Created February 9, 2026 23:42
Zizmor Scan of NuttX GitHub Actions
$ brew install zizmor
$ git clone https://github.com/apache/nuttx
$ zizmor nuttx
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed nuttx/.github/actions/ci-container/action.yaml
 INFO audit: zizmor: 🌈 completed nuttx/.github/actions/free-disk-space/action.yaml
 INFO audit: zizmor: 🌈 completed nuttx/.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/arch.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/build.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/check.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/doc.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/docker_linux.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/issue_labeler.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/labeler.yml
 INFO audit: zizmor: 🌈 completed nuttx/.github/workflows/lint.yml
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:134:19
    |
 52 | run: |
    | --- this run block
...
134 | if [[ ${{ inputs.android }} == 'true' ]]; then
    |           ^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:146:19
    |
 52 | run: |
    | --- this run block
...
146 | if [[ ${{ inputs.dotnet }} == 'true' ]]; then
    |           ^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:159:19
    |
 52 | run: |
    | --- this run block
...
159 | if [[ ${{ inputs.haskell }} == 'true' ]]; then
    |           ^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:173:19
    |
 52 | run: |
    | --- this run block
...
173 | if [[ ${{ inputs.large-packages }} == 'true' ]]; then
    |           ^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:195:19
    |
 52 | run: |
    | --- this run block
...
195 | if [[ ${{ inputs.docker-images }} == 'true' ]]; then
    |           ^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:208:19
    |
 52 | run: |
    | --- this run block
...
208 | if [[ ${{ inputs.tool-cache }} == 'true' ]]; then
    |           ^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/actions/free-disk-space/action.yaml:220:19
    |
 52 | run: |
    | --- this run block
...
220 | if [[ ${{ inputs.swap-storage }} == 'true' ]]; then
    |           ^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
  --> nuttx/.github/dependabot.yml:3:5
    |
  3 | - package-ecosystem: "github-actions"
    |   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:111:22
    |
108 | run: |
    | --- this run block
...
111 | if [[ "${{ inputs.os }}" == "macOS" ]]; then
    |            ^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:118:25
    |
108 | run: |
    | --- this run block
...
118 | numlabels=${{ steps.get-arch.outputs.numlabels }}
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:119:35
    |
108 | run: |
    | --- this run block
...
119 | labels_contain_size=${{ steps.get-arch.outputs.labels_contain_size }}
    |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:120:35
    |
108 | run: |
    | --- this run block
...
120 | labels_contain_arch=${{ steps.get-arch.outputs.labels_contain_arch }}
    |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:121:36
    |
108 | run: |
    | --- this run block
...
121 | labels_contain_board=${{ steps.get-arch.outputs.labels_contain_board }}
    |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:122:33
    |
108 | run: |
    | --- this run block
...
122 | arch_contains_arm=${{ steps.get-arch.outputs.arch_contains_arm }}
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:123:35
    |
108 | run: |
    | --- this run block
...
123 | arch_contains_arm64=${{ steps.get-arch.outputs.arch_contains_arm64 }}
    |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:124:35
    |
108 | run: |
    | --- this run block
...
124 | arch_contains_riscv=${{ steps.get-arch.outputs.arch_contains_riscv }}
    |                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:125:33
    |
108 | run: |
    | --- this run block
...
125 | arch_contains_sim=${{ steps.get-arch.outputs.arch_contains_sim }}
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:126:33
    |
108 | run: |
    | --- this run block
...
126 | arch_contains_x86=${{ steps.get-arch.outputs.arch_contains_x86 }}
    |                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:127:36
    |
108 | run: |
    | --- this run block
...
127 | arch_contains_x86_64=${{ steps.get-arch.outputs.arch_contains_x86_64 }}
    |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:128:36
    |
108 | run: |
    | --- this run block
...
128 | arch_contains_xtensa=${{ steps.get-arch.outputs.arch_contains_xtensa }}
    |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:129:34
    |
108 | run: |
    | --- this run block
...
129 | board_contains_arm=${{ steps.get-arch.outputs.board_contains_arm }}
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:130:36
    |
108 | run: |
    | --- this run block
...
