SLSA Build Track
- Version: 1.0
- URL: https://slsa.dev/spec/v1.0/
- Source of truth: pipeline_check/core/standards/data/slsa.py
SLSA (Supply-chain Levels for Software Artifacts) is the framework for measuring how trustworthy a build pipeline's outputs are. The checks below evidence the Build track requirements (L1 -> L3), which are the slice this scanner can reason about from pipeline configuration alone.
Use this page when you need to defend "we ship SLSA L2" / "we're working toward L3" with concrete control evidence rather than narrative. Pair with OpenSSF Scorecard for project-health context and SCM posture for the source-control side of the chain.
At a glance
- Controls in this standard: 7
- Controls evidenced by at least one check: 6 / 7
- Distinct checks evidencing this standard: 695
- Of those, autofixable with --fix: 101
Severity levels (CRITICAL / HIGH / MEDIUM / LOW / INFO) follow the same scale across every provider and standard. See How to read severity on the standards overview for the definitions.
Coverage by control
Click a control ID to jump to the per-control section with the full check list. The severity mix column shows the spread of evidencing checks by severity (Critical / High / Medium / Low / Info).
| Control | Title | Checks | Severity mix |
|---|---|---|---|
| Build.L1.Scripted | Build L1: Build process is fully defined and automated (scripted build) | 0 | — |
| Build.L1.Provenance | Build L1: Provenance describing how the artifact was produced is generated | 46 | 5H · 31M · 10L |
| Build.L2.Hosted | Build L2: Builds run on a hosted build platform (not a developer workstation) | 9 | 3H · 6M |
| Build.L2.Signed | Build L2: Provenance is authenticated and cannot be forged by tenants | 46 | 9H · 34M · 3L |
| Build.L3.Isolated | Build L3: Build runs in an isolated environment not influenced by other builds | 220 | 30C · 144H · 41M · 5L |
| Build.L3.Ephemeral | Build L3: Build environment is ephemeral and provisioned fresh for each run | 23 | 3H · 14M · 6L |
| Build.L3.NonFalsifiable | Build L3: Provenance cannot be falsified by the build's own tenant | 425 | 50C · 220H · 139M · 15L · 1I |
Filter at runtime
Restrict a scan to checks that evidence this standard with --standard slsa:
```bash
# All providers, only checks tied to this standard
pipeline_check --standard slsa

# Compose with --pipeline to scope by provider
pipeline_check --pipeline github --standard slsa

# Compose with another standard to widen the lens
pipeline_check --pipeline aws --standard slsa --standard owasp_cicd_top_10
```
Controls in scope
Build.L1.Scripted: Build L1: Build process is fully defined and automated (scripted build)
The build is fully scripted, with no manual steps that produce artifacts. This is required to make any further provenance claim meaningful.
No checks in this scanner currently evidence this control. Open an issue if your team would value coverage.
Build.L1.Provenance: Build L1: Provenance describing how the artifact was produced is generated
The build emits a signed statement describing how the artifact was produced (builder, source, parameters).
Evidenced by 46 checks across 16 providers (AWS, Argo Workflows, Azure DevOps, Bitbucket, Buildkite, CircleCI, Cloud Build, Dockerfile, Drone CI, GitHub Actions, GitLab CI, Harness CI/CD, Helm, Jenkins, OCI manifest, Tekton).
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ADO-007 | SBOM not produced | MEDIUM | Azure DevOps | |
| ADO-024 | No SLSA provenance attestation produced | MEDIUM | Azure DevOps | |
| ARGO-010 | No SBOM generated for build artifacts | MEDIUM | Argo Workflows | |
| ARGO-011 | No SLSA provenance attestation produced | MEDIUM | Argo Workflows | |
| ATTEST-002 | SLSA provenance source-repo claim is missing or unverifiable | HIGH | OCI manifest | |
| ATTEST-003 | SBOM contains floating-version dependencies | MEDIUM | OCI manifest | |
| ATTEST-004 | SLSA provenance ships without a resolved-dependencies set | MEDIUM | OCI manifest | |
| ATTEST-006 | SLSA provenance lacks a meaningful buildType | MEDIUM | OCI manifest | |
| ATTEST-007 | SBOM packages lack supplier / originator attribution | LOW | OCI manifest | |
| BB-007 | SBOM not produced | MEDIUM | Bitbucket | |
| BB-024 | No SLSA provenance attestation produced | MEDIUM | Bitbucket | |
| BK-010 | No SBOM generated for build artifacts | MEDIUM | Buildkite | |
| BK-011 | No SLSA provenance attestation produced | MEDIUM | Buildkite | |
| CC-007 | SBOM not produced (no CycloneDX/syft/Trivy-SBOM step) | MEDIUM | CircleCI | |
| CC-024 | No SLSA provenance attestation produced | MEDIUM | CircleCI | |
| CP-002 | Artifact store not encrypted with customer-managed KMS key | MEDIUM | AWS | |
| DF-016 | Image lacks OCI provenance labels | LOW | Dockerfile | |
| DR-020 | No SBOM produced (no syft / cyclonedx step) | MEDIUM | Drone CI | |
| GCB-015 | SBOM not produced (no CycloneDX / syft / Trivy-SBOM step) | MEDIUM | Cloud Build | |
| GCB-017 | Image-producing build does not request SLSA provenance | MEDIUM | Cloud Build | |
| GCB-024 | Build pushes Docker images but top-level images: is empty | LOW | Cloud Build | |
| GHA-007 | SBOM not produced (no CycloneDX/syft/Trivy-SBOM step) | MEDIUM | GitHub Actions | |
| GHA-024 | No SLSA provenance attestation produced | MEDIUM | GitHub Actions | |
| GL-007 | SBOM not produced | MEDIUM | GitLab CI | |
| GL-024 | No SLSA provenance attestation produced | MEDIUM | GitLab CI | |
| HARNESS-016 | No SBOM produced (no syft / cyclonedx step) | MEDIUM | Harness CI/CD | |
| HELM-001 | Chart.yaml declares legacy apiVersion: v1 | MEDIUM | Helm | 🔧 fix |
| HELM-002 | Chart.lock missing per-dependency digests | HIGH | Helm | 🔧 fix |
| HELM-005 | Chart maintainers field empty or missing chain-of-custody info | LOW | Helm | |
| HELM-006 | Chart.yaml does not declare a kubeVersion compatibility range | LOW | Helm | |
| HELM-007 | Chart.yaml description field is empty or missing | LOW | Helm | |
| HELM-010 | Chart.yaml appVersion field is empty or missing | LOW | Helm | |
| HELM-011 | Chart dependency repository URL embeds plaintext credentials | HIGH | Helm | |
| HELM-012 | Chart marked deprecated without naming a successor | MEDIUM | Helm | |
| HELM-013 | Chart.yaml type field missing or invalid | MEDIUM | Helm | |
| HELM-014 | Chart dependency matches a known-compromised chart registry | HIGH | Helm | |
| JF-007 | SBOM not produced | MEDIUM | Jenkins | |
| JF-027 | archiveArtifacts does not record a fingerprint | LOW | Jenkins | |
| JF-028 | No SLSA provenance attestation produced | MEDIUM | Jenkins | |
| OCI-001 | Image manifest is missing OCI provenance annotations | MEDIUM | OCI manifest | |
| OCI-002 | Image is missing a build attestation manifest | HIGH | OCI manifest | |
| OCI-003 | Image manifest is missing the image.created annotation | LOW | OCI manifest | |
| OCI-005 | Image manifest is missing the image.licenses annotation | LOW | OCI manifest | |
| OCI-009 | Image manifest is missing OCI base-image annotations | MEDIUM | OCI manifest | |
| TKN-010 | No SBOM generated for build artifacts | MEDIUM | Tekton | |
| TKN-011 | No SLSA provenance attestation produced | MEDIUM | Tekton | |
Build.L2.Hosted: Build L2: Builds run on a hosted build platform (not a developer workstation)
Builds run on a managed build platform, not a developer workstation, so build identity and configuration are platform-controlled rather than user-controlled.
Evidenced by 9 checks across 8 providers (Azure DevOps, Bitbucket, CircleCI, GitHub Actions, GitLab CI, Jenkins, OCI manifest, SCM org governance).
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ADO-013 | Self-hosted pool without explicit ephemeral marker | MEDIUM | Azure DevOps | |
| ATTEST-001 | SLSA provenance attests an untrusted builder identity | HIGH | OCI manifest | |
| BB-016 | Self-hosted runner without ephemeral marker | MEDIUM | Bitbucket | |
| CC-010 | Self-hosted runner without ephemeral marker | MEDIUM | CircleCI | |
| GHA-012 | Self-hosted runner without ephemeral marker | MEDIUM | GitHub Actions | |
| GHA-105 | Self-hosted runner reachable from an untrusted PR trigger | HIGH | GitHub Actions | |
| GL-014 | Self-managed runner without ephemeral tag | MEDIUM | GitLab CI | |
| JF-014 | Agent label missing ephemeral marker | MEDIUM | Jenkins | |
| ORG-009 | Organization self-hosted runner group is available to public repositories | HIGH | SCM org governance | |
Build.L2.Signed: Build L2: Provenance is authenticated and cannot be forged by tenants
Provenance is cryptographically signed by the build platform; tenants of the platform cannot forge it.
Evidenced by 46 checks across 19 providers (AWS, Argo Workflows, Azure Cloud, Azure DevOps, Bitbucket, Buildkite, CircleCI, Cloud Build, Dockerfile, Drone CI, GCP, GitHub Actions, GitLab CI, Harness CI/CD, Jenkins, OCI manifest, SCM, Tekton, npm).
