platform-engineering
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS)
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): In `examples/crossplane/database-composition.yaml`, the `connection-secret` resource defines a connection string template `postgresql://user:password@%s:5432/%s`. This literal string is used to populate Kubernetes secrets, meaning all databases created through this composition will share the same hardcoded credentials, violating secure credential management practices.
- EXTERNAL_DOWNLOADS (LOW): The files `examples/argocd/application-set.yaml` and `examples/backstage/template-example.yaml` reference external Git repositories at `github.com/my-org/infrastructure`. These sources are untrusted and define the deployment state or infrastructure changes.
- Indirect Prompt Injection (LOW): The Backstage template in `examples/backstage/template-example.yaml` interpolates user-provided parameters directly into automated GitHub workflows.
  1. Ingestion points: User-provided `parameters.name` and `parameters.description` fields.
  2. Boundary markers: Absent; inputs are directly placed into Pull Request titles and descriptions.
  3. Capability inventory: The template possesses capabilities to create new GitHub repositories and submit Pull Requests to infrastructure repositories.
  4. Sanitization: While the `name` field is restricted by a regex pattern, the `description` field is entirely unsanitized, allowing potential attackers to inject malicious text or instructions into the organization's repository metadata and PR history.
Recommendations
- AI detected serious security threats