PIPEGUARD

CI/CD AND DEVOPS SAFETY SCANNER
╭────────────────── PipeGuard Scan Report ───────────────────╮
│ Scanned path: /path/to/your-project                        │
│ Findings: 9 | Critical: 0 | High: 2 | Medium: 7 | Low: 0   │
╰────────────────────────────────────────────────────────────╯
                                                                                                                                           HIGH                                                                                                                                           
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Rule                             ┃ Category ┃ File                                  ┃ Line ┃ Title                                               ┃ Fix                                                                                                                                 ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ GH_ACTION_JOB_WRITE_PERMISSION   │ cicd     │ .github/workflows/release-tag.yml     │ 24   │ Job grants write token permissions                  │ Scope write permissions to the narrowest token permission and only for trusted jobs                                                 │
│ GH_ACTION_SECRET_IN_PULL_REQUEST │ cicd     │ .github/workflows/python-security.yml │ 120  │ Workflow references secrets in pull request context │ Avoid using secrets in untrusted pull request workflows, move secret-dependent jobs to push, workflow_dispatch, or protected        │
│                                  │          │                                       │      │                                                     │ environments                                                                                                                        │
└──────────────────────────────────┴──────────┴───────────────────────────────────────┴──────┴─────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
                                                                                                                         MEDIUM                                                                                                                          
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Rule                                ┃ Category ┃ File                                      ┃ Line ┃ Title                                       ┃ Fix                                                                                                 ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                 │ 22   │ GitHub Action is not pinned to a commit SHA │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                 │ 25   │ GitHub Action is not pinned to a commit SHA │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                 │ 33   │ GitHub Action is not pinned to a commit SHA │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/aws.yml                 │ 54   │ GitHub Action is not pinned to a commit SHA │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/codebuild-preview.yml   │ 44   │ GitHub Action is not pinned to a commit SHA │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_UNPINNED_ACTION           │ cicd     │ .github/workflows/tag-codebuild-gated.yml │ 150  │ GitHub Action is not pinned to a commit SHA │ Pin third-party GitHub Actions to a full commit SHA to reduce supply-chain risk                     │
│ GH_ACTION_WORKFLOW_WRITE_PERMISSION │ cicd     │ .github/workflows/tag-codebuild-gated.yml │ 33   │ Workflow grants write token permissions     │ Use read-only permissions by default and grant write permissions only to the jobs that require them │
└─────────────────────────────────────┴──────────┴───────────────────────────────────────────┴──────┴─────────────────────────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────┘

