cicd-pipeline-setup

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The CI workflows include runtime "uses" and image pulls that fetch and execute remote code (for example snyk/actions/node@master -> https://github.com/snyk/actions and the Trivy image aquasec/trivy:latest -> https://hub.docker.com/r/aquasec/trivy), so these are required external artifacts fetched at runtime that can execute code.