Skill sbom-syft audit history

Audit history

sbom-syft - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 06:14 AM

Static analysis reported many command, network, environment, filesystem, and script patterns. Review found no malicious intent or prompt injection; most findings are documentation examples or CI templates. Two template patterns remain risky if copied into production without hardening: remote script execution through curl to bash and plaintext registry credential examples.

Files scanned: 5
Lines analyzed: 2,012
Findings: 10
Auditor: codex
Medium-risk issues (2)

Remote Installer Piped to Shell in CI Template
The CI template downloads a tfsec install script from a remote URL and pipes it directly to bash. This appears to be a legitimate IaC scanning example, but it creates supply chain execution risk if users copy it without version pinning or integrity verification.

Plaintext Registry Credential Example
The Syft configuration example shows registry authentication with username and password fields in a .syft.yaml file. The values are placeholders, not real secrets, but users could copy the pattern into a committed repository and expose registry credentials.
Low-risk issues (3)

Static Command Findings Are Mostly Tutorial Commands
Most external command findings are markdown examