dotnet-gha-deploy

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
  • [PROMPT_INJECTION]: The skill provides a template for manual rollbacks that interpolates the user-provided workflow input inputs.version (via a ${{ inputs.version }} expression) directly into a run: shell script. The runner substitutes the expression text before the shell parses the script, so quotes, semicolons and other shell metacharacters in the value become part of the command, creating a script injection (command injection) surface.
  • Ingestion points: inputs.version on the workflow_dispatch trigger of the manual rollback workflow.
  • Boundary markers: None used to encapsulate the interpolated value.
  • Capability inventory: Execution of arbitrary shell commands on the GitHub Actions runner, with whatever token permissions and secrets the job exposes to that step.
  • Sanitization: None; the input is neither validated against an expected version format nor passed to the script through an env: mapping and read as a quoted shell variable, which is the documented mitigation for this pattern.
  • [EXTERNAL_DOWNLOADS]: Fetches GitHub Actions from trusted organizations including Microsoft, Docker, and GitHub, and installs documentation tools from the official .NET tool registry.
  • [COMMAND_EXECUTION]: Utilizes legitimate command-line tools such as dotnet, docker, and az to perform build and deployment tasks.
  • [CREDENTIALS_UNSAFE]: No issue found; the skill correctly promotes OIDC (OpenID Connect) federated authentication to Azure, which avoids storing long-lived secrets in the repository.
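To make the injection finding concrete, here is an added example that is not the skill's own template and not code from the audited repository. It models the substitution a GitHub Actions runner performs on a run: step, assuming a hypothetical rollback step of the form run: ./deploy.sh --rollback-to "${{ inputs.version }}"; the deploy.sh name, the VERSION variable name and the malicious input are all constructed for the demonstration:

```shell
#!/usr/bin/env bash
# Added example, not code from the dotnet-gha-deploy skill. It models the
# injection surface described in the finding, assuming a hypothetical step
#     run: ./deploy.sh --rollback-to "${{ inputs.version }}"
# The runner substitutes the expression text into the script BEFORE the shell
# parses it, so quotes and ';' inside the input become shell syntax. The
# hardened variant passes the value through `env:` and reads "$VERSION".

# Constructed attacker-controlled workflow_dispatch input.
MALICIOUS_VERSION='v1.2.3"; echo INJECTED; echo "'

# Vulnerable pattern. The script string is built exactly the way the
# expression engine builds the step script, then handed to a fresh shell.
run_vulnerable() {
  sh -c "echo \"rollback to $1\""
}

# Hardened pattern. Models
#     env:
#       VERSION: ${{ inputs.version }}
#     run: echo "rollback to $VERSION"
# The value reaches the shell as an environment variable, never as script text.
run_hardened() {
  VERSION="$1" sh -c 'echo "rollback to $VERSION"'
}

# Defence in depth: an allow-list check on the expected version shape, so an
# unexpected value is rejected before any deployment tooling sees it.
valid_version() {
  printf '%s' "$1" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+$'
}

# Validate, then run the hardened step; refuse anything else.
safe_rollback() {
  if ! valid_version "$1"; then
    printf 'refusing rollback: invalid version %s\n' "$1" >&2
    return 1
  fi
  run_hardened "$1"
}

# Demonstration when executed directly.
echo '--- vulnerable (note the extra INJECTED line) ---'
run_vulnerable "$MALICIOUS_VERSION"
echo '--- hardened (value stays literal) ---'
run_hardened "$MALICIOUS_VERSION"
echo '--- validated ---'
safe_rollback "$MALICIOUS_VERSION" || true
safe_rollback v2.0.1
```

Quoting the expression inside the run: script does not help, because the substitution happens before the shell ever tokenizes the line; only moving the value out of script text (the env: mapping) or rejecting unexpected values closes the hole.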
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 7, 2026, 03:43 PM