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ACR-003 | Container registry content trust not enabled | MEDIUM | Azure Cloud | |
| ADO-006 | Artifacts not signed | MEDIUM | Azure DevOps | |
| ADO-024 | No SLSA provenance attestation produced | MEDIUM | Azure DevOps | |
| ARGO-009 | Artifacts not signed (no cosign/sigstore step) | MEDIUM | Argo Workflows | |
| ARGO-011 | No SLSA provenance attestation produced | MEDIUM | Argo Workflows | |
| ATTEST-005 | In-toto Statement subject is missing or unpinned | HIGH | OCI manifest | |
| AZSQL-001 | SQL Server TDE does not use a customer-managed key | MEDIUM | Azure Cloud | |
| AZST-003 | Storage account not encrypted with customer-managed key | MEDIUM | Azure Cloud | |
| AZVM-001 | Virtual machine disks are not encrypted | HIGH | Azure Cloud | |
| BB-006 | Artifacts not signed | MEDIUM | Bitbucket | |
| BB-024 | No SLSA provenance attestation produced | MEDIUM | Bitbucket | |
| BK-009 | Artifacts not signed (no cosign/sigstore step) | MEDIUM | Buildkite | |
| BK-011 | No SLSA provenance attestation produced | MEDIUM | Buildkite | |
| CA-001 | CodeArtifact domain has no KMS encryptionKey configured | MEDIUM | AWS | |
| CC-006 | Artifacts not signed (no cosign/sigstore step) | MEDIUM | CircleCI | |
| CC-024 | No SLSA provenance attestation produced | MEDIUM | CircleCI | |
| CP-002 | Artifact store not encrypted with customer-managed KMS key | MEDIUM | AWS | |
| DF-016 | Image lacks OCI provenance labels | LOW | Dockerfile | |
| DR-019 | Artifacts not signed (no cosign/sigstore step) | MEDIUM | Drone CI | |
| ECR-002 | Image tags are mutable | HIGH | AWS | |
| ECR-005 | Repository encrypted with AES256 rather than KMS CMK | MEDIUM | AWS | |
| GCB-009 | Artifacts not signed (no cosign / sigstore step) | MEDIUM | Cloud Build | |
| GCB-017 | Image-producing build does not request SLSA provenance | MEDIUM | Cloud Build | |
| GCKMS-003 | KMS key not using HSM protection level | LOW | GCP | |
| GCKMS-006 | KMS key uses imported (external) key material | LOW | GCP | |
| GCS-004 | Cloud Storage bucket not encrypted with CMEK | MEDIUM | GCP | |
| GHA-006 | Artifacts not signed (no cosign/sigstore step) | MEDIUM | GitHub Actions | |
| GHA-024 | No SLSA provenance attestation produced | MEDIUM | GitHub Actions | |
| GHA-050 | Publish step relies on long-lived registry token | HIGH | GitHub Actions | |
| GL-006 | Artifacts not signed | MEDIUM | GitLab CI | |
| GL-024 | No SLSA provenance attestation produced | MEDIUM | GitLab CI | |
| GL-050 | Package-publish job relies on a long-lived registry token | HIGH | GitLab CI | |
| HARNESS-015 | Artifacts not signed (no cosign/sigstore step) | MEDIUM | Harness CI/CD | |
| JF-006 | Artifacts not signed | MEDIUM | Jenkins | |
| JF-028 | No SLSA provenance attestation produced | MEDIUM | Jenkins | |
| LMB-001 | Lambda function has no code-signing config | HIGH | AWS | |
| NPM-012 | .npmrc publish token lacks IP or readonly restriction | HIGH | npm | |
| OCI-002 | Image is missing a build attestation manifest | HIGH | OCI manifest | |
| SCM-006 | Default branch protection does not require signed commits | MEDIUM | SCM | |
| SCM-036 | Active ruleset doesn't require signed commits | MEDIUM | SCM | |
| SCM-043 | Tag-targeted ruleset doesn't require signed commits | MEDIUM | SCM | |
| SCM-044 | Default-branch signed-commits requirement bypassed for admins | MEDIUM | SCM | |
| SIGN-001 | No AWS Signer profile defined for Lambda deploys | MEDIUM | AWS | |
| SIGN-002 | AWS Signer profile is revoked or inactive | HIGH | AWS | |
| TKN-009 | Artifacts not signed (no cosign/sigstore step) | MEDIUM | Tekton | |
| TKN-011 | No SLSA provenance attestation produced | MEDIUM | Tekton | |
Build.L3.Isolated: Build L3: Build runs in an isolated environment not influenced by other builds
Each build runs in a fresh environment without influence from concurrent or previous builds. No shared mutable state.
Evidenced by 220 checks across 22 providers (AWS, Argo Workflows, Azure Cloud, Azure DevOps, Bitbucket, Buildkite, CircleCI, Cloud Build, CloudFormation, Dockerfile, Drone CI, GCP, GitHub Actions, GitLab CI, Harness CI/CD, Helm, Jenkins, OCI manifest, SCM, Tekton, Terraform, npm).
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ADO-002 | Script injection via attacker-controllable context | HIGH | Azure DevOps | |
| ADO-010 | Cross-pipeline download: ingestion unverified | CRITICAL | Azure DevOps | |
| ADO-011 | template: <local-path> on PR-validated pipeline | HIGH | Azure DevOps | |
| ADO-012 | Cache@2 key derives from $(System.PullRequest.*) | MEDIUM | Azure DevOps | |
| ADO-016 | Remote script piped to shell interpreter | HIGH | Azure DevOps | 🔧 fix |
| ADO-017 | Docker run with insecure flags (privileged/host mount) | CRITICAL | Azure DevOps | 🔧 fix |
| ADO-019 | extends: template on PR-validated pipeline points to local path | CRITICAL | Azure DevOps | |
| ADO-021 | Package install without lockfile enforcement | MEDIUM | Azure DevOps | 🔧 fix |
| ADO-023 | TLS / certificate verification bypass | HIGH | Azure DevOps | 🔧 fix |
| ADO-027 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Azure DevOps | |
| ADO-028 | Package install bypasses registry integrity (git / path / tarball source) | MEDIUM | Azure DevOps | |
| ADO-030 | pool interpolates attacker-controllable value | HIGH | Azure DevOps | 🔧 fix |
| ADO-034 | ML model loaded with trust_remote_code (code execution) | HIGH | Azure DevOps | |
| ADO-035 | Untrusted PR/commit context reaches an agentic AI CLI (prompt injection) | HIGH | Azure DevOps | |
| ADO-036 | Unsafe deserialization of a fetched artifact (pickle RCE) | HIGH | Azure DevOps | |
| ARGO-002 | Argo template container runs privileged or as root | HIGH | Argo Workflows | |
| ARGO-004 | Argo workflow mounts hostPath or shares host namespaces | CRITICAL | Argo Workflows | |
| ARGO-005 | Argo input parameter interpolated unsafely in script / args | CRITICAL | Argo Workflows | |
| ARGO-008 | Argo script source pipes remote install or disables TLS | HIGH | Argo Workflows | 🔧 fix |
| ARGO-015 | Input artifact pulls from an insecure (non-HTTPS) URL | HIGH | Argo Workflows | |
| ARGO-017 | Argo resource template applies a manifest built from an untrusted parameter | CRITICAL | Argo Workflows | |
| ARGO-019 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Argo Workflows | |
| ATTEST-001 | SLSA provenance attests an untrusted builder identity | HIGH | OCI manifest | |
| AZAPP-001 | App Service does not enforce HTTPS | HIGH | Azure Cloud | |
| AZAPP-002 | App Service minimum TLS version below 1.2 | HIGH | Azure Cloud | |
| AZAPP-004 | App Service has remote debugging enabled | HIGH | Azure Cloud | |
| AZAPP-005 | App Service FTP access not disabled | MEDIUM | Azure Cloud | |
| AZNW-001 | NSG allows inbound SSH or RDP from the internet | CRITICAL | Azure Cloud | |
| AZNW-003 | Application Gateway does not have WAF enabled | HIGH | Azure Cloud | |
| AZNW-004 | NSG has no explicit deny-all inbound rule | MEDIUM | Azure Cloud | |
| AZNW-005 | Public IP address associated with a VM NIC | HIGH | Azure Cloud | |
| AZSQL-003 | SQL Server allows public network access | HIGH | Azure Cloud | |
| AZST-002 | Storage account allows non-HTTPS traffic | HIGH | Azure Cloud | |
| AZST-004 | Storage account minimum TLS version below 1.2 | HIGH | Azure Cloud | |
| AZVM-002 | Virtual machine has a public IP address | HIGH | Azure Cloud | |
| AZVM-003 | Virtual machine does not have JIT network access | MEDIUM | Azure Cloud | |
| BB-002 | Script injection via attacker-controllable context | HIGH | Bitbucket | |
| BB-010 | Deploy step ingests pull-request artifact unverified | CRITICAL | Bitbucket | |
| BB-012 | Remote script piped to shell interpreter | HIGH | Bitbucket | 🔧 fix |
| BB-013 | Docker run with insecure flags (privileged/host mount) | CRITICAL | Bitbucket | 🔧 fix |
| BB-018 | Cache key derives from attacker-controllable input | MEDIUM | Bitbucket | |
| BB-021 | Package install without lockfile enforcement | MEDIUM | Bitbucket | 🔧 fix |
| BB-023 | TLS / certificate verification bypass | HIGH | Bitbucket | 🔧 fix |
| BB-026 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Bitbucket | |
| BB-027 | Package install bypasses registry integrity (git / path / tarball source) | MEDIUM | Bitbucket | |
| BB-035 | ML model loaded with trust_remote_code (code execution) | HIGH | Bitbucket | |
| BB-036 | Untrusted PR/branch context reaches an agentic AI CLI (prompt injection) | HIGH | Bitbucket | |
| BB-037 | Unsafe deserialization of a fetched artifact (pickle RCE) | HIGH | Bitbucket | |
| BK-003 | Untrusted Buildkite variable interpolated in command | HIGH | Buildkite | |
| BK-004 | Remote script piped into shell interpreter | HIGH | Buildkite | 🔧 fix |
| BK-005 | Container started with --privileged or host-bind escalation | HIGH | Buildkite | 🔧 fix |