130 | board_contains_arm64=${{ steps.get-arch.outputs.board_contains_arm64 }}
    |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:131:36
    |
108 | run: |
    | --- this run block
...
131 | board_contains_riscv=${{ steps.get-arch.outputs.board_contains_riscv }}
    |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:132:34
    |
108 | run: |
    | --- this run block
...
132 | board_contains_sim=${{ steps.get-arch.outputs.board_contains_sim }}
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:133:34
    |
108 | run: |
    | --- this run block
...
133 | board_contains_x86=${{ steps.get-arch.outputs.board_contains_x86 }}
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:134:37
    |
108 | run: |
    | --- this run block
...
134 | board_contains_x86_64=${{ steps.get-arch.outputs.board_contains_x86_64 }}
    |                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
info[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:135:37
    |
108 | run: |
    | --- this run block
...
135 | board_contains_xtensa=${{ steps.get-arch.outputs.board_contains_xtensa }}
    |                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:137:13
    |
108 | run: |
    | --- this run block
...
137 | # inputs.boards is a JSON Array: ["arm-01", "risc-v-01", "xtensa-01", ...]
    |   ^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
error[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/arch.yml:181:27
    |
108 | run: |
    | --- this run block
...
181 | echo '${{ inputs.boards }}' |
    |           ^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → High
    = note: this finding has an auto-fix
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/build.yml:97:9
    |
 97 |   - name: Checkout nuttx repo
    |  _________^
 98 | |   uses: actions/checkout@v6
 99 | |   with:
100 | |     repository: apache/nuttx
101 | |     ref: ${{ steps.gittargets.outputs.os_ref }}
102 | |     path: sources/nuttx
103 | |     fetch-depth: 1
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/build.yml:107:9
    |
107 |   - name: Checkout apps repo
    |  _________^
108 | |   uses: actions/checkout@v6
109 | |   with:
110 | |     repository: apache/nuttx-apps
111 | |     ref: ${{ steps.gittargets.outputs.apps_ref }}
112 | |     path: sources/apps
113 | |     fetch-depth: 1
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/build.yml:377:9
    |
377 | - uses: actions/checkout@v6
    |   ^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/build.yml:451:9
    |
451 |   - uses: actions/checkout@v6
    |  _________^
452 | |   # Set up Python environment and install kconfiglib
    | |________________________________________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
warning[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/build.yml:345:48
    |
341 | run: |
    | --- this run block
...
345 | ./cibuild.sh -i -c -A -R testlist/${{matrix.boards}}.dat
    |                                      ^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
    = note: this finding has an auto-fix
warning[template-injection]: code injection via template expansion
  --> nuttx/.github/workflows/build.yml:428:54
    |
422 | run: |
    | --- this run block
...
428 | ./cibuild.sh -g -i -A -C -N -R testlist/${{matrix.boards}}.dat
    |                                            ^^^^^^^^^^^^^ may expand into attacker-controllable code
    |
    = note: audit confidence → Medium
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:98:15
    |
 98 | uses: actions/checkout@v6
    |       ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:108:15
    |
108 | uses: actions/checkout@v6
    |       ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:119:15
    |
119 | uses: actions/upload-artifact@v6
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:126:11
    |
126 | uses: apache/nuttx/.github/workflows/arch.yml@master
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:166:15
    |
166 | uses: actions/download-artifact@v7
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:175:15
    |
175 | uses: docker/login-action@v3
    |       ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:241:15
    |
241 | - uses: actions/upload-artifact@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:256:15
    |
256 | uses: actions/download-artifact@v7
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:265:15
    |
265 | uses: docker/login-action@v3
    |       ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:286:15
    |
286 | - uses: actions/upload-artifact@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:295:11
    |
295 | uses: apache/nuttx/.github/workflows/arch.yml@master
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:315:15
    |
315 | uses: actions/download-artifact@v7
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:325:15
    |
325 | uses: actions/cache@v5
    |       ^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:337:15
    |
337 | - uses: actions/setup-python@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:347:15
    |
347 | - uses: actions/upload-artifact@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:355:11
    |
355 | uses: apache/nuttx/.github/workflows/arch.yml@master
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:377:15
    |
377 | - uses: actions/checkout@v6
    |         ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:378:15
    |
378 | - uses: msys2/setup-msys2@v2
    |         ^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:410:15
    |
410 | uses: actions/download-artifact@v7
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:430:15
    |
430 | - uses: actions/upload-artifact@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:438:11
    |
438 | uses: apache/nuttx/.github/workflows/arch.yml@master
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:451:15
    |
451 | - uses: actions/checkout@v6
    |         ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:454:15
    |
454 | uses: actions/setup-python@v6
    |       ^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:464:15
    |
464 | uses: actions/download-artifact@v7
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/build.yml:482:15
    |
482 | - uses: actions/upload-artifact@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> nuttx/.github/workflows/build.yml:325:9
    |
 15 | / on:
 16 | |   pull_request:
 17 | |     paths-ignore:
 18 | |       - "AUTHORS"
... | |
 30 | |       - "releases/*"
 31 | |   tags:
    | |_________- generally used when publishing artifacts generated at runtime
...
