██████╗ ██╗██████╗ ███████╗ ██████╗ ██╗   ██╗ █████╗ ██████╗ ██████╗
██╔══██╗██║██╔══██╗██╔════╝██╔════╝ ██║   ██║██╔══██╗██╔══██╗██╔══██╗
██████╔╝██║██████╔╝█████╗  ██║  ███╗██║   ██║███████║██████╔╝██║  ██║
██╔═══╝ ██║██╔═══╝ ██╔══╝  ██║   ██║██║   ██║██╔══██║██╔══██╗██║  ██║
██║     ██║██║     ███████╗╚██████╔╝╚██████╔╝██║  ██║██║  ██║██████╔╝
╚═╝     ╚═╝╚═╝     ╚══════╝ ╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚═════╝

 ██████╗██╗    ██╗ ██████╗██████╗      █████╗ ███╗   ██╗██████╗     ██████╗ ███████╗██╗   ██╗ ██████╗ ██████╗ ███████╗    ███████╗ █████╗ ███████╗███████╗████████╗██╗   ██╗    ███████╗ ██████╗ █████╗ ███╗   ██╗███╗   ██╗███████╗██████╗
██╔════╝██║   ██╔╝██╔════╝██╔══██╗    ██╔══██╗████╗  ██║██╔══██╗    ██╔══██╗██╔════╝██║   ██║██╔═══██╗██╔══██╗██╔════╝    ██╔════╝██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚██╗ ██╔╝    ██╔════╝██╔════╝██╔══██╗████╗  ██║████╗  ██║██╔════╝██╔══██╗
██║     ██║  ██╔╝ ██║     ██║  ██║    ███████║██╔██╗ ██║██║  ██║    ██║  ██║█████╗  ██║   ██║██║   ██║██████╔╝███████╗    ███████╗███████║█████╗  █████╗     ██║    ╚████╔╝     ███████╗██║     ███████║██╔██╗ ██║██╔██╗ ██║█████╗  ██████╔╝
██║     ██║ ██╔╝  ██║     ██║  ██║    ██╔══██║██║╚██╗██║██║  ██║    ██║  ██║██╔══╝  ╚██╗ ██╔╝██║   ██║██╔═══╝ ╚════██║    ╚════██║██╔══██║██╔══╝  ██╔══╝     ██║     ╚██╔╝      ╚════██║██║     ██╔══██║██║╚██╗██║██║╚██╗██║██╔══╝  ██╔══██╗
╚██████╗██║██╔╝   ╚██████╗██████╔╝    ██║  ██║██║ ╚████║██████╔╝    ██████╔╝███████╗ ╚████╔╝ ╚██████╔╝██║     ███████║    ███████║██║  ██║██║     ███████╗   ██║      ██║       ███████║╚██████╗██║  ██║██║ ╚████║██║ ╚████║███████╗██║  ██║
 ╚═════╝╚═╝╚═╝     ╚═════╝╚═════╝     ╚═╝  ╚═╝╚═╝  ╚═══╝╚═════╝     ╚═════╝ ╚══════╝  ╚═══╝   ╚═════╝ ╚═╝     ╚══════╝    ╚══════╝╚═╝  ╚═╝╚═╝     ╚══════╝   ╚═╝      ╚═╝       ╚══════╝ ╚═════╝╚═╝  ╚═╝╚═╝  ╚═══╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝
track Scanning GitHub Actions workflows
track Scanning Dockerfiles
track Scanning repository health
track Scanning committed secret patterns
track Scanning dependency vulnerabilities
track Collecting Python dependency manifests
track Preparing isolated pip-audit virtual environments
track Virtualenv isolation unavailable, using temporary target directories
track Installing pip-audit into temporary tools directory
track Installing target dependencies from requirements.txt
track Installing target dependencies from requirements.txt
track Installing scanned project into temporary target directory
track Project install failed, continuing with installed requirements
track Running pip-audit against temporary target directory
track Parsing pip-audit advisory results
track Checking Dockerfile package installs
track Scan complete
  Scan complete ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:56
╭──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── PipeGuard Scan Report ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Scanned path: /path/to/your-project                                                                                                                                                                                                                  │
│ Findings: 132 | Critical: 61 | High: 30 | Medium: 9 | Low: 32                                                                                                                                                                                                                          │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
                                                                                                                                         CRITICAL                                                                                                                                         
┏━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Rule                  ┃ Category ┃ File                                                                                                   ┃ Line ┃ Title                                  ┃ Fix                                                                                        ┃
┡━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/boto3/examples/cloudfront.rst                            │ 25   │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 130  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 280  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 305  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 847  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 870  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 876  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 1403 │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/sts/2011-06-15/examples-1.json             │ 36   │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/sts/2011-06-15/examples-1.json             │ 108  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/sts/2011-06-15/examples-1.json             │ 154  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/sts/2011-06-15/examples-1.json             │ 172  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/sts/2011-06-15/examples-1.json             │ 222  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_AWS_ACCESS_KEY │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/sts/2011-06-15/examples-1.json             │ 253  │ AWS access key appears to be committed │ Rotate the credential, remove it from git history, and use short-lived IAM credentials     │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/badcert.pem                        │ 1    │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/badcert.pem                        │ 19   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/badkey.pem                         │ 1    │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/badkey.pem                         │ 21   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/keycert.passwd.pem                 │ 1    │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/keycert.pem                        │ 1    │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/ssl_key.pem                        │ 1    │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/keycert2.pem                       │ 1    │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/future/backports/test/ssl_key.passwd.pem                 │ 1    │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/botocore/data/iam/2010-05-08/examples-1.json             │ 1526 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/google/oauth2/gdch_credentials.py                        │ 50   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/google/auth/transport/_mtls_helper.py                    │ 37   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/google/auth/transport/_mtls_helper.py                    │ 38   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/google/auth/transport/_mtls_helper.py                    │ 39   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/google/auth/transport/_mtls_helper.py                    │ 40   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/google/auth/crypt/_python_rsa.py                         │ 39   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/google/auth/crypt/_python_rsa.py                         │ 40   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/googleapiclient/discovery_cache/documents/appengine.v1b… │ 3369 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/googleapiclient/discovery_cache/documents/appengine.v1a… │ 1584 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/googleapiclient/discovery_cache/documents/appengine.v1.… │ 3140 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/cryptography/hazmat/primitives/serialization/ssh.py      │ 78   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/Cipher/test_pkcs1_15.py                  │ 71   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/Signature/test_pss.py                    │ 65   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/Signature/test_pkcs1_15.py               │ 152  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 190  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1123 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1130 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1378 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1385 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1668 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1674 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1957 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 1965 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 2256 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_ECC.py             │ 2265 │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_RSA.py             │ 81   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_RSA.py             │ 92   │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_RSA.py             │ 108  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_RSA.py             │ 122  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_DSA.py             │ 146  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_DSA.py             │ 208  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_DSA.py             │ 256  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/PublicKey/test_import_DSA.py             │ 296  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/Protocol/test_ecdh.py                    │ 154  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/Protocol/test_ecdh.py                    │ 155  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/Protocol/test_ecdh.py                    │ 157  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
│ SECRET_PRIVATE_KEY    │ secrets  │ .security-target/lib/python3.12/site-packages/Crypto/SelfTest/Protocol/test_ecdh.py                    │ 159  │ Private key appears to be committed    │ Remove the key from the repository, rotate it, and load private keys from a secret manager │
└───────────────────────┴──────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────┴──────┴────────────────────────────────────────┴────────────────────────────────────────────────────────────────────────────────────────────┘
                                                                                                                                           HIGH                                                                                                                                           
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Rule                             ┃ Category ┃ File                                  ┃ Line ┃ Title                                                   ┃ Fix                                                                                                                             ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ GH_ACTION_JOB_WRITE_PERMISSION   │ cicd     │ .github/workflows/release-tag.yml     │ 24   │ Job grants write token permissions                      │ Scope write permissions to the narrowest token permission and only for trusted jobs                                             │
│ GH_ACTION_SECRET_IN_PULL_REQUEST │ cicd     │ .github/workflows/python-security.yml │ 120  │ Workflow references secrets in pull request context     │ Avoid using secrets in untrusted pull request workflows, move secret-dependent jobs to push, workflow_dispatch, or protected    │
│                                  │          │                                       │      │                                                         │ environments                                                                                                                    │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ .                                     │ -    │ Python package has known vulnerability PYSEC-2022-42986 │ Upgrade certifi to one of the fixed versions: 2022.12.7                                                                         │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ .                                     │ -    │ Python package has known vulnerability PYSEC-2023-135   │ Upgrade certifi to one of the fixed versions: 2023.7.22                                                                         │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ .                                     │ -    │ Python package has known vulnerability PYSEC-2023-135   │ Upgrade certifi to one of the fixed versions: 2023.7.22                                                                         │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ .                                     │ -    │ Python package has known vulnerability PYSEC-2024-230   │ Upgrade certifi to one of the fixed versions: 2024.7.4                                                                          │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ .                                     │ -    │ Python package has known vulnerability PYSEC-2024-230   │ Upgrade certifi to one of the fixed versions: 2024.7.4                                                                          │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 26   │ Python package has known vulnerability PYSEC-2022-42991 │ Upgrade future to one of the fixed versions: 0.18.3                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 10   │ Python package has known vulnerability CVE-2026-41066   │ Upgrade lxml to one of the fixed versions: 6.1.0                                                                                │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 20   │ Python package has known vulnerability CVE-2026-25990   │ Upgrade pillow to one of the fixed versions: 12.1.1                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 20   │ Python package has known vulnerability CVE-2026-40192   │ Upgrade pillow to one of the fixed versions: 12.2.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 20   │ Python package has known vulnerability CVE-2026-42308   │ Upgrade pillow to one of the fixed versions: 12.2.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 20   │ Python package has known vulnerability CVE-2026-42309   │ Upgrade pillow to one of the fixed versions: 12.2.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 20   │ Python package has known vulnerability CVE-2026-42310   │ Upgrade pillow to one of the fixed versions: 12.2.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 20   │ Python package has known vulnerability CVE-2026-42311   │ Upgrade pillow to one of the fixed versions: 12.2.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 40   │ Python package has known vulnerability CVE-2024-3772    │ Upgrade pydantic to one of the fixed versions: 1.10.13, 2.4.0                                                                   │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 16   │ Python package has known vulnerability CVE-2026-25645   │ Upgrade requests to one of the fixed versions: 2.33.0                                                                           │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 17   │ Python package has known vulnerability PYSEC-2023-206   │ Upgrade selenium to one of the fixed versions: 4.14.0                                                                           │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 17   │ Python package has known vulnerability PYSEC-2022-43167 │ Upgrade selenium to one of the fixed versions: 4.0.0                                                                            │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability PYSEC-2023-192   │ Upgrade urllib3 to one of the fixed versions: 1.26.17, 2.0.6                                                                    │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability PYSEC-2023-192   │ Upgrade urllib3 to one of the fixed versions: 1.26.17, 2.0.6                                                                    │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability PYSEC-2023-212   │ Upgrade urllib3 to one of the fixed versions: 1.26.18, 2.0.7                                                                    │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability PYSEC-2023-212   │ Upgrade urllib3 to one of the fixed versions: 1.26.18, 2.0.7                                                                    │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability CVE-2024-37891   │ Upgrade urllib3 to one of the fixed versions: 1.26.19, 2.2.2                                                                    │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability CVE-2025-50181   │ Upgrade urllib3 to one of the fixed versions: 2.5.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability CVE-2025-66418   │ Upgrade urllib3 to one of the fixed versions: 2.6.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability CVE-2025-66471   │ Upgrade urllib3 to one of the fixed versions: 2.6.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability CVE-2026-21441   │ Upgrade urllib3 to one of the fixed versions: 2.6.3                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 18   │ Python package has known vulnerability CVE-2026-44431   │ Upgrade urllib3 to one of the fixed versions: 2.7.0                                                                             │
│ VULN_PYTHON_PACKAGE_VULNERABLE   │ vuln     │ requirements.txt                      │ 28   │ Python package has known vulnerability CVE-2025-68616   │ Upgrade weasyprint to one of the fixed versions: 68.0                                                                           │
└──────────────────────────────────┴──────────┴───────────────────────────────────────┴──────┴─────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
                                                                                                                                 MEDIUM                                                                                                                                  
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Rule                                ┃ Category ┃ File                                                  ┃ Line ┃ Title                                           ┃ Fix                                                                                                 ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                             │ 22   │ GitHub Action is not pinned to a commit SHA     │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                             │ 25   │ GitHub Action is not pinned to a commit SHA     │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                             │ 33   │ GitHub Action is not pinned to a commit SHA     │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                             │ 54   │ GitHub Action is not pinned to a commit SHA     │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/codebuild-preview.yml               │ 44   │ GitHub Action is not pinned to a commit SHA     │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/tag-codebuild-gated.yml             │ 150  │ GitHub Action is not pinned to a commit SHA     │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_WORKFLOW_WRITE_PERMISSION │ cicd     │ .github/workflows/tag-codebuild-gated.yml             │ 33   │ Workflow grants write token permissions         │ Use read-only permissions by default and grant write permissions only to the jobs that require them │
│ DOCKER_LATEST_TAG                   │ docker   │ side-jobs/delete-junk-provider-redis-queue/Dockerfile │ 1    │ Docker image uses latest or implicit latest tag │ Pin the base image to a specific version or digest                                                  │
│ DOCKER_RUNNING_AS_ROOT              │ docker   │ side-jobs/delete-junk-provider-redis-queue/Dockerfile │ -    │ Dockerfile does not switch to a non-root user   │ Create a dedicated non-root user and add USER appuser near the end of the Dockerfile                │
└─────────────────────────────────────┴──────────┴───────────────────────────────────────────────────────┴──────┴─────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────┘
                                                                                                                                           LOW                                                                                                                                            
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Rule                       ┃ Category ┃ File                                                                                         ┃ Line ┃ Title                                    ┃ Fix                                                                                           ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ DOCKER_MISSING_HEALTHCHECK │ docker   │ side-jobs/delete-junk-provider-redis-queue/Dockerfile                                        │ -    │ Dockerfile does not define a healthcheck │ Add a HEALTHCHECK instruction or configure health checks in your orchestrator                 │
│ REPO_LARGE_FILE            │ repo     │ swagger-codegen/swagger-codegen-cli.jar                                                      │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ targets/cyber/geckodriver                                                                    │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/bin/python                                                                  │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/bin/python3.12                                                              │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/bin/python3                                                                 │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/lib/python3.12/site-packages/lxml/etree.cpython-312-x86_64-linux-gnu.so     │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/lib/python3.12/site-packages/numpy.libs/libscipy_openblas64_-32a4b2a6.so    │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/lib/python3.12/site-packages/random_user_agent/data/user_agents.zip         │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/lib/python3.12/site-packages/numpy/_core/_multiarray_umath.cpython-312-x86… │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/lib/python3.12/site-packages/googleapiclient/discovery_cache/documents/com… │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-target/lib/python3.12/site-packages/cryptography/hazmat/bindings/_rust.abi3.so     │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-tools/bin/python                                                                   │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-tools/bin/python3.10                                                               │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-tools/bin/python3.12                                                               │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_LARGE_FILE            │ repo     │ .security-tools/bin/python3                                                                  │ -    │ Large file found in repository           │ Move large assets to object storage, Git LFS, or release artifacts if appropriate             │
│ REPO_MISSING_ENV_EXAMPLE   │ repo     │ .                                                                                            │ -    │ Repository is missing .env.example       │ Add .env.example with safe placeholder values for required configuration                      │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 2    │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 7    │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 8    │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 9    │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 11   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 12   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 29   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 41   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 43   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 45   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 46   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 47   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 48   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 50   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
│ REPO_REQUIREMENTS_UNPINNED │ repo     │ requirements.txt                                                                             │ 51   │ Python dependency is not fully pinned    │ Pin dependencies for reproducible builds, or use a lockfile generated by uv, pip-tools,       │
│                            │          │                                                                                              │      │                                          │ Poetry, or PDM                                                                                │
└────────────────────────────┴──────────┴──────────────────────────────────────────────────────────────────────────────────────────────┴──────┴──────────────────────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────┘
