github-workflows-pgpm
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGHCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes hardcoded credentials within its configuration templates, primarily intended for local or CI test environments.
- Evidence:
POSTGRES_PASSWORD: passwordis hardcoded in the PostgreSQL service container definitions. - Evidence:
AWS_ACCESS_KEY: minioadminandAWS_SECRET_KEY: minioadminare hardcoded for MinIO/S3 testing configurations. - [EXTERNAL_DOWNLOADS]: The skill configures the agent to download and install external software and container images.
- Evidence: The workflow installs the
pgpmCLI tool globally from NPM usingnpm install -g pgpm@${{ env.PGPM_VERSION }}. - Evidence: The configuration references Docker images hosted on
ghcr.io/constructive-io/andpyramation/(a vendor-associated account). - Evidence: It uses several GitHub Actions from well-known sources, including
actions/checkout,actions/setup-node,pnpm/action-setup, anddocker/login-action. - [COMMAND_EXECUTION]: The skill provides instructions for executing various CLI tools as part of the CI/CD pipeline.
- Evidence: Executes the
pgpmutility for database user bootstrapping and integration testing. - Evidence: Executes
pnpmfor package installation, workspace building, and running test suites. - Evidence: Executes
gitcommands for configuration and committing generated SDK changes.
Recommendations
- AI detected serious security threats
Audit Metadata