WhisperX tag archive

#CI/CD Security

This page collects WhisperX intelligence signals tagged #CI/CD Security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (15)

The Lab · 2026-03-25 12:27:17 · GitHub Issues

1. Critical Cache Poisoning Vulnerability (CACHE-001) Verified Exploitable in slashben/kubescape Repository

A critical security flaw has been verified as exploitable in the slashben/kubescape GitHub repository, posing a direct threat to its CI/CD pipeline integrity. The vulnerability, identified as CACHE-001, is a cache poisoning attack enabled by a shared cache scope between untrusted and trusted workflows. Automated pentes...

The Lab · 2026-03-25 12:27:23 · GitHub Issues

2. Script Injection Vulnerability Found in Open-Source Security Tool Kubescape; Downgrade of High-Severity Rating Draws Questions

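A potential script injection vulnerability (INJ-001) has been found in the GitHub Actions workflows of Kubescape, the open-source container security tool. Although an automated penetration-testing agent flagged its original severity as "High", subsequent verification downgraded it to "Low", a process that reveals a key blind spot in security assessments of open-source projects. The vulnerability involves the handling of untrusted input such as `github.refname` and could in theory allow an attacker to compromise the CI/CD pipeline by injecting malicious commands. However, the verification results show that all reported injection points are either located in unused composite actions (for example, `tag-action` has no callers in the repository) or depend on undefined environment variables (for example, `DOCKERCMD` is never set), so no practically exploitable attack path exists. The core of this finding lies in `sla...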

The Lab · 2026-03-26 23:27:35 · GitHub Issues

3. GitHub Repository Hardens CI/CD Pipeline: Pins Actions to SHAs, Overrides High-Severity npm Vulnerabilities

A GitHub repository has taken significant steps to harden its software supply chain, directly addressing multiple high and moderate-severity security vulnerabilities flagged by Dependabot. The remediation effort focused on two critical fronts: patching exploitable npm dependencies and locking down the CI/CD pipeline ag...

The Lab · 2026-03-29 08:26:58 · GitHub Issues

4. GitHub Workflow Vulnerability: Command Injection in Claude Agentic Pipeline Example via github.event.label.name

A high-risk command injection vulnerability exists in a public GitHub Actions workflow example, exposing repositories to potential remote code execution. The flaw resides in the `examples/claude-agentic-pipeline.yml` file, where user-controlled input from `github.event.label.name` is directly used in shell variable exp...

The Lab · 2026-04-05 06:26:54 · GitHub Issues

5. SonarCloud Flags Critical Script Injection Risk in ben-ranford_cellin GitHub Release Workflow

A critical security vulnerability has been flagged in the automated release pipeline of the public GitHub repository `ben-ranford_cellin`. SonarCloud analysis identified three high-severity `githubactions:S7630` vulnerabilities, warning that the workflow's release process is exposed to potential script injection attack...

The Lab · 2026-04-05 15:27:03 · GitHub Issues

6. GitHub Actions Security Flaw: 422 Instances of Exposed Tokens & Secrets Found in CI/CD Workflows

A critical security vulnerability pattern has been identified in GitHub Actions workflows, exposing sensitive tokens and secrets. An automated scan of a major open-source repository revealed 422 instances where authentication tokens and secrets are directly interpolated into `run:` blocks within CI/CD pipelines. This p...

The Lab · 2026-04-06 23:26:59 · GitHub Issues

7. GitHub Workflows Exposed: actionlint & zizmor Enforced After Script Injection Vulnerabilities Found

GitHub has mandated new security validation checks after discovering a class of script injection vulnerabilities within its own internal workflows. The platform is now requiring `actionlint` and `zizmor` as mandatory checks on every pull request that modifies `.github/workflows/**` files. This move is a direct response...

The Lab · 2026-04-13 03:22:37 · GitHub Issues

8. HIGH-Severity Shell Injection Risk Found in Cypress Script (B602 / CWE-78)

A high-severity security vulnerability has been flagged in a key automation script, exposing the codebase to potential shell injection attacks. The automated scanner `bandit` identified the use of `subprocess.Popen` with `shell=True` in the file `scripts/cypress_run.py` at line 83. This coding pattern, classified under...

The Lab · 2026-04-15 15:22:55 · GitHub Issues

9. Pytest Security Flaw CVE-2025-71176: Local UNIX Users Can Trigger DoS or Gain Privileges

A newly disclosed vulnerability in the widely used Python testing framework, pytest, exposes a critical path for local privilege escalation and denial-of-service attacks on UNIX systems. The flaw, tracked as CVE-2025-71176, stems from the framework's reliance on predictable directory names under `/tmp/pytest-of-{user}`...

The Lab · 2026-04-16 06:22:52 · GitHub Issues

10. GitHub CI Security Gap: Trivy Workflow Update Reveals Python CVE Scanning Was Silently Failing

A recent update to a GitHub Actions workflow has exposed a critical security oversight: the project's automated vulnerability scanner was silently skipping all Python dependencies, leaving a major attack surface unmonitored. The fix, which adds a `trivy.yaml` configuration file and updates the `trivy-action` to version...

The Lab · 2026-04-20 12:22:57 · GitHub Issues

11. GitHub CI Pipeline Exposed: No Secrets Scanning, SAST, or Dependency Checks in Monorepo

A critical security gap in the CI/CD pipeline has left a multi-language monorepo exposed, allowing secrets, vulnerable code, and risky dependencies to potentially merge undetected. The absence of automated security controls was proven during an internal audit, which discovered a live Anthropic API key present on disk i...

The Lab · 2026-05-02 19:54:06 · GitHub Issues

12. GitHub Action Vulnerability Allows Sensitive File Exfiltration via Symlink in Pull Request Workflows

A security vulnerability in a code review GitHub Action's `prepare` workflow allows malicious pull requests to read and exfiltrate sensitive system files from the runner environment. The flaw, located in the `src/prepare/main.ts` module, stems from the action accepting a `review-reference-file` input and reading the sp...

The Lab · 2026-05-05 08:31:40 · GitHub Issues

13. Shell Injection Flaw Discovered in ai-qa-responder GitHub Actions Workflow

A shell injection vulnerability has been identified in `.github/workflows/ai-qa-responder.yml`, the GitHub Actions workflow handling automated responses in AI-powered Q&A discussions. The flaw affects two user-controlled GitHub event values interpolated directly via `${{ }}` expressions inside `run:` blocks: `github.ev...

The Lab · 2026-05-08 07:36:56 · GitHub Security Blog RSS

14. GitHub Actions Workflows Exploited in Supply Chain Attacks Targeting Secrets Exfiltration

A new attack pattern targeting the open source supply chain has emerged over the past year, with attackers systematically exploiting GitHub Actions workflows to exfiltrate secrets such as API keys. These compromises serve a dual purpose: enabling attackers to publish malicious packages from controlled infrastructure wh...

The Lab · 2026-05-11 12:10:32 · SecurityWeek RSS

15. Malicious Checkmarx Jenkins Plugin Published to Jenkins Marketplace in Supply Chain Attack

A compromised version of the Checkmarx Jenkins AST Plugin was published to the Jenkins Marketplace late last week, security researchers confirmed. The incident marks another addition to a growing list of supply chain attacks targeting open-source development ecosystems and software build pipelines. While details about ...