| BK-008 | TLS verification disabled in step command | MEDIUM | Buildkite | 🔧 fix |
| BK-015 | agents map interpolates attacker-controllable Buildkite variable | HIGH | Buildkite | |
| BK-016 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Buildkite | |
| CB-002 | Privileged mode enabled | HIGH | AWS | |
| CB-007 | CodeBuild webhook has no filter group | MEDIUM | AWS | |
| CB-010 | CodeBuild webhook allows fork-PR builds without actor filtering | HIGH | AWS | |
| CC-002 | Script injection via untrusted environment variable | HIGH | CircleCI | |
| CC-012 | Dynamic config via setup: true enables code injection | MEDIUM | CircleCI | |
| CC-013 | Deploy job in workflow has no branch filter | MEDIUM | CircleCI | |
| CC-014 | Job missing resource_class declaration | MEDIUM | CircleCI | |
| CC-016 | Remote script piped to shell interpreter | HIGH | CircleCI | 🔧 fix |
| CC-017 | Docker run with insecure flags (privileged/host mount) | CRITICAL | CircleCI | 🔧 fix |
| CC-021 | Package install without lockfile enforcement | MEDIUM | CircleCI | 🔧 fix |
| CC-023 | TLS / certificate verification bypass | HIGH | CircleCI | 🔧 fix |
| CC-025 | Cache key derives from attacker-controllable input | MEDIUM | CircleCI | |
| CC-027 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | CircleCI | |
| CC-028 | Package install bypasses registry integrity (git / path / tarball source) | MEDIUM | CircleCI | |
| CC-034 | ML model loaded with trust_remote_code (code execution) | HIGH | CircleCI | |
| CC-036 | Unsafe deserialization of a fetched artifact (pickle RCE) | HIGH | CircleCI | |
| CC-037 | Untrusted PR/build context reaches an agentic AI CLI (prompt injection) | HIGH | CircleCI | |
| CF-003 | CodeBuild project's VPC contains a public subnet | HIGH | CloudFormation | |
| CP-007 | CodePipeline v2 PR trigger accepts all branches | HIGH | AWS | |
| DF-004 | RUN executes a remote script via curl-pipe / wget-pipe | HIGH | Dockerfile | |
| DF-005 | RUN uses shell-eval (eval / sh -c on a variable / backticks) | HIGH | Dockerfile | |
| DF-008 | RUN invokes docker --privileged or escalates capabilities | HIGH | Dockerfile | |
| DF-012 | RUN invokes sudo | HIGH | Dockerfile | |
| DF-021 | RUN pip install bypasses TLS or uses an HTTP index | HIGH | Dockerfile | |
| DF-023 | ENV sets a dynamic-loader hijack variable | HIGH | Dockerfile | |
| DF-024 | RUN npm/yarn/pnpm install runs lifecycle scripts | HIGH | Dockerfile | |
| DF-026 | ENV disables Node.js TLS certificate verification | HIGH | Dockerfile | |
| DF-027 | ENV disables Python HTTPS certificate verification | HIGH | Dockerfile | |
| DF-028 | ENV disables Git TLS certificate verification | HIGH | Dockerfile | |
| DF-029 | ENV neuters Python requests CA bundle | HIGH | Dockerfile | |
| DF-030 | ENV NODE_OPTIONS preloads code or opens an inspector | MEDIUM | Dockerfile | |
| DR-002 | Step runs with privileged: true | HIGH | Drone CI | |
| DR-003 | Untrusted Drone template variable in shell command | HIGH | Drone CI | |
| DR-006 | TLS verification disabled in step commands | HIGH | Drone CI | 🔧 fix |
| DR-007 | Step mounts a sensitive host path | HIGH | Drone CI | |
| DR-009 | Cache plugin key embeds an attacker-controllable Drone variable | HIGH | Drone CI | |
| DR-011 | node map interpolates attacker-controllable Drone variable | HIGH | Drone CI | |
| DR-016 | Step image: field carries a Drone template substitution | HIGH | Drone CI | |
| DR-017 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Drone CI | |
| GCB-006 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Cloud Build | |
| GCB-010 | Remote script piped to shell interpreter | HIGH | Cloud Build | |
| GCB-011 | TLS / certificate verification bypass | HIGH | Cloud Build | 🔧 fix |
| GCB-016 | Step dir field contains parent-directory escape (..) | MEDIUM | Cloud Build | |
| GCB-019 | Shell entrypoint inlines a user substitution into args | HIGH | Cloud Build | |
| GCB-021 | No private worker pool, build runs on the shared default pool | MEDIUM | Cloud Build | 🔧 fix |
| GCB-022 | options.substitutionOption set to ALLOW_LOOSE | LOW | Cloud Build | 🔧 fix |
| GCB-023 | Step references a user substitution not declared in substitutions: | MEDIUM | Cloud Build | |
| GCCE-003 | Compute instance has serial port access enabled | MEDIUM | GCP | |
| GCCE-004 | Compute instance has an external IP address | HIGH | GCP | |
| GCCE-005 | Instance does not block project-wide SSH keys | MEDIUM | GCP | |
| GCNET-001 | Default VPC network exists in project | MEDIUM | GCP | |
| GCNET-002 | No default-deny ingress firewall rule configured | MEDIUM | GCP | |
| GCNET-003 | Firewall allows SSH or RDP from the internet | CRITICAL | GCP | |
| GCNET-004 | Subnet does not have Private Google Access enabled | MEDIUM | GCP | |
| GCNET-005 | No Cloud NAT gateway configured | LOW | GCP | |
| GCRUN-001 | Cloud Run service allows unauthenticated access | HIGH | GCP | |
| GCRUN-004 | Cloud Run service does not use a VPC connector | MEDIUM | GCP | |
| GCSQL-001 | Cloud SQL instance has a public IP address | HIGH | GCP | |
| GCSQL-003 | Cloud SQL instance does not require SSL connections | HIGH | GCP | |
| GHA-002 | pull_request_target checks out PR head | CRITICAL | GitHub Actions | 🔧 fix |
| GHA-003 | Script injection via untrusted context | HIGH | GitHub Actions | 🔧 fix |
| GHA-009 | workflow_run downloads upstream artifact unverified | CRITICAL | GitHub Actions | |
| GHA-010 | Local action (./path) on untrusted-trigger workflow | HIGH | GitHub Actions | |
| GHA-011 | Cache key derives from attacker-controllable input | MEDIUM | GitHub Actions | |
| GHA-013 | issue_comment trigger without author guard | HIGH | GitHub Actions | |
| GHA-016 | Remote script piped to shell interpreter | HIGH | GitHub Actions | 🔧 fix |
| GHA-017 | Docker run with insecure flags (privileged/host mount) | CRITICAL | GitHub Actions | 🔧 fix |
| GHA-021 | Package install without lockfile enforcement | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-022 | Dependency update command bypasses lockfile pins | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-023 | TLS / certificate verification bypass | HIGH | GitHub Actions | 🔧 fix |
| GHA-026 | Container job disables isolation via options: | HIGH | GitHub Actions | |
| GHA-027 | Workflow contains indicators of malicious activity | CRITICAL | GitHub Actions | |
| GHA-028 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | GitHub Actions | |
| GHA-029 | Package install bypasses registry integrity (git / path / tarball source) | MEDIUM | GitHub Actions | |
| GHA-031 | Workflow uses retired set-output / save-state command | HIGH | GitHub Actions | 🔧 fix |
| GHA-032 | run: invokes local script on untrusted-trigger workflow | CRITICAL | GitHub Actions | |
| GHA-035 | github-script step interpolates untrusted context | HIGH | GitHub Actions | |
| GHA-036 | runs-on interpolates untrusted context | HIGH | GitHub Actions | 🔧 fix |
| GHA-038 | Workflow re-enables retired ::set-env / ::add-path commands | CRITICAL | GitHub Actions | |
| GHA-044 | Build tool runs lifecycle scripts on untrusted-trigger workflow | HIGH | GitHub Actions | |
| GHA-045 | Caller-controlled ref input feeds actions/checkout | HIGH | GitHub Actions | |
| GHA-046 | Manual PR-head fetch on untrusted-trigger workflow | CRITICAL | GitHub Actions | |
| GHA-048 | Workflow step writes a file under .github/workflows/ | CRITICAL | GitHub Actions | |
| GHA-052 | actions/cache key includes untrusted PR-controllable input | HIGH | GitHub Actions | |
| GHA-053 | if: predicate evaluates attacker-controllable context as expression | HIGH | GitHub Actions | |
| GHA-057 | Secret-scanner output sent to network egress | CRITICAL | GitHub Actions | |
| GHA-058 | Agentic CLI invoked with permission-bypass flags | HIGH | GitHub Actions | |
| GHA-092 | PR head SHA captured then re-fetched (force-push race) | HIGH | GitHub Actions | |
| GHA-093 | Living-off-the-Pipeline indicators (workflow-command abuse) | HIGH | GitHub Actions | |
| GHA-097 | Recursive PR auto-merge loop | HIGH | GitHub Actions | |
| GHA-102 | actions/checkout with submodule fetch on a PR trigger | HIGH | GitHub Actions | |
| GHA-103 | AI code-review bot on untrusted trigger without environment gate | CRITICAL | GitHub Actions | |
| GHA-104 | AI agent generates and pushes commits without PR review | HIGH | GitHub Actions | |
| GHA-107 | harden-runner runs in audit mode (egress not blocked) | MEDIUM | GitHub Actions | |
| GHA-108 | Sensitive workflow has no runtime egress control | LOW | GitHub Actions | |
| GHA-109 | harden-runner is not the first step in the job | LOW | GitHub Actions | |
| GHA-117 | IaC apply on an untrusted pull_request trigger | CRITICAL | GitHub Actions | |
| GHA-118 | Untrusted content written to $GITHUB_ENV / $GITHUB_PATH | HIGH | GitHub Actions | |
