docker-ci-cd
Warn
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
================================================================================
🟡 VERDICT: MEDIUM
This skill provides CI/CD pipeline configurations and a shell script for Docker operations. The primary concern is the direct execution of Docker commands within the build-and-push.sh script, which can perform powerful system-level actions. The skill also references numerous external GitHub Actions and Docker images, though these are from trusted sources.
Total Findings: 10
🟡 MEDIUM Findings:
• COMMAND_EXECUTION
- scripts/build-and-push.sh (Line 19, 30, 37, 43, 44): The build-and-push.sh script directly executes docker build, docker run, and docker push commands. These commands require access to the Docker daemon and can perform powerful operations, including building and running arbitrary images. While this is the intended functionality of a Docker CI/CD skill, it represents a significant command execution capability that should be sandboxed.
ℹ️ TRUSTED SOURCE References:
• https://github.com/actions/checkout@v4
- SKILL.md (Line 36): References actions/checkout@v4, a trusted GitHub Action.
• https://github.com/docker/setup-buildx-action@v3
- SKILL.md (Line 39): References docker/setup-buildx-action@v3, a trusted GitHub Action.
• https://github.com/docker/login-action@v3
- SKILL.md (Line 43): References docker/login-action@v3, a trusted GitHub Action.
• https://github.com/docker/metadata-action@v5
- SKILL.md (Line 47): References docker/metadata-action@v5, a trusted GitHub Action.
• https://github.com/docker/build-push-action@v5
- SKILL.md (Line 52): References docker/build-push-action@v5, a trusted GitHub Action.
• https://github.com/aquasecurity/trivy-action@master
- SKILL.md (Line 60): References aquasecurity/trivy-action@master, a trusted GitHub Action.
• docker:24, aquasec/trivy
- SKILL.md (Line 80, 81, 87): References docker:24, docker:24-dind, and aquasec/trivy Docker images, which are from trusted sources.
• https://github.com/actions/checkout@v4, https://github.com/docker/setup-qemu-action@v3, https://github.com/docker/setup-buildx-action@v3, https://github.com/docker/login-action@v3, https://github.com/docker/metadata-action@v5, https://github.com/docker/build-push-action@v5, https://github.com/aquasecurity/trivy-action@master, https://github.com/github/codeql-action/upload-sarif@v2
- assets/github-actions-docker.yaml (Line 24, 27, 30, 34, 39, 48, 56, 61): References multiple trusted GitHub Actions from official organizations.
• https://github.com/docker/build-push-action@v5, https://github.com/docker/setup-qemu-action@v3, https://github.com/docker/setup-buildx-action@v3, https://github.com/aquasecurity/trivy-action@master, https://github.com/snyk/actions/docker@master
- references/CI-CD-GUIDE.md (Line 5, 10, 11, 12, 29, 35): References multiple trusted GitHub Actions from official organizations.
================================================================================
Audit Metadata