github-actions-cicd

Warn

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, NO_CODE)
Full Analysis

================================================================================

🟡 VERDICT: MEDIUM

This skill describes a GitHub Actions CI/CD workflow. The primary concern is the inclusion of an external, unverified GitHub Action (treosh/lighthouse-ci-action) within the recommended workflow. While the skill itself is a descriptive markdown file (NO_CODE), the workflow it describes involves external dependencies and command execution.

Total Findings: 2

🟡 MEDIUM Findings:

• Unverifiable Dependency

  • Line 44: The workflow recommends treosh/lighthouse-ci-action@v10. This action is from a personal GitHub account (treosh) and is not part of the explicitly trusted organizations. Its code cannot be fully verified by this analysis, posing a potential supply chain risk if implemented.

🔵 LOW Findings:

• External Network Calls

  • Line 36, 46: The workflow includes zaproxy/action-baseline@v0.10.0 and treosh/lighthouse-ci-action@v10 which target https://www.hack23.com. While hack23.com appears to be a legitimate site for security/performance auditing, these are external network calls to a domain not explicitly whitelisted for general data transfer. However, given the context of security and performance scanning, this is considered an intended function rather than malicious data exfiltration from the runner.

ℹ️ TRUSTED SOURCE References:

• github.com
  • Line 29, 33, 37, 52: The workflow uses several GitHub Actions from trusted organizations: actions/checkout@v4, github/codeql-action/init@v3, github/codeql-action/analyze@v3, and aws-actions/configure-aws-credentials@v4. These are considered lower risk due to their origin from well-known, reputable organizations.
• zaproxy
  • Line 39: The workflow uses zaproxy/action-baseline@v0.10.0. OWASP ZAP is a well-known open-source security project, and its GitHub organization is considered reputable in this context.

================================================================================

Audit Metadata

Risk Level: MEDIUM
Analyzed: Feb 12, 2026, 01:41 PM