| GHA-119 | Untrusted context reaches an agentic AI CLI (prompt injection) | HIGH | GitHub Actions | |
| GHA-120 | ML model loaded with trust_remote_code (code execution) | HIGH | GitHub Actions | |
| GHA-122 | Unsafe deserialization of a fetched artifact (pickle RCE) | HIGH | GitHub Actions | |
| GL-002 | Script injection via untrusted commit/MR context | HIGH | GitLab CI | |
| GL-010 | Multi-project pipeline ingests upstream artifact unverified | CRITICAL | GitLab CI | |
| GL-011 | include: local file pulled in MR-triggered pipeline | HIGH | GitLab CI | |
| GL-012 | Cache key derives from MR-controlled CI variable | MEDIUM | GitLab CI | |
| GL-016 | Remote script piped to shell interpreter | HIGH | GitLab CI | 🔧 fix |
| GL-017 | Docker run with insecure flags (privileged/host mount) | CRITICAL | GitLab CI | 🔧 fix |
| GL-021 | Package install without lockfile enforcement | MEDIUM | GitLab CI | 🔧 fix |
| GL-023 | TLS / certificate verification bypass | HIGH | GitLab CI | 🔧 fix |
| GL-026 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | GitLab CI | |
| GL-027 | Package install bypasses registry integrity (git / path / tarball source) | MEDIUM | GitLab CI | |
| GL-032 | tags: interpolates untrusted CI variable | HIGH | GitLab CI | 🔧 fix |
| GL-033 | Global before_script / after_script propagates taint to every job | HIGH | GitLab CI | |
| GL-039 | Docker-in-Docker service exposes an unauthenticated daemon | HIGH | GitLab CI | |
| GL-041 | IaC apply on an untrusted merge-request trigger | CRITICAL | GitLab CI | |
| GL-045 | ML model loaded with trust_remote_code (code execution) | HIGH | GitLab CI | |
| GL-047 | Unsafe deserialization of a fetched artifact (pickle RCE) | HIGH | GitLab CI | |
| GL-048 | Untrusted MR/commit context reaches an agentic AI CLI (prompt injection) | HIGH | GitLab CI | |
| HARNESS-002 | Untrusted Harness expression interpolated into a step command | HIGH | Harness CI/CD | |
| HARNESS-003 | Step runs with privileged: true | HIGH | Harness CI/CD | |
| HARNESS-006 | TLS verification disabled in step commands | HIGH | Harness CI/CD | 🔧 fix |
| HARNESS-007 | Stage infrastructure mounts a sensitive host path | HIGH | Harness CI/CD | |
| HARNESS-008 | Untrusted context reaches an agentic AI CLI (prompt injection) | HIGH | Harness CI/CD | |
| HARNESS-010 | ML model loaded with trust_remote_code (code execution) | HIGH | Harness CI/CD | |
| HARNESS-011 | Unsafe deserialization of a fetched artifact (pickle RCE) | HIGH | Harness CI/CD | |
| HARNESS-014 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Harness CI/CD | |
| HELM-003 | Chart dependency declared on a non-HTTPS repository | HIGH | Helm | 🔧 fix |
| HELM-009 | Chart home / sources URL uses a non-HTTPS scheme | LOW | Helm | |
| JF-002 | Script step interpolates attacker-controllable env var | HIGH | Jenkins | |
| JF-003 | Pipeline uses agent any (no executor isolation) | MEDIUM | Jenkins | |
| JF-012 | load step pulls Groovy from disk without integrity pin | MEDIUM | Jenkins | |
| JF-013 | copyArtifacts ingests another job's output unverified | CRITICAL | Jenkins | |
| JF-016 | Remote script piped to shell interpreter | HIGH | Jenkins | 🔧 fix |
| JF-017 | Docker run with insecure flags (privileged/host mount) | CRITICAL | Jenkins | 🔧 fix |
| JF-019 | Groovy sandbox escape pattern detected | CRITICAL | Jenkins | |
| JF-021 | Package install without lockfile enforcement | MEDIUM | Jenkins | 🔧 fix |
| JF-023 | TLS / certificate verification bypass | HIGH | Jenkins | 🔧 fix |
| JF-025 | Kubernetes agent pod template runs privileged or mounts hostPath | HIGH | Jenkins | |
| JF-030 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Jenkins | |
| JF-031 | Package install bypasses registry integrity (git / path / tarball source) | MEDIUM | Jenkins | |
| JF-032 | Agent label interpolates attacker-controllable value | HIGH | Jenkins | 🔧 fix |
| JF-035 | httpRequest step disables SSL verification | HIGH | Jenkins | |
| JF-037 | Untrusted PR/build context reaches an agentic AI CLI (prompt injection) | HIGH | Jenkins | |
| JF-039 | ML model loaded with trust_remote_code (code execution) | HIGH | Jenkins | |
| JF-041 | Unsafe deserialization of a fetched artifact (pickle RCE) | HIGH | Jenkins | |
| NPM-004 | package.json declares an install-time lifecycle script | HIGH | npm | |
| NPM-007 | .npmrc does not disable install-time lifecycle scripts | HIGH | npm | |
| PBAC-001 | CodeBuild project has no VPC configuration | HIGH | AWS | |
| PBAC-002 | CodeBuild service role shared across multiple projects | MEDIUM | AWS | |
| SCM-022 | Repo Actions permissions allow any source (no allow-list) | MEDIUM | SCM | |
| TAINT-001 | Untrusted input flows across step boundaries via step outputs | HIGH | GitHub Actions | |
| TAINT-002 | Untrusted input flows across jobs via jobs.<id>.outputs: | HIGH | GitHub Actions | |
| TAINT-003 | Untrusted input forwarded into reusable workflow with: | HIGH | GitHub Actions | |
| TAINT-004 | Untrusted input flows across jobs via dotenv artifact | HIGH | GitLab CI | |
| TAINT-005 | Untrusted input flows across steps via buildkite-agent meta-data | HIGH | Buildkite | |
| TAINT-006 | Untrusted input flows across tasks via Tekton results | HIGH | Tekton | |
| TAINT-007 | Untrusted input flows across templates via Argo outputs.parameters | HIGH | Argo Workflows | |
| TAINT-008 | Untrusted input flows via GitLab extends: template inheritance | HIGH | GitLab CI | |
| TF-003 | CodeBuild VPC config references a public subnet | HIGH | Terraform | |
| TKN-002 | Tekton step runs privileged or as root | HIGH | Tekton | |
| TKN-003 | Tekton param interpolated unsafely in step script | CRITICAL | Tekton | |
| TKN-004 | Tekton Task mounts hostPath or shares host namespaces | CRITICAL | Tekton | |
| TKN-008 | Tekton step script pipes remote install or disables TLS | HIGH | Tekton | 🔧 fix |
| TKN-013 | Tekton sidecar runs privileged or as root | HIGH | Tekton | |
| TKN-015 | Workspace subPath interpolates a Task parameter (path traversal) | HIGH | Tekton | |
| TKN-018 | Dangerous shell idiom (eval, sh -c variable, backtick exec) | HIGH | Tekton | |
Build.L3.Ephemeral: Build L3: Build environment is ephemeral and provisioned fresh for each run
Build environments are provisioned per run and torn down after, so a compromised build cannot persist into the next.
Evidenced by 23 checks across 13 providers (AWS, Argo Workflows, Azure DevOps, Bitbucket, Buildkite, CircleCI, Cloud Build, GitHub Actions, GitLab CI, Harness CI/CD, Jenkins, SCM org governance, Tekton).
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ADO-013 | Self-hosted pool without explicit ephemeral marker | MEDIUM | Azure DevOps | |
| ADO-015 | Job has no timeoutInMinutes, unbounded build | MEDIUM | Azure DevOps | 🔧 fix |
| ARGO-007 | Argo workflow has no activeDeadlineSeconds | LOW | Argo Workflows | |
| BB-005 | Step has no max-time, unbounded build | MEDIUM | Bitbucket | 🔧 fix |
| BB-016 | Self-hosted runner without ephemeral marker | MEDIUM | Bitbucket | |
| BK-006 | Step has no timeout_in_minutes | LOW | Buildkite | |
| CB-004 | Build timeout missing or at the AWS maximum (480 min) | LOW | AWS | |
| CB-007 | CodeBuild webhook has no filter group | MEDIUM | AWS | |
| CC-010 | Self-hosted runner without ephemeral marker | MEDIUM | CircleCI | |
| CC-015 | No no_output_timeout configured | MEDIUM | CircleCI | 🔧 fix |
| GCB-005 | Build timeout unset or excessive | LOW | Cloud Build | 🔧 fix |
| GCB-021 | No private worker pool, build runs on the shared default pool | MEDIUM | Cloud Build | 🔧 fix |
| GHA-012 | Self-hosted runner without ephemeral marker | MEDIUM | GitHub Actions | |
| GHA-015 | Job has no timeout-minutes, unbounded build | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-105 | Self-hosted runner reachable from an untrusted PR trigger | HIGH | GitHub Actions | |
| GHA-112 | Self-hosted deploy job not gated by a protected environment | HIGH | GitHub Actions | |
| GL-014 | Self-managed runner without ephemeral tag | MEDIUM | GitLab CI | |
| GL-015 | Job has no timeout, unbounded build | MEDIUM | GitLab CI | 🔧 fix |
| HARNESS-019 | Pipeline step lacks an explicit timeout | LOW | Harness CI/CD | |
| JF-014 | Agent label missing ephemeral marker | MEDIUM | Jenkins | |
| JF-015 | Pipeline has no timeout wrapper, unbounded build | MEDIUM | Jenkins | 🔧 fix |
| ORG-009 | Organization self-hosted runner group is available to public repositories | HIGH | SCM org governance | |
| TKN-006 | Tekton run lacks an explicit timeout | LOW | Tekton | |

Build.L3.NonFalsifiable: Build L3: Provenance cannot be falsified by the build's own tenant
The build platform's provenance signature is bound to inputs the tenant cannot influence (e.g. a backend-controlled identity), so a tenant-controlled compromise cannot mint forged provenance.
