Skip to main content
Run any Skill in Manus
with one click

cicd-and-pipeline-injection

Stars2
Forks1
UpdatedJuly 9, 2026 at 12:42

SAST detection methodology for CI/CD and pipeline injection (CWE-94, CWE-78), covering GitHub Actions script injection via ${{ github.event.* }} in run: steps, pull_request_target checkout of untrusted PR head with secrets, self-hosted runner and cache poisoning, over-privileged GITHUB_TOKEN, unpinned third-party actions, forked-PR secret exfiltration, GitLab CI / Jenkinsfile injection, and insecure OIDC trust policies. Use when reviewing .github/workflows/*.yml, .gitlab-ci.yml, or Jenkinsfile. Writes confirmed findings to findings/35-cicd-and-pipeline-injection.md.

Installation

Install with Codex or Claude Copy this prompt, paste it into Codex, Claude, or another assistant, and let it review the skill page and install it for you.

SKILL.md
readonly