325 | uses: actions/cache@v5
    | ^^^^^^^^^^^^^^^^^^^^^^ enables caching by default
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/check.yml:32:9
    |
 32 |   - name: Checkout nuttx repo
    |  _________^
 33 | |   uses: actions/checkout@v6
 34 | |   with:
 35 | |     repository: apache/nuttx
 36 | |     path: nuttx
 37 | |     fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/check.yml:33:15
    |
 33 | uses: actions/checkout@v6
    |       ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/doc.yml:38:9
    |
 38 | - uses: actions/checkout@v6
    |   ^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/doc.yml:38:15
    |
 38 | - uses: actions/checkout@v6
    |         ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/doc.yml:39:15
    |
 39 | - uses: actions/setup-python@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/doc.yml:48:15
    |
 48 | - uses: actions/upload-artifact@v6
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/docker_linux.yml:49:9
    |
 49 |   - name: Checkout repository
    |  _________^
 50 | |   uses: actions/checkout@v6
    | |_________________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/docker_linux.yml:50:15
    |
 50 | uses: actions/checkout@v6
    |       ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/docker_linux.yml:69:15
    |
 69 | uses: docker/setup-buildx-action@v3
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/docker_linux.yml:72:15
    |
 72 | uses: docker/login-action@v3
    |       ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/docker_linux.yml:81:15
    |
 81 | uses: docker/build-push-action@v6
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/issue_labeler.yml:26:15
    |
 26 | uses: actions/github-script@v8
    |       ^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/labeler.yml:27:9
    |
 27 |   - name: Checkout repository
    |  _________^
 28 | |   uses: actions/checkout@v6
    | |_________________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> nuttx/.github/workflows/labeler.yml:16:1
    |
 16 | / on:
 17 | |   - pull_request_target
    | |_______________________^ pull_request_target is almost always used insecurely
    |
    = note: audit confidence → Medium
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/labeler.yml:28:15
    |
 28 | uses: actions/checkout@v6
    |       ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/labeler.yml:31:15
    |
 31 | uses: actions/labeler@main
    |       ^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/labeler.yml:37:15
    |
 37 | uses: codelytv/pr-size-labeler@v1.10.3
    |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> nuttx/.github/workflows/lint.yml:20:9
    |
 20 |   - uses: actions/checkout@v6
    |  _________^
 21 | |   with:
 22 | |     fetch-depth: 0
    | |________________________^ does not set persist-credentials: false
    |
    = note: audit confidence → Low
    = note: this finding has an auto-fix
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/lint.yml:20:15
    |
 20 | - uses: actions/checkout@v6
    |         ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
error[unpinned-uses]: unpinned action reference
  --> nuttx/.github/workflows/lint.yml:25:15
    |
 25 | uses: github/super-linter@v7
    |       ^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High
146 findings (65 suppressed, 40 fixable): 18 informational, 9 low, 3 medium, 51 high