Evidenced by 425 checks across 30 providers (AWS, Argo Workflows, Azure Cloud, Azure DevOps, Bitbucket, Buildkite, CircleCI, Cloud Build, CloudFormation, Composer, Developer environment, Dockerfile, Drone CI, GCP, GitHub Actions, GitLab CI, Harness CI/CD, Helm, Jenkins, Modelfile, NuGet, OCI manifest, PyPI, RubyGems, SCM, SCM org governance, Tekton, Terraform, maven, npm).
| Check | Title | Severity | Provider | Fix |
|---|---|---|---|---|
| ACR-001 | Container registry admin user enabled | HIGH | Azure Cloud | |
| ACR-002 | Container registry allows public network access | HIGH | Azure Cloud | |
| ACR-004 | Container registry Defender scanning not enabled | HIGH | Azure Cloud | |
| ACR-005 | Container registry tag immutability (verify per-repository locking) | INFO | Azure Cloud | |
| ADO-001 | Task reference not pinned to specific version | HIGH | Azure DevOps | 🔧 fix |
| ADO-003 | Variables contain literal secret values | CRITICAL | Azure DevOps | |
| ADO-004 | Deployment job missing environment binding | MEDIUM | Azure DevOps | |
| ADO-005 | Container image not pinned to specific version | HIGH | Azure DevOps | |
| ADO-008 | Credential-shaped literal in pipeline body | CRITICAL | Azure DevOps | 🔧 fix |
| ADO-009 | Container image pinned by tag rather than sha256 digest | LOW | Azure DevOps | |
| ADO-014 | AWS auth uses long-lived access keys | MEDIUM | Azure DevOps | 🔧 fix |
| ADO-018 | Package install from insecure source | HIGH | Azure DevOps | 🔧 fix |
| ADO-022 | Dependency update command bypasses lockfile pins | MEDIUM | Azure DevOps | 🔧 fix |
| ADO-024 | No SLSA provenance attestation produced | MEDIUM | Azure DevOps | |
| ADO-025 | Cross-repo template not pinned to commit SHA | HIGH | Azure DevOps | |
| ADO-026 | Pipeline contains indicators of malicious activity | CRITICAL | Azure DevOps | |
| ADO-029 | Service-connection-using job without environment or branch gate | HIGH | Azure DevOps | |
| ADO-031 | Secret variable echoed / printed in a script step | HIGH | Azure DevOps | |
| ADO-032 | checkout persistCredentials leaves the pipeline token in .git/config | HIGH | Azure DevOps | |
| ADO-038 | Agentic CLI output lands without human review | HIGH | Azure DevOps | |
| AKV-001 | Key Vault soft delete not enabled | HIGH | Azure Cloud | |
| AKV-002 | Key Vault purge protection not enabled | HIGH | Azure Cloud | |
| AKV-003 | Key Vault allows access from all networks | MEDIUM | Azure Cloud | |
| AKV-004 | Key Vault key has no expiration date | MEDIUM | Azure Cloud | |
| AKV-005 | Key Vault secret has no expiration date | MEDIUM | Azure Cloud | |
| AKV-006 | Key Vault uses vault access policies instead of RBAC | MEDIUM | Azure Cloud | |
| ARGO-001 | Argo template container image not pinned to a digest | HIGH | Argo Workflows | |
| ARGO-003 | Argo workflow uses the default ServiceAccount | MEDIUM | Argo Workflows | |
| ARGO-006 | Literal secret value in Argo template env or parameter default | CRITICAL | Argo Workflows | 🔧 fix |
| ARGO-011 | No SLSA provenance attestation produced | MEDIUM | Argo Workflows | |
| ARGO-013 | Argo workflow does not opt out of SA token automount | MEDIUM | Argo Workflows | |
| ARGO-014 | Argo template script runs unpinned package install | MEDIUM | Argo Workflows | |
| ARGO-015 | Input artifact pulls from an insecure (non-HTTPS) URL | HIGH | Argo Workflows | |
| ARGO-016 | Workflow bound to a cluster-admin / over-privileged ServiceAccount | CRITICAL | Argo Workflows | |
| ARGO-018 | Secret-named variable echoed / printed in a template script | HIGH | Argo Workflows | |
| ATTEST-001 | SLSA provenance attests an untrusted builder identity | HIGH | OCI manifest | |
| ATTEST-002 | SLSA provenance source-repo claim is missing or unverifiable | HIGH | OCI manifest | |
| ATTEST-004 | SLSA provenance ships without a resolved-dependencies set | MEDIUM | OCI manifest | |
| ATTEST-005 | In-toto Statement subject is missing or unpinned | HIGH | OCI manifest | |
| AZAPP-001 | App Service does not enforce HTTPS | HIGH | Azure Cloud | |
| AZAPP-002 | App Service minimum TLS version below 1.2 | HIGH | Azure Cloud | |
| AZAPP-003 | App Service does not use a managed identity | MEDIUM | Azure Cloud | |
| AZMON-001 | No diagnostic setting for subscription Activity Log | HIGH | Azure Cloud | |
| AZMON-002 | Activity Log retention less than 365 days | MEDIUM | Azure Cloud | |
| AZMON-003 | No alert rule for critical administrative operations | MEDIUM | Azure Cloud | |
| AZMON-004 | Key Vault has no diagnostic settings configured | MEDIUM | Azure Cloud | |
| AZMON-005 | NSG flow log retention less than 90 days | MEDIUM | Azure Cloud | |
| AZMON-006 | Log Analytics workspace retention less than 365 days | MEDIUM | Azure Cloud | |
| AZMON-007 | No service health alert rule configured | LOW | Azure Cloud | |
| AZNW-002 | NSG does not have flow logging enabled | MEDIUM | Azure Cloud | |
| AZSQL-002 | SQL Server auditing not enabled | HIGH | Azure Cloud | |
| AZSQL-004 | SQL Server has no Azure AD administrator configured | MEDIUM | Azure Cloud | |
| AZSQL-005 | SQL Server advanced threat protection not enabled | MEDIUM | Azure Cloud | |
| AZST-001 | Storage account allows public blob access | HIGH | Azure Cloud | |
| AZST-002 | Storage account allows non-HTTPS traffic | HIGH | Azure Cloud | |
| AZST-004 | Storage account minimum TLS version below 1.2 | HIGH | Azure Cloud | |
| AZST-005 | Storage account blob lifecycle policy should be reviewed | LOW | Azure Cloud | |
| AZST-006 | Storage account access keys not rotated within 90 days | HIGH | Azure Cloud | |
| AZVM-004 | Virtual machine automatic OS patching not enabled | MEDIUM | Azure Cloud | |
| AZVM-005 | Virtual machine does not use a managed identity | MEDIUM | Azure Cloud | |
| BB-001 | pipe: action not pinned to exact version | HIGH | Bitbucket | 🔧 fix |
| BB-003 | Variables contain literal secret values | CRITICAL | Bitbucket | |
| BB-004 | Deploy step missing deployment: environment gate | MEDIUM | Bitbucket | |
| BB-008 | Credential-shaped literal in pipeline body | CRITICAL | Bitbucket | 🔧 fix |
| BB-009 | pipe: pinned by version rather than sha256 digest | LOW | Bitbucket | |
| BB-011 | AWS auth uses long-lived access keys | MEDIUM | Bitbucket | 🔧 fix |
| BB-014 | Package install from insecure source | HIGH | Bitbucket | 🔧 fix |
| BB-017 | Repository token written to persistent storage | CRITICAL | Bitbucket | 🔧 fix |
| BB-019 | after-script references secrets | HIGH | Bitbucket | |
| BB-022 | Dependency update command bypasses lockfile pins | MEDIUM | Bitbucket | 🔧 fix |
| BB-024 | No SLSA provenance attestation produced | MEDIUM | Bitbucket | |
| BB-025 | Pipeline contains indicators of malicious activity | CRITICAL | Bitbucket | |
| BB-028 | OIDC step without deployment-gated environment | HIGH | Bitbucket | |
| BB-029 | image: (step or service) not pinned by sha256 digest | HIGH | Bitbucket | |
| BB-030 | npm install without registry-signature verification step | MEDIUM | Bitbucket | |
| BB-031 | pip install without --require-hashes verification | MEDIUM | Bitbucket | |
| BB-032 | Secret-named variable echoed / printed in a script block | HIGH | Bitbucket | |
| BB-039 | Agentic CLI output lands without human review | HIGH | Bitbucket | |
| BK-001 | Buildkite plugin not pinned to an exact version | HIGH | Buildkite | |
| BK-002 | Literal secret value in pipeline env block | CRITICAL | Buildkite | 🔧 fix |
| BK-007 | Deploy step not gated by a manual block / input | MEDIUM | Buildkite | |
| BK-011 | No SLSA provenance attestation produced | MEDIUM | Buildkite | |
| BK-013 | Deploy step has no branches: filter | MEDIUM | Buildkite | |
| BK-014 | Step commands run unpinned package installs | MEDIUM | Buildkite | |
| BK-017 | Secret-named variable echoed / printed in a step command | HIGH | Buildkite | |
| CB-001 | Secrets in plaintext environment variables | CRITICAL | AWS | |
| CB-005 | Outdated managed build image | MEDIUM | AWS | |
| CB-006 | CodeBuild source auth uses long-lived token | HIGH | AWS | |
| CB-008 | CodeBuild buildspec is inline (not sourced from a protected repo) | HIGH | AWS | |
| CB-009 | CodeBuild image not pinned by digest | MEDIUM | AWS | |
| CB-010 | CodeBuild webhook allows fork-PR builds without actor filtering | HIGH | AWS | |
| CB-011 | CodeBuild buildspec contains indicators of malicious activity | CRITICAL | AWS | |
| CC-001 | Orb not pinned to exact semver | HIGH | CircleCI | 🔧 fix |
| CC-003 | Docker image not pinned by digest | HIGH | CircleCI | |
| CC-004 | Secret-like environment variable not managed via context | MEDIUM | CircleCI | |
| CC-005 | AWS auth uses long-lived access keys in environment block | MEDIUM | CircleCI | 🔧 fix |
| CC-008 | Credential-shaped literal in config body | CRITICAL | CircleCI | 🔧 fix |
| CC-009 | Deploy job missing manual approval gate | MEDIUM | CircleCI | |
| CC-018 | Package install from insecure source | HIGH | CircleCI | 🔧 fix |
| CC-019 | add_ssh_keys without fingerprint restriction | HIGH | CircleCI | |
| CC-022 | Dependency update command bypasses lockfile pins | MEDIUM | CircleCI | 🔧 fix |
| CC-024 | No SLSA provenance attestation produced | MEDIUM | CircleCI | |
| CC-026 | Config contains indicators of malicious activity | CRITICAL | CircleCI | |
| CC-029 | Machine executor image not pinned | HIGH | CircleCI | |
| CC-030 | Workflow job uses context without branch filter or approval gate | MEDIUM | CircleCI | |
