devops-engineer

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The workflow references GitHub Action repositories that are fetched and executed at runtime (e.g., actions/checkout@v4 and aquasecurity/trivy-action@master — github.com/actions/checkout and github.com/aquasecurity/trivy-action), which means external code is pulled during execution and the skill relies on those actions as workflow steps.