github_actions_cicd
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill configures several shell commands for quality gates, including `ruff`, `mypy`, `bandit`, `safety`, and `pytest`. These are industry-standard tools for static analysis, security linting, and testing within a CI/CD environment.
- [EXTERNAL_DOWNLOADS]: The workflow template references official GitHub Actions (`actions/checkout`, `actions/setup-python`) and a security scanner from Aqua Security (`aquasecurity/trivy-action`). These are sourced from well-known and trusted organizations.
- [DATA_EXFILTRATION]: The documentation mentions the use of GitHub Secrets (`REGISTRY_TOKEN`, `KUBECONFIG`, `VAULT_TOKEN`) as a security best practice for managing sensitive credentials rather than hardcoding them.
- [INDIRECT_PROMPT_INJECTION]: As a CI/CD template, the pipeline is designed to process untrusted code from Pull Requests.
  - Ingestion points: Pull request code changes and dependency files (`requirements-dev.txt`).
  - Boundary markers: Execution occurs within isolated GitHub Actions runners.
  - Capability inventory: Subprocess execution via `run` steps and Docker container orchestration.
  - Sanitization: The skill explicitly includes security mitigation tools like `bandit` (static analysis for Python), `safety` (dependency vulnerability checking), and `trivy` (container image scanning) to identify and block malicious or vulnerable code before it is merged.