| CC-031 | OIDC role assumption without branch filter or approval gate | HIGH | CircleCI | |
| CC-032 | Secret-named variable echoed / printed in a run step | HIGH | CircleCI | |
| CC-033 | Job disables Go module checksum / sum-db verification | HIGH | CircleCI | |
| CC-038 | Agentic CLI output lands without human review | HIGH | CircleCI | |
| CF-001 | Template declares AWS::IAM::AccessKey (long-lived credential) | CRITICAL | CloudFormation | |
| CF-002 | Stateful data-store resource carries a plaintext secret | CRITICAL | CloudFormation | |
| COMPOSER-001 | composer.json present without a sibling composer.lock | HIGH | Composer | |
| COMPOSER-002 | composer.json require uses a floating version constraint | MEDIUM | Composer | |
| COMPOSER-007 | composer.json requires a known-compromised package version | HIGH | Composer | |
| COMPOSER-008 | composer.json allow-plugins permits any plugin to execute | HIGH | Composer | |
| CP-001 | No approval action before deploy stages | HIGH | AWS | |
| CP-004 | Legacy ThirdParty/GitHub source action (OAuth token) | HIGH | AWS | |
| CP-005 | Production Deploy stage has no preceding ManualApproval | MEDIUM | AWS | |
| CP-007 | CodePipeline v2 PR trigger accepts all branches | HIGH | AWS | |
| DEV-008 | Credential-shaped literal in a developer-environment config | CRITICAL | Developer environment | |
| DF-001 | FROM image not pinned to sha256 digest | HIGH | Dockerfile | 🔧 fix |
| DF-003 | ADD pulls remote URL without integrity verification | HIGH | Dockerfile | |
| DF-004 | RUN executes a remote script via curl-pipe / wget-pipe | HIGH | Dockerfile | |
| DF-006 | ENV or ARG carries a credential-shaped literal value | CRITICAL | Dockerfile | |
| DF-009 | ADD used where COPY would suffice | LOW | Dockerfile | |
| DF-010 | apt-get dist-upgrade / upgrade pulls unknown package versions | LOW | Dockerfile | |
| DF-019 | COPY/ADD source path looks like a credential file | HIGH | Dockerfile | 🔧 fix |
| DF-020 | ARG declares a credential-named build argument | HIGH | Dockerfile | 🔧 fix |
| DF-021 | RUN pip install bypasses TLS or uses an HTTP index | HIGH | Dockerfile | |
| DF-022 | RUN uses npm install instead of npm ci | MEDIUM | Dockerfile | |
| DF-025 | RUN writes a registry auth token into a Docker layer | CRITICAL | Dockerfile | |
| DF-026 | ENV disables Node.js TLS certificate verification | HIGH | Dockerfile | |
| DF-027 | ENV disables Python HTTPS certificate verification | HIGH | Dockerfile | |
| DF-028 | ENV disables Git TLS certificate verification | HIGH | Dockerfile | |
| DF-029 | ENV neuters Python requests CA bundle | HIGH | Dockerfile | |
| DF-031 | COPY --from external image not pinned to sha256 digest | HIGH | Dockerfile | |
| DR-001 | Step image not pinned to a digest | HIGH | Drone CI | |
| DR-004 | Literal credential in step environment / settings | CRITICAL | Drone CI | |
| DR-005 | Plugin step uses a floating image tag | HIGH | Drone CI | |
| DR-006 | TLS verification disabled in step commands | HIGH | Drone CI | 🔧 fix |
| DR-008 | Step uses pull: never (skips registry verification) | MEDIUM | Drone CI | |
| DR-010 | Step commands run unpinned package installs | MEDIUM | Drone CI | |
| DR-012 | Service container image not pinned to digest | HIGH | Drone CI | |
| DR-014 | Step pipes a remote download into a shell interpreter | HIGH | Drone CI | 🔧 fix |
| DR-015 | Pipeline clone enables recursive submodule cloning | MEDIUM | Drone CI | |
| DR-018 | Secret-named variable echoed / printed in a step command | HIGH | Drone CI | |
| ECR-002 | Image tags are mutable | HIGH | AWS | |
| ECR-006 | ECR pull-through cache rule uses an untrusted upstream | HIGH | AWS | |
| ENTRA-001 | Service principal assigned Global Administrator | CRITICAL | Azure Cloud | |
| ENTRA-002 | App registration credential valid beyond 180 days | HIGH | Azure Cloud | |
| ENTRA-003 | Service principal uses password credential | HIGH | Azure Cloud | |
| ENTRA-004 | No Conditional Access policy requiring MFA for admins | HIGH | Azure Cloud | |
| ENTRA-005 | No Conditional Access policy restricting external users | MEDIUM | Azure Cloud | |
| ENTRA-006 | No Conditional Access sign-in risk policy | HIGH | Azure Cloud | |
| GAR-001 | Artifact Registry repository has no vulnerability scanning | HIGH | GCP | |
| GAR-002 | Artifact Registry repository is publicly readable | HIGH | GCP | |
| GAR-003 | Artifact Registry has no cleanup policy | MEDIUM | GCP | |
| GCB-001 | Cloud Build step image not pinned by digest | HIGH | Cloud Build | 🔧 fix |
| GCB-002 | Cloud Build uses the default service account | HIGH | Cloud Build | |
| GCB-003 | Secret Manager value referenced in step args | HIGH | Cloud Build | |
| GCB-004 | dynamicSubstitutions on with user substitutions in step args | HIGH | Cloud Build | |
| GCB-007 | availableSecrets references versions/latest | MEDIUM | Cloud Build | 🔧 fix |
| GCB-010 | Remote script piped to shell interpreter | HIGH | Cloud Build | |
| GCB-011 | TLS / certificate verification bypass | HIGH | Cloud Build | 🔧 fix |
| GCB-012 | Credential-shaped literal in pipeline body | CRITICAL | Cloud Build | 🔧 fix |
| GCB-013 | Package install bypasses registry integrity (git / path / tarball) | MEDIUM | Cloud Build | |
| GCB-017 | Image-producing build does not request SLSA provenance | MEDIUM | Cloud Build | |
| GCB-018 | Legacy KMS secrets block in use (prefer availableSecrets / Secret Manager) | MEDIUM | Cloud Build | |
| GCB-020 | serviceAccount points at the default Cloud Build service account | HIGH | Cloud Build | |
| GCB-025 | Build has no tags for audit / discoverability | LOW | Cloud Build | |
| GCB-028 | Secret-named variable echoed / printed in a build step | HIGH | Cloud Build | |
| GCCE-001 | Compute instance does not have Shielded VM enabled | MEDIUM | GCP | |
| GCCE-002 | Compute instance does not have OS Login enabled | MEDIUM | GCP | |
| GCIAM-001 | Service account has Owner or Editor role on project | CRITICAL | GCP | |
| GCIAM-002 | Service account has user-managed key | HIGH | GCP | |
| GCIAM-003 | Service account token creator granted without constraint | HIGH | GCP | |
| GCIAM-004 | Compute instance uses default service account | HIGH | GCP | |
| GCIAM-005 | Domain-restricted sharing constraint not enforced | MEDIUM | GCP | |
| GCIAM-006 | Service account key older than 90 days | HIGH | GCP | |
| GCKMS-001 | KMS key rotation period exceeds 365 days | MEDIUM | GCP | |
| GCKMS-002 | KMS key IAM policy grants public access | HIGH | GCP | |
| GCKMS-004 | KMS key ring IAM has overly broad bindings | HIGH | GCP | |
| GCKMS-005 | KMS key has primary version scheduled for destruction | MEDIUM | GCP | |
| GCLOG-001 | Cloud Audit Logs not enabled for all services | HIGH | GCP | |
| GCLOG-002 | No log sink configured for audit logs | MEDIUM | GCP | |
| GCLOG-003 | Log bucket retention less than 365 days | MEDIUM | GCP | |
| GCLOG-004 | VPC Flow Logs not enabled on subnet | MEDIUM | GCP | |
| GCLOG-005 | Firewall rule logging not enabled | MEDIUM | GCP | |
| GCLOG-006 | Critical service missing Data Access audit log types | MEDIUM | GCP | |
| GCLOG-007 | No log metric filter for IAM policy changes | MEDIUM | GCP | |
| GCLOG-008 | No log metric filter for firewall rule changes | MEDIUM | GCP | |
| GCLOG-009 | No log metric filter for route changes | MEDIUM | GCP | |
| GCLOG-010 | No log metric filter for Cloud SQL config changes | MEDIUM | GCP | |
| GCLOG-011 | No log metric filter for custom role changes | MEDIUM | GCP | |
| GCRUN-002 | Cloud Run service or function uses default compute SA | HIGH | GCP | |
| GCRUN-003 | Cloud Run service has zero minimum instances | LOW | GCP | |
| GCS-001 | Cloud Storage bucket is publicly accessible | HIGH | GCP | |
| GCS-002 | Bucket does not enforce uniform bucket-level access | MEDIUM | GCP | |
| GCS-003 | Bucket versioning not enabled | MEDIUM | GCP | |
| GCS-005 | Cloud Storage bucket access logging not enabled | MEDIUM | GCP | |
| GCSQL-002 | Cloud SQL instance does not have automated backups enabled | MEDIUM | GCP | |
| GCSQL-003 | Cloud SQL instance does not require SSL connections | HIGH | GCP | |
| GCSQL-004 | Cloud SQL instance does not have IAM authentication enabled | MEDIUM | GCP | |
| GCSQL-005 | Cloud SQL instance does not have point-in-time recovery enabled | MEDIUM | GCP | |
| GEM-001 | Gemfile present without a sibling Gemfile.lock | HIGH | RubyGems | |
| GEM-002 | Gemfile gem entry uses a floating version constraint | MEDIUM | RubyGems | |
| GEM-005 | Gemfile gem with git: / github: source missing a ref SHA pin | HIGH | RubyGems | |
| GEM-006 | Gemfile requires a known-compromised gem version | HIGH | RubyGems | |
| GEM-011 | Gemfile registers a Bundler plugin that runs at install time | HIGH | RubyGems | |
| GEM-012 | Gemfile gem pinned to a per-gem :source | MEDIUM | RubyGems | |
| GEM-013 | Gemfile git gem fetched over an insecure transport | HIGH | RubyGems | |
| GHA-001 | Action not pinned to commit SHA | HIGH | GitHub Actions | 🔧 fix |
| GHA-002 | pull_request_target checks out PR head | CRITICAL | GitHub Actions | 🔧 fix |
| GHA-004 | Workflow permissions block missing or overprovisioned | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-005 | AWS auth uses long-lived access keys | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-008 | Credential-shaped literal in workflow body | CRITICAL | GitHub Actions | 🔧 fix |
| GHA-014 | Deploy job missing environment binding | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-018 | Package install from insecure source | HIGH | GitHub Actions | 🔧 fix |
| GHA-019 | GITHUB_TOKEN written to persistent storage | CRITICAL | GitHub Actions | 🔧 fix |
| GHA-022 | Dependency update command bypasses lockfile pins | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-024 | No SLSA provenance attestation produced | MEDIUM | GitHub Actions | |
| GHA-025 | Reusable workflow not pinned to commit SHA | HIGH | GitHub Actions | |
| GHA-030 | OIDC token requested without environment-protected job | HIGH | GitHub Actions | |
| GHA-033 | Secret value echoed / printed in a run: block | CRITICAL | GitHub Actions | |
| GHA-034 | Reusable workflow called with secrets: inherit | MEDIUM | GitHub Actions | 🔧 fix |
| GHA-037 | actions/checkout persists GITHUB_TOKEN into .git/config | HIGH | GitHub Actions | 🔧 fix |
| GHA-039 | services / container credentials embedded as literal in workflow | CRITICAL | GitHub Actions | |
| GHA-040 | Action reference matches a known-compromised SHA or tag | CRITICAL | GitHub Actions | |
| GHA-041 | Action upstream repo has a single contributor | MEDIUM | GitHub Actions | |
| GHA-042 | Action upstream repo is newly created | MEDIUM | GitHub Actions | |
| GHA-043 | Low-star action runs with sensitive permissions | HIGH | GitHub Actions | |
| GHA-047 | Action ref resolves to a recently committed tag or SHA | MEDIUM | GitHub Actions | |
| GHA-048 | Workflow step writes a file under .github/workflows/ | CRITICAL | GitHub Actions | |
| GHA-049 | Workflow step makes a privileged git write (cross-repo or actions[bot] bypass) | HIGH | GitHub Actions | |
| GHA-051 | services / container image is not pinned by digest | HIGH | GitHub Actions | |
| GHA-054 | actions/checkout with ssh-key persists SSH credential in repo | HIGH | GitHub Actions | 🔧 fix |
| GHA-055 | Reusable workflow outputs derive a secret or caller-input value | HIGH | GitHub Actions | |
| GHA-056 | Workflow body contains a known supply-chain worm indicator | CRITICAL | GitHub Actions | |
| GHA-059 | npm install without registry-signature verification step | MEDIUM | GitHub Actions | |
| GHA-060 | pip install without --require-hashes verification | MEDIUM | GitHub Actions | |
| GHA-061 | GitHub App token minted without a permissions: filter | MEDIUM | GitHub Actions | |
| GHA-062 | OIDC subject claim in sibling IaC grants overly broad scope | HIGH | GitHub Actions | |
| GHA-088 | Action uses: slug is a near-edit of a top-traffic action | HIGH | GitHub Actions | |
| GHA-089 | Action upstream repo is archived | MEDIUM | GitHub Actions | |
| GHA-090 | Action SHA pin references a commit absent from the claimed repo | HIGH | GitHub Actions | |
| GHA-091 | Action upstream repo is missing (takeover-eligible namespace) | HIGH | GitHub Actions | |
| GHA-094 | Action SHA pin matches the current tip of an upstream branch | MEDIUM | GitHub Actions | |
| GHA-096 | Action reference has a known GHSA vulnerability | HIGH | GitHub Actions | |
| GHA-098 | Pipeline deploys without a security scan gate | MEDIUM | GitHub Actions | |
| GHA-099 | Deployment job has a secret-shaped plaintext env var | CRITICAL | GitHub Actions | |
| GHA-100 | cosign verify without certificate identity binding | HIGH | GitHub Actions | |
| GHA-106 | AI agent CLI runs with a write-scoped GITHUB_TOKEN | HIGH | GitHub Actions | |
| GHA-110 | Workflow disables Go module checksum / sum-db verification | HIGH | GitHub Actions | |
| GHA-111 | AI agent generates IaC applied to the cloud in the same job | HIGH | GitHub Actions | |
| GHA-113 | OIDC trusted-publishing job without an environment gate | HIGH | GitHub Actions | |
| GHA-114 | Package-publish workflow runs on an unrestricted push trigger | HIGH | GitHub Actions | |
| GHA-116 | Workflow serializes the entire secrets context (toJSON(secrets)) | HIGH | GitHub Actions | |
| GHA-123 | Agentic CLI output lands without human review | HIGH | GitHub Actions | |
| GL-001 | Image not pinned to specific version or digest | HIGH | GitLab CI | 🔧 fix |
| GL-003 | Variables contain literal secret values | CRITICAL | GitLab CI | |
| GL-004 | Deploy job lacks manual approval or environment gate | MEDIUM | GitLab CI | |
| GL-005 | include: pulls remote / project without pinned ref | HIGH | GitLab CI | |
| GL-008 | Credential-shaped literal in pipeline body | CRITICAL | GitLab CI | 🔧 fix |
| GL-009 | Image pinned to version tag rather than sha256 digest | LOW | GitLab CI | |
| GL-013 | AWS auth uses long-lived access keys | MEDIUM | GitLab CI | 🔧 fix |
| GL-018 | Package install from insecure source | HIGH | GitLab CI | 🔧 fix |
| GL-020 | CI_JOB_TOKEN written to persistent storage | CRITICAL | GitLab CI | 🔧 fix |
| GL-022 | Dependency update command bypasses lockfile pins | MEDIUM | GitLab CI | 🔧 fix |
| GL-024 | No SLSA provenance attestation produced | MEDIUM | GitLab CI | |
| GL-025 | Pipeline contains indicators of malicious activity | CRITICAL | GitLab CI | |
| GL-028 | services: image not pinned | HIGH | GitLab CI | |
| GL-029 | Manual deploy job defaults to allow_failure: true | MEDIUM | GitLab CI | |
| GL-030 | trigger: include: pulls child pipeline without pinned ref | HIGH | GitLab CI | |
| GL-031 | id_tokens: missing audience pin or environment binding | HIGH | GitLab CI | |
| GL-034 | npm install without registry-signature verification step | MEDIUM | GitLab CI | |
| GL-035 | pip install without --require-hashes verification | MEDIUM | GitLab CI | |
| GL-036 | Secret-named variable echoed / printed in a script block | HIGH | GitLab CI | |
| GL-037 | Pipeline disables Go module checksum / sum-db verification | HIGH | GitLab CI | |
| GL-038 | CI_DEBUG_TRACE / debug logging dumps secrets to the job log | HIGH | GitLab CI | |
| GL-040 | CI_JOB_TOKEN used for cross-project / remote access | HIGH | GitLab CI | |
| GL-042 | include: component pulls a CI/CD component without a pinned version | HIGH | GitLab CI | |
| GL-049 | Agentic CLI output lands without human review | HIGH | GitLab CI | |
| HARNESS-001 | Step image not pinned to a digest | HIGH | Harness CI/CD | |
| HARNESS-004 | Literal credential in a pipeline / stage variable | CRITICAL | Harness CI/CD | 🔧 fix |
| HARNESS-005 | Step pipes a remote download into a shell interpreter | HIGH | Harness CI/CD | 🔧 fix |
| HARNESS-006 | TLS verification disabled in step commands | HIGH | Harness CI/CD | 🔧 fix |
| HARNESS-009 | Agentic CLI output lands without human review | HIGH | Harness CI/CD | |
| HARNESS-013 | Secret-named variable echoed / printed in a step command | HIGH | Harness CI/CD | |
| HELM-002 | Chart.lock missing per-dependency digests | HIGH | Helm | 🔧 fix |
| HELM-003 | Chart dependency declared on a non-HTTPS repository | HIGH | Helm | 🔧 fix |
| HELM-004 | Chart dependency version is a range, not an exact pin | MEDIUM | Helm | |
| HELM-008 | Chart.lock generated more than 90 days ago | MEDIUM | Helm | |
| HELM-009 | Chart home / sources URL uses a non-HTTPS scheme | LOW | Helm | |
| HELM-014 | Chart dependency matches a known-compromised chart registry | HIGH | Helm | |
| HELM-015 | OCI chart dependency pinned only by a mutable tag | HIGH | Helm | |
| HELM-016 | values.yaml ships a default secret or credential | HIGH | Helm | |
| HELM-017 | Template renders an untrusted value through tpl | HIGH | Helm | |
| IAM-001 | CI/CD role has AdministratorAccess policy attached | CRITICAL | AWS | |
| IAM-002 | CI/CD role has wildcard Action in attached policy | HIGH | AWS | |
| IAM-003 | CI/CD role has no permission boundary | MEDIUM | AWS | |
| IAM-004 | CI/CD role can PassRole to any role | HIGH | AWS | |
| IAM-005 | CI/CD role trust policy missing sts:ExternalId | HIGH | AWS | |
| IAM-006 | Sensitive actions granted with wildcard Resource | MEDIUM | AWS | |
| IAM-007 | IAM user has access key older than 90 days | HIGH | AWS | |
| IAM-008 | OIDC-federated role trust policy missing audience or subject pin | HIGH | AWS | |
| IAM-009 | Azure federated identity credential trusts a broad GitHub subject | HIGH | Terraform | |
| IAM-010 | GCP workload identity provider has no repository attribute condition | HIGH | Terraform | |
| JF-001 | Shared library not pinned to a tag or commit | HIGH | Jenkins | |
| JF-004 | AWS auth uses long-lived access keys via withCredentials | MEDIUM | Jenkins | 🔧 fix |
| JF-005 | Deploy stage missing manual input approval | MEDIUM | Jenkins | |
| JF-008 | Credential-shaped literal in pipeline body | CRITICAL | Jenkins | 🔧 fix |
| JF-009 | Agent docker image not pinned to sha256 digest | HIGH | Jenkins | |
| JF-010 | Long-lived AWS keys exposed via environment {} block | HIGH | Jenkins | 🔧 fix |
| JF-018 | Package install from insecure source | HIGH | Jenkins | 🔧 fix |
| JF-022 | Dependency update command bypasses lockfile pins | MEDIUM | Jenkins | 🔧 fix |
| JF-024 | input approval step missing submitter restriction | MEDIUM | Jenkins | |
| JF-026 | build job: trigger ignores downstream failure | MEDIUM | Jenkins | |
| JF-028 | No SLSA provenance attestation produced | MEDIUM | Jenkins | |
| JF-029 | Jenkinsfile contains indicators of malicious activity | CRITICAL | Jenkins | |
| JF-033 | withCredentials secret leaked via Groovy ${...} interpolation in sh step | HIGH | Jenkins | |
| JF-034 | Pipeline declares a password() build parameter | HIGH | Jenkins | |
| JF-035 | httpRequest step disables SSL verification | HIGH | Jenkins | |
| JF-038 | Agentic CLI output lands without human review | HIGH | Jenkins | |
| JF-042 | Secret-named variable echoed / printed in a build step | HIGH | Jenkins | |
MODEL-001 |
Base model pulled without a pinned reference | MEDIUM | Modelfile | |
MODEL-002 |
Base model pulled from a third-party hub | MEDIUM | Modelfile | |
MODEL-003 |
Base model loaded from a local unverified weights blob | LOW | Modelfile | |
MODEL-004 |
LoRA adapter applied from a remote source | MEDIUM | Modelfile | |
MODEL-005 |
Vendored model config declares custom loader code (auto_map) | MEDIUM | Modelfile | |
| MVN-001 | pom.xml dependency uses a floating version range | MEDIUM | maven | |
| MVN-002 | pom.xml depends on a mutable SNAPSHOT version | MEDIUM | maven | |
| MVN-003 | pom.xml declares a plaintext-HTTP Maven repository | HIGH | maven | |
| MVN-004 | pom.xml dependency omits an explicit <version> | MEDIUM | maven | |
| MVN-005 | Maven repository accepts artifacts without strict checksum gating | MEDIUM | maven | |
| MVN-006 | pom.xml pins a known-compromised Maven Central artifact version | CRITICAL | maven | |
| MVN-007 | settings.xml mirror routes external traffic through one repo | MEDIUM | maven | |
| MVN-008 | Direct dependency was published within the cooldown window | HIGH | maven | |
| MVN-009 | Maven artifact has a known OSV advisory | CRITICAL | maven | |
| MVN-010 | settings.xml | HIGH | maven | |
| MVN-011 | Maven repository URL embeds plaintext credentials | HIGH | maven | |
| MVN-012 | pom.xml build plugin uses a floating version | HIGH | maven | |
| MVN-013 | pom.xml build extension uses a floating version | HIGH | maven | |
| MVN-014 | Maven Wrapper distributionUrl lacks distributionSha256Sum | MEDIUM | maven | |
| MVN-015 | pom.xml binds a build-time code-execution plugin to the lifecycle | HIGH | maven | |
| MVN-016 | build.gradle re-enables HTTP via allowInsecureProtocol = true | HIGH | maven | |
| MVN-017 | settings.xml | HIGH | maven | |
| MVN-018 | distributionManagement release repository accepts SNAPSHOTs | MEDIUM | maven | |
| NPM-001 | package.json dependency uses a floating version range | MEDIUM | npm | |
| NPM-002 | package-lock.json entry missing integrity hash | HIGH | npm | |
| NPM-003 | package-lock.json entry resolves from a non-registry source | HIGH | npm | |
| NPM-005 | package.json git dependency uses a mutable ref | HIGH | npm | |
| NPM-006 | package-lock.json pins a known-compromised package version | CRITICAL | npm | |
| NPM-008 | Direct dependency was published within the cooldown window | HIGH | npm | |
| NPM-009 | New transitive dependency added since the base ref | HIGH | npm | |
| NPM-010 | npm package has a known OSV advisory | CRITICAL | npm | |
| NPM-011 | package.json files field includes secret-shaped paths | HIGH | npm | |
| NPM-013 | package.json files field uses an overly broad pattern | HIGH | npm | |
| NUGET-001 | Floating NuGet version range | MEDIUM | NuGet | |
| NUGET-002 | Wildcard prerelease NuGet version | MEDIUM | NuGet | |
| NUGET-003 | PackageReference missing explicit version | MEDIUM | NuGet | |
| NUGET-004 | HTTP-only NuGet package source | HIGH | NuGet | |
| NUGET-005 | Known-compromised NuGet package version | CRITICAL | NuGet | |
| NUGET-006 | No NuGet lock file for reproducible restores | MEDIUM | NuGet | |
| NUGET-007 | Multiple NuGet sources without packageSourceMapping | HIGH | NuGet | |
| NUGET-008 | NuGet package published within the cooldown window | HIGH | NuGet | |
| NUGET-009 | NuGet package has a known OSV advisory | CRITICAL | NuGet | |
| NUGET-010 | NuGet.config stores a feed credential in plaintext | HIGH | NuGet | |
| NUGET-011 | packageSourceMapping pattern is a global wildcard | HIGH | NuGet | |
| NUGET-012 | NuGet.config does not enforce signatureValidationMode = require | HIGH | NuGet | |
| NUGET-013 | dotnet-tools.json entry lacks a version pin | HIGH | NuGet | |
| NUGET-014 | NuGet.config source URL embeds plaintext credentials | HIGH | NuGet | |
| NUGET-015 | PackageReference VersionOverride defeats Central Package Management | MEDIUM | NuGet | |
| NUGET-016 | Private feed without | HIGH | NuGet | |
| NUGET-017 | Public gallery active alongside a private feed, not disabled | HIGH | NuGet | |
| NUGET-018 | Project runs build-time MSBuild logic at restore/build | HIGH | NuGet | |
| NUGET-019 | signatureValidationMode=require with no trusted signers | HIGH | NuGet | |
| OCI-004 | Image layer references an arbitrary URL (foreign layer) | HIGH | OCI manifest | |
| OCI-007 | Image manifest uses legacy schemaVersion 1 (no content addressing) | HIGH | OCI manifest | |
| OCI-008 | Manifest references digest using unsupported hash algorithm | HIGH | OCI manifest | |
| ORG-013 | Organization ruleset is in evaluate / disabled mode (not enforced) | MEDIUM | SCM org governance | |
| PBAC-005 | CodePipeline stage action roles mirror the pipeline role | HIGH | AWS | |
| PYPI-001 | requirements.txt entry missing an exact version pin | MEDIUM | PyPI | |
| PYPI-002 | requirements.txt missing hash pinning (--require-hashes / --hash=) | HIGH | PyPI | |
| PYPI-003 | requirements.txt uses an HTTP index or disables TLS verification | HIGH | PyPI | |
| PYPI-004 | requirements.txt VCS dependency uses a mutable ref | HIGH | PyPI | |
| PYPI-005 | requirements.txt declares --extra-index-url (dependency-confusion surface) | HIGH | PyPI | |
| PYPI-006 | requirements.txt pins a known-compromised PyPI package version | CRITICAL | PyPI | |
| PYPI-008 | Direct dependency was published within the cooldown window | HIGH | PyPI | |
| PYPI-009 | PyPI package has a known OSV advisory | CRITICAL | PyPI | |
| PYPI-015 | requirements.txt installs from a direct artifact URL | HIGH | PyPI | |
| PYPI-016 | requirements.txt repoints the primary index at a non-PyPI host | HIGH | PyPI | |
| PYPI-017 | requirements.txt uses a remote --find-links source | MEDIUM | PyPI | |
| PYPI-018 | requirements.txt forces source builds via --no-binary | MEDIUM | PyPI | |
| SCM-007 | Default branch protection allows force-pushes | HIGH | SCM | |
| SCM-008 | Default branch protection does not require status checks | MEDIUM | SCM | |
| SCM-009 | Default branch protection allows branch deletion | HIGH | SCM | |
| SCM-022 | Repo Actions permissions allow any source (no allow-list) | MEDIUM | SCM | |
| SCM-029 | Repository ruleset is in evaluate / disabled mode (not enforced) | MEDIUM | SCM | |
| SCM-030 | Repository ruleset has bypass actor with bypass_mode: always | HIGH | SCM | |
| SCM-033 | Active ruleset doesn't require status checks | MEDIUM | SCM | |
| SCM-034 | Active ruleset doesn't block force-push | MEDIUM | SCM | |
| SCM-035 | Active ruleset doesn't block branch deletion | LOW | SCM | |
| SCM-038 | Active ruleset doesn't require linear history | LOW | SCM | |
| SCM-039 | Active ruleset doesn't pin a required workflow | LOW | SCM | |
| SCM-040 | Active ruleset doesn't gate on code scanning results | LOW | SCM | |
| SCM-048 | Org codespace secret scoped to all repos | HIGH | SCM | |
| SCM-049 | Classic PAT used where a fine-grained token suffices | MEDIUM | SCM | |
| TAINT-001 | Untrusted input flows across step boundaries via step outputs | HIGH | GitHub Actions | |
| TAINT-002 | Untrusted input flows across jobs via jobs.<id>.outputs: | HIGH | GitHub Actions | |
| TAINT-003 | Untrusted input forwarded into reusable workflow with: | HIGH | GitHub Actions | |
| TAINT-004 | Untrusted input flows across jobs via dotenv artifact | HIGH | GitLab CI | |
| TAINT-005 | Untrusted input flows across steps via buildkite-agent meta-data | HIGH | Buildkite | |
| TAINT-006 | Untrusted input flows across tasks via Tekton results | HIGH | Tekton | |
| TAINT-007 | Untrusted input flows across templates via Argo outputs.parameters | HIGH | Argo Workflows | |
| TAINT-008 | Untrusted input flows via GitLab extends: template inheritance | HIGH | GitLab CI | |
| TAINT-009 | Environment-protected secret flows to unprotected job | HIGH | GitHub Actions | |
| TF-001 | Plan declares aws_iam_access_key (long-lived credential) | HIGH | Terraform | |
| TF-002 | Stateful data-store resource carries a plaintext secret | CRITICAL | Terraform | |
| TKN-001 | Tekton step image not pinned to a digest | HIGH | Tekton | |
| TKN-005 | Literal secret value in Tekton step env or param default | CRITICAL | Tekton | 🔧 fix |
| TKN-007 | Tekton run uses the default ServiceAccount | MEDIUM | Tekton | |
| TKN-011 | No SLSA provenance attestation produced | MEDIUM | Tekton | |
| TKN-014 | Tekton step script runs unpinned package install | MEDIUM | Tekton | |
| TKN-016 | Remote resolver taskRef / pipelineRef not pinned to an immutable revision | HIGH | Tekton | |
| TKN-017 | Secret-named variable echoed / printed in a step script | HIGH | Tekton | |
Not covered
- Source track (branch protection, two-reviewer enforcement, retained history). Scanned via the dedicated SCM posture provider instead, which probes GitHub / GitLab / Bitbucket REST APIs.
- Dependency track. Requires package-manifest and lockfile analysis across the dependency graph; out of scope for a CI/CD configuration scan.
This page is generated. Edit pipeline_check/core/standards/data/slsa.py (mappings) or scripts/gen_standards_docs.py (intro / per-control prose) and run python scripts/gen_standards_docs.py slsa.