Kubescape Security Flaw: 'Unconditional Secrets Inheritance' (SEC-002) Verified Exploitable in CI/CD Pipeline

A critical security vulnerability, designated SEC-002, has been verified as exploitable in the `slashben/kubescape` GitHub repository. The flaw, initially rated as medium severity, has been escalated to HIGH following active penetration testing. The pentest agent confirmed the vulnerability can be successfully exploited through code injection during build or test execution, posing a direct threat to the repository's CI/CD pipeline integrity.

The core of the exploit lies in two key weaknesses. First, the workflow is triggered by `pullrequest` events, allowing any external contributor to initiate it simply by opening a pull request. While a `paths-ignore` rule attempts to block modifications to the `.github/` directory, this does not prevent the injection of malicious code elsewhere. Second, and more critically, is the mechanism of "Unconditional Secrets Inheritance." The calling workflow (`00-pr-scanner.yaml`) is configured to pass `secrets: inher`—a configuration that appears to grant downstream jobs unconditional access to the repository's secrets.

This combination creates a high-risk scenario where a malicious actor could submit a pull request with injected code, trigger the vulnerable workflow, and potentially gain access to sensitive secrets stored within the GitHub environment. The verification status as "exploitable" underscores that this is not a theoretical concern but a practical attack vector. For projects using or forking this repository, the flaw represents a significant supply chain risk, demanding immediate review of CI/CD configurations and secret management practices to prevent credential exposure and unauthorized access.