Pwn request (pull_request_target checkout of fork head) | T1195.001 | CWE-269 | references/pipeline-poisoning.md | scripts/workflow_auditor.py |
Script injection (${{ github.event.* }} into run:) | T1059 | CWE-94 | references/pipeline-poisoning.md | scripts/workflow_auditor.py |
| Direct / Indirect PPE (workflow or build-file modification) | T1195.001 | CWE-913 | references/pipeline-poisoning.md | scripts/workflow_auditor.py |
GitLab .gitlab-ci.yml poisoning / pipeline-as-user (CVE-2024-6678) | T1648 | CWE-863 | references/pipeline-poisoning.md | scripts/workflow_auditor.py |
| Compromised Action via mutable tag (CVE-2025-30066 tj-actions) | T1195.001 | CWE-494 | references/action-dependency-compromise.md | scripts/malicious_action_scanner.py |
| Transitive Action compromise (CVE-2025-30154 reviewdog) | T1195.001 | CWE-1357 | references/action-dependency-compromise.md | scripts/malicious_action_scanner.py |
| Actions cache poisoning (cross-workflow escalation) | T1525 | CWE-349 | references/action-dependency-compromise.md | scripts/malicious_action_scanner.py |
| Dependency confusion (internal name on public registry) | T1195.002 | CWE-427 | references/package-registry-attacks.md | scripts/dependency_confusion.py |
| Typo / slopsquatting + malicious install hook | T1195.002 | CWE-829 | references/package-registry-attacks.md | scripts/dependency_confusion.py |
| Self-replicating registry worm (Shai-Hulud npm) | T1195.002 | CWE-829 | references/package-registry-attacks.md | scripts/malicious_action_scanner.py |
| Self-hosted / non-ephemeral runner abuse & backdoor | T1199 | CWE-668 | references/runner-attacks.md | scripts/runner_recon.sh |
Jenkins Script Console RCE (/script, CVE-2024-23897) | T1648 | CWE-306 | references/runner-attacks.md | scripts/runner_recon.sh |
CI secret exfiltration (toJSON(secrets), GhostAction) | T1552.004 | CWE-522 | references/secrets-oidc-abuse.md | scripts/oidc_trust_auditor.py |
OIDC trust-policy abuse (missing/* sub, wrong org wildcard) | T1078.004 | CWE-1390 | references/secrets-oidc-abuse.md | scripts/oidc_trust_auditor.py |
| Build provenance / signing gate validation (defense) | T1195 | CWE-347 | references/build-integrity-defense.md | scripts/provenance_verify.sh |