push-to-registry
Pass
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: LOW
Full Analysis
- [EXTERNAL_DOWNLOADS] (INFO): The GitHub Actions example references 'hashicorp/setup-packer@main'. Per the trust-scope-rule, HashiCorp is a recognized trusted source, and the reference is for standard tool setup.
- [COMMAND_EXECUTION] (INFO): The Packer HCL template utilizes a shell provisioner to run 'sudo apt-get update'. This is standard and expected behavior for machine image preparation within an isolated build environment.
- [CREDENTIALS_UNSAFE] (INFO): The documentation includes instructions for setting sensitive environment variables like 'HCP_CLIENT_SECRET'. It correctly uses placeholders for local configuration and demonstrates the use of GitHub Secrets for CI/CD, which is the recommended secure approach.
Audit Metadata