reviewdog skill: audit history

Audit history

reviewdog - 6 audits

Audit version 6

Latest: High risk

Jun 28, 2026, 06:01 AM

Static analysis found many command, network, filesystem, and token patterns. Most are expected for a reviewdog CI integration skill, but the GitLab template includes a confirmed curl-to-shell installer pattern that should be remediated before publication. No prompt injection or confirmed malicious exfiltration intent was found.

Files scanned: 7
Lines analyzed: 2,087
Findings: 11
Auditor: codex

High-risk issues (1)

Remote Installer Piped Directly To Shell
The GitLab CI template downloads the reviewdog install script over the network and executes it directly with sh. This is a real supply chain risk because CI would execute remote script contents without pinning, checksum verification, or review.
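The remediation this finding asks for, shown as an added example rather than the skill's own GitLab template: fetch a pinned release asset to a temporary file, verify its SHA-256 against a value recorded in the repository at review time, and only then install it. The version, the checksum variable and the asset URL are placeholders (assumptions) to be filled in from the reviewdog release you pin; `verify_sha256` is the part a reviewer can exercise offline.

```shell
#!/bin/sh
# Added example, not the skill's GitLab template: replaces a
# `curl ... | sh` installer with a pinned, checksum-verified download.
# Assumptions: REVIEWDOG_VERSION, REVIEWDOG_SHA256 and the asset URL are
# placeholders to be filled from the reviewdog release you choose to pin.
set -eu

# Exact version the pipeline is allowed to install (placeholder value).
REVIEWDOG_VERSION="${REVIEWDOG_VERSION:-0.0.0}"
# SHA-256 of that asset, recorded in the repository at review time so a
# changed artifact fails the build instead of running.
REVIEWDOG_SHA256="${REVIEWDOG_SHA256:-}"

# verify_sha256 FILE EXPECTED_HEX
# Succeeds only when FILE hashes to EXPECTED_HEX (lowercase hex).
# Uses sha256sum (coreutils) or falls back to shasum (macOS/BSD).
verify_sha256() {
  file="$1"; expected="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ "$actual" = "$expected" ]
}

# install_pinned URL EXPECTED_HEX DEST
# Downloads to a temp file, verifies it, and only then installs it.
# The download is never piped into a shell; a mismatch aborts the job.
install_pinned() {
  url="$1"; expected="$2"; dest="$3"
  tmp=$(mktemp)
  # --proto '=https' refuses a redirect to plain http; --fail turns an
  # HTTP error page into a non-zero exit instead of an "installer".
  curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
       --output "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$expected"; then
    rm -f "$tmp"
    echo "checksum mismatch for $url; refusing to install" >&2
    return 1
  fi
  # If the pinned asset is an archive, extract it here after verification
  # rather than installing the archive itself.
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Use from a .gitlab-ci.yml `script:` step (URL is a placeholder):
#   install_pinned "https://example.invalid/reviewdog_${REVIEWDOG_VERSION}_linux_amd64" \
#       "$REVIEWDOG_SHA256" /usr/local/bin/reviewdog
```

The checksum must come from the repository (or a CI variable that only maintainers can change), not from the same server as the download; a checksum fetched alongside the binary proves nothing if that server is the thing you distrust.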
Medium-risk issues (2)
Repository Token Use Requires Least Privilege Controls
The GitHub Actions examples pass repository tokens to reviewdog so it can post pull request comments and checks. This is legitimate for reviewdog, but users must keep permissions minimal and avoid exposing tokens to untrusted pull request code.
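An added check for the least-privilege point, not part of the skill: a small shell lint that flags a workflow with no top-level `permissions:` block (the token then keeps the repository default), a `write-all` grant, or a `pull_request_target` trigger that checks out the pull request head (which runs the contributor's code with the base repository's token). The two sample workflows it writes are constructed for this example; the scopes in the hardened one (`contents: read`, `pull-requests: write`, `checks: write`) assume reviewdog only needs to post PR reviews and checks, and `some-scanner` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the skill): a grep-based lint for GitHub Actions
# workflows that hand GITHUB_TOKEN to reviewdog. It is a pre-review check,
# not a YAML parser; keep it alongside, not instead of, a human review.
set -eu

# audit_workflow FILE
# Prints one line per finding; returns 1 if anything was flagged.
audit_workflow() {
  wf="$1"; rc=0
  # 1. No top-level permissions block: the job keeps the repository's
  #    default token grant, which may be read/write on every scope.
  if ! grep -Eq '^permissions:' "$wf"; then
    echo "$wf: no top-level 'permissions:' block; token uses repo default"
    rc=1
  fi
  # 2. write-all hands reviewdog far more than posting comments needs.
  if grep -Eq '^[[:space:]]*permissions:[[:space:]]*write-all' "$wf"; then
    echo "$wf: 'permissions: write-all' grants every scope"
    rc=1
  fi
  # 3. pull_request_target runs in the base repo with a write token;
  #    checking out the PR head there runs untrusted code with that token.
  if grep -Eq '^[[:space:]]*pull_request_target' "$wf" &&
     grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)' "$wf"; then
    echo "$wf: pull_request_target plus checkout of PR head exposes the token to untrusted code"
    rc=1
  fi
  return $rc
}

# write_weak_workflow PATH
# Constructed sample: default token grant, runs PR head under pull_request_target.
write_weak_workflow() {
  cat > "$1" <<'EOF'
name: reviewdog
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: reviewdog/action-setup@v1
      - run: |
          some-scanner . | reviewdog -efm="%f:%l:%c: %m" -reporter=github-pr-review
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
}

# write_hardened_workflow PATH
# Constructed sample: explicit minimal scopes, plain pull_request trigger,
# so the token reviewdog receives cannot push code or touch other scopes.
write_hardened_workflow() {
  cat > "$1" <<'EOF'
name: reviewdog
on:
  pull_request:
permissions:
  contents: read
  pull-requests: write
  checks: write
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-setup@v1
      - run: |
          some-scanner . | reviewdog -efm="%f:%l:%c: %m" -reporter=github-pr-review
        env:
          REVIEWDOG_GITHUB_API_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
}
```

Run `audit_workflow .github/workflows/reviewdog.yml` in a pre-commit hook or a CI lint job; a non-zero exit is the signal to look at the file before the token-bearing job ever runs on an external contribution.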
Shell-Based Scanner Pipelines Run In User Repositories
The skill provides shell pipelines that run scanners and pass results to reviewdog. This matches the skill purpose, but users should review scanner arguments, pinned tool versions, and file write locations before adopting the templates.
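For the three review points above (arguments, pinned versions, write locations), an added wrapper that is not the skill's own pipeline: it refuses to run a scanner whose installed version differs from the pinned one, captures the report into a fresh private directory outside the repository tree, and hands that file to reviewdog in a separate step. The scanner name, its `--version` output format, the finding format in `-efm`, and the constructed `fakescan` stand-in used to exercise it offline are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the skill's template): version-pinned, output-confined
# scanner wrapper for a reviewdog pipeline. Assumes the scanner answers
# `--version` with an x.y.z token and prints "file:line:col: message".
set -eu

# installed_version CMD
# Prints the first x.y.z-looking token from `CMD --version`, or nothing.
installed_version() {
  "$1" --version 2>&1 | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# require_version CMD EXPECTED
# Returns 1 (with a message) when the installed version is not the pinned one,
# so a silently upgraded scanner in the CI image cannot change results.
require_version() {
  cmd="$1"; expected="$2"
  got=$(installed_version "$cmd" || true)
  if [ "$got" != "$expected" ]; then
    echo "$cmd: installed version '${got:-unknown}' != pinned '$expected'" >&2
    return 1
  fi
}

# new_report_dir
# A private (0700) scratch directory: reports never land in the checkout,
# where a later step could commit, cache or publish them.
new_report_dir() {
  d=$(mktemp -d)
  chmod 0700 "$d"
  echo "$d"
}

# run_pinned_scanner CMD EXPECTED_VERSION REPORT -- ARGS...
# Runs CMD ARGS... with stdout captured to REPORT, only after the version
# check passes. Arguments are passed as an array, never via eval or a
# string, so a crafted path in ARGS cannot become a second command.
run_pinned_scanner() {
  cmd="$1"; expected="$2"; report="$3"; shift 3
  if [ "${1:-}" = "--" ]; then shift; fi
  require_version "$cmd" "$expected" || return 1
  "$cmd" "$@" > "$report"
}

# post_report REPORT
# Hands the captured report to reviewdog. Assumes reviewdog is on PATH;
# adjust -efm to the scanner's real output format.
post_report() {
  reviewdog -efm="%f:%l:%c: %m" -reporter=github-pr-review < "$1"
}

# make_fake_scanner PATH VERSION
# Constructed stand-in for a real scanner, used only to exercise the wrapper
# offline: it answers --version and otherwise prints one finding line.
make_fake_scanner() {
  cat > "$1" <<EOF
#!/bin/sh
case "\${1:-}" in
  --version) echo "fakescan version $2" ;;
  *) echo "app.py:10:5: B602 subprocess call with shell=True" ;;
esac
EOF
  chmod 0755 "$1"
}
```

The version check is deliberately an equality test, not a minimum: a CI image that quietly moves to a newer scanner changes which findings appear, and a pipeline that posts to pull requests should change behaviour only through a reviewed commit.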
Low-risk issues (3)
Security Keyword Findings Are Documentation Examples
Static analysis flagged weak cryptography, eval, private key, and command injection terms in reference material. These references describe vulnerability classes and scanner coverage, not instructions to perform unsafe actions.
Hardcoded URLs Point To Public Documentation And Tool Sources
The hardcoded URL findings are mainly public project, documentation, and pre-commit repository URLs. They do not show data exfiltration endpoints or suspicious callback behavior.
Filesystem Access Is Normal Scanner Input And Artifact Handling
Filesystem detections mostly reflect scanner access to repository files, Docker volume mounts, and temporary report files. This behavior is expected for SAST, secret scanning, and linter integrations.

Risk factors

Filesystem access (23)
Environment variables (17)
Network access (29)
Contains scripts (2)
External commands (219)
references/cwe_mapping.md:48-57 references/cwe_mapping.md:57-97 references/cwe_mapping.md:97-99 references/cwe_mapping.md:99-117 references/cwe_mapping.md:117-119 references/cwe_mapping.md:119-134 references/cwe_mapping.md:134-141 references/cwe_mapping.md:141-156 references/cwe_mapping.md:156-158 references/cwe_mapping.md:158-169 references/cwe_mapping.md:169-171 references/cwe_mapping.md:171-226 references/cwe_mapping.md:226-229 references/cwe_mapping.md:229-246 references/cwe_mapping.md:246-249 references/cwe_mapping.md:249-265 references/cwe_mapping.md:265-268 references/cwe_mapping.md:268-280 references/cwe_mapping.md:280-283 references/cwe_mapping.md:283-289 references/cwe_mapping.md:289-339 references/reporter_formats.md:22 references/reporter_formats.md:23 references/reporter_formats.md:24 references/reporter_formats.md:25 references/reporter_formats.md:26 references/reporter_formats.md:27 references/reporter_formats.md:28 references/reporter_formats.md:29 references/reporter_formats.md:38-40 references/reporter_formats.md:40-43 references/reporter_formats.md:43-47 references/reporter_formats.md:47-50 references/reporter_formats.md:50-51 references/reporter_formats.md:51-59 references/reporter_formats.md:59-65 references/reporter_formats.md:65-71 references/reporter_formats.md:71-74 references/reporter_formats.md:74-76 references/reporter_formats.md:76-90 references/reporter_formats.md:90-92 references/reporter_formats.md:92-95 references/reporter_formats.md:95-96 references/reporter_formats.md:96-105 references/reporter_formats.md:105-114 references/reporter_formats.md:114-117 references/reporter_formats.md:117-121 references/reporter_formats.md:121-132 references/reporter_formats.md:132-134 references/reporter_formats.md:134-137 references/reporter_formats.md:137-142 references/reporter_formats.md:142-145 references/reporter_formats.md:145-154 references/reporter_formats.md:154-162 references/reporter_formats.md:162-171 
references/reporter_formats.md:171-173 references/reporter_formats.md:173-189 references/reporter_formats.md:189-191 references/reporter_formats.md:191-194 references/reporter_formats.md:194-197 references/reporter_formats.md:197-206 references/reporter_formats.md:206-209 references/reporter_formats.md:209-218 references/reporter_formats.md:218-220 references/reporter_formats.md:220-223 references/reporter_formats.md:223-226 references/reporter_formats.md:226-235 references/reporter_formats.md:235-237 references/reporter_formats.md:237-240 references/reporter_formats.md:240-246 references/reporter_formats.md:246-258 references/reporter_formats.md:258-259 references/reporter_formats.md:259-260 references/reporter_formats.md:260-261 references/reporter_formats.md:261-262 references/reporter_formats.md:262-263 references/reporter_formats.md:263-264 references/reporter_formats.md:264-265 references/reporter_formats.md:265-266 references/reporter_formats.md:266-267 references/reporter_formats.md:267-268 references/reporter_formats.md:268-269 references/reporter_formats.md:269-275 references/reporter_formats.md:275-310 references/reporter_formats.md:310-313 references/reporter_formats.md:313-314 references/reporter_formats.md:314-315 references/reporter_formats.md:315-318 references/reporter_formats.md:318-320 references/reporter_formats.md:320-330 references/reporter_formats.md:330-343 references/reporter_formats.md:343-351 references/reporter_formats.md:351-373 references/reporter_formats.md:373-379 references/reporter_formats.md:379-425 references/reporter_formats.md:425-442 references/reporter_formats.md:442-448 references/reporter_formats.md:331 references/supported_tools.md:20-22 references/supported_tools.md:22-25 references/supported_tools.md:25-27 references/supported_tools.md:27-30 references/supported_tools.md:30-39 references/supported_tools.md:39-50 references/supported_tools.md:50-52 references/supported_tools.md:52-55 references/supported_tools.md:55-57 
references/supported_tools.md:57-60 references/supported_tools.md:60-71 references/supported_tools.md:71-82 references/supported_tools.md:82-84 references/supported_tools.md:84-87 references/supported_tools.md:87-89 references/supported_tools.md:89-92 references/supported_tools.md:92-102 references/supported_tools.md:102-115 references/supported_tools.md:115-121 references/supported_tools.md:121-124 references/supported_tools.md:124-126 references/supported_tools.md:126-129 references/supported_tools.md:129-137 references/supported_tools.md:137-148 references/supported_tools.md:148-150 references/supported_tools.md:150-153 references/supported_tools.md:153-155 references/supported_tools.md:155-168 references/supported_tools.md:168-170 references/supported_tools.md:170-173 references/supported_tools.md:173-175 references/supported_tools.md:175-178 references/supported_tools.md:178-181 references/supported_tools.md:181-192 references/supported_tools.md:192-194 references/supported_tools.md:194-197 references/supported_tools.md:197-199 references/supported_tools.md:199-210 references/supported_tools.md:210-212 references/supported_tools.md:212-215 references/supported_tools.md:215-217 references/supported_tools.md:217-230 references/supported_tools.md:230-232 references/supported_tools.md:232-235 references/supported_tools.md:235-237 references/supported_tools.md:237-254 references/supported_tools.md:254-256 references/supported_tools.md:256-259 references/supported_tools.md:259-261 references/supported_tools.md:261-264 references/supported_tools.md:264-273 references/supported_tools.md:273-286 references/supported_tools.md:286-288 references/supported_tools.md:288-291 references/supported_tools.md:291-293 references/supported_tools.md:293-309 references/supported_tools.md:309-311 references/supported_tools.md:311-314 references/supported_tools.md:314-316 references/supported_tools.md:316-325 references/supported_tools.md:325-327 references/supported_tools.md:327-330 
references/supported_tools.md:330-332 references/supported_tools.md:332-342 references/supported_tools.md:342-374 references/supported_tools.md:374-377 references/supported_tools.md:377-379 references/supported_tools.md:379-417 references/supported_tools.md:417-440 references/supported_tools.md:440-443 references/supported_tools.md:443-445 SKILL.md:45-54 SKILL.md:54-58 SKILL.md:58-66 SKILL.md:66-74 SKILL.md:74-83 SKILL.md:83-101 SKILL.md:101-125 SKILL.md:125-128 SKILL.md:128-139 SKILL.md:139-145 SKILL.md:145-157 SKILL.md:157-178 SKILL.md:178-191 SKILL.md:191-192 SKILL.md:192-197 SKILL.md:197-199 SKILL.md:199-200 SKILL.md:200-202 SKILL.md:202-204 SKILL.md:204-205 SKILL.md:205-206 SKILL.md:206-208 SKILL.md:208-210 SKILL.md:210-211 SKILL.md:211-212 SKILL.md:212-213 SKILL.md:213-221 SKILL.md:221-235 SKILL.md:235-241 SKILL.md:241-251 SKILL.md:251-257 SKILL.md:257-263 SKILL.md:263-269 SKILL.md:269-277 SKILL.md:277-312 SKILL.md:312 SKILL.md:312-313 SKILL.md:313 SKILL.md:313-320 SKILL.md:320-321 SKILL.md:321-322 SKILL.md:322-328 SKILL.md:328-337 SKILL.md:337-339 SKILL.md:339-343 SKILL.md:343-345 SKILL.md:345-364 SKILL.md:364-370 SKILL.md:370-377 SKILL.md:222

Detected patterns

Remote Installer Piped Directly To Shell

Audit version 5

Safe

Jan 16, 2026, 03:58 PM

Documentation-only skill containing CI/CD templates and reference materials for reviewdog security integration. All static findings are false positives from legitimate DevSecOps documentation. The skill describes running security scanners (Semgrep, Bandit, Gitleaks) and posting results to PRs - this is standard, documented CI/CD behavior using properly secured token management via GitHub/GitLab secrets.

Files scanned: 8
Lines analyzed: 2,348
Findings: 2
Auditor: claude
No security issues found

Audit version 4

Safe

Jan 16, 2026, 03:58 PM

Documentation-only skill containing CI/CD templates and reference materials for reviewdog security integration. All static findings are false positives from legitimate DevSecOps documentation. The skill describes running security scanners (Semgrep, Bandit, Gitleaks) and posting results to PRs - this is standard, documented CI/CD behavior using properly secured token management via GitHub/GitLab secrets.

Files scanned: 8
Lines analyzed: 2,348
Findings: 2
Auditor: claude
No security issues found

Audit version 3

Safe

Jan 10, 2026, 10:55 AM

Documentation and configuration-only skill. Contains YAML templates and reference docs for integrating reviewdog security scanning. No executable scripts present. All described functionality is legitimate DevSecOps tooling.

Files scanned: 8
Lines analyzed: 3,457
Findings: 2
Auditor: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:55 AM

Documentation and configuration-only skill. Contains YAML templates and reference docs for integrating reviewdog security scanning. No executable scripts present. All described functionality is legitimate DevSecOps tooling.

Files scanned: 8
Lines analyzed: 3,457
Findings: 2
Auditor: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:55 AM

Documentation and configuration-only skill. Contains YAML templates and reference docs for integrating reviewdog security scanning. No executable scripts present. All described functionality is legitimate DevSecOps tooling.

Files scanned: 8
Lines analyzed: 3,457
Findings: 2
Auditor: claude
No security issues found
