Skip to content
Infrastructure Security Scan (local repository)

fix: ci only when changed files #1

Sign in to view logs

fix: ci only when changed files

fix: ci only when changed files #1

Triggered via pull request December 31, 2024 15:55
@notdodonotdodo
synchronize #97
fix_ci
Status Success
Total duration 39s
Artifacts

infra-scan.yml

on: pull_request
infra-scan  /  Scan with Kics
32s
infra-scan / Scan with Kics
infra-scan  /  Check Makefile
19s
infra-scan / Check Makefile
Fit to window
Zoom out
Zoom in

Annotations

1 error and 10 warnings
infra-scan / Check Makefile
Process completed with exit code 2.
infra-scan / Check Makefile
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
infra-scan / Scan with Kics
ubuntu-latest pipelines will use ubuntu-24.04 soon. For more details, see https://github.com/actions/runner-images/issues/10636
[HIGH] Docker Socket Mounted In Container: pulumi/docker-compose.yaml#L14
Docker socket docker.sock should not be mounted on host. If the docker socket is mounted, it can allow its processes to execute docker commands.
[HIGH] Passwords And Secrets - Generic Token: .github/workflows/pulumi-preview.yml#L71
Query to find passwords and secrets in infrastructure code.
[HIGH] Passwords And Secrets - Generic Token: .github/workflows/pulumi-up.yml#L63
Query to find passwords and secrets in infrastructure code.
[HIGH] Volume Has Sensitive Host Directory: pulumi/docker-compose.yaml#L14
Container has sensitive host directory mounted as a volume
[MEDIUM] Container Capabilities Unrestricted: pulumi/docker-compose.yaml#L2
Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessary capabilities as well.
[MEDIUM] Healthcheck Not Set: pulumi/docker-compose.yaml#L2
Check containers periodically to see if they are running properly.
[MEDIUM] Security Opt Not Set: pulumi/docker-compose.yaml#L2
Attribute 'security_opt' should be defined.
[LOW] Unpinned Actions Full Length Commit SHA: .github/workflows/rust-ci.yml#L23
Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.