP?

Likely FP if the global install is for a well-known CLI tool (e.g., typescript, eslint) in setup documentation, though the supply chain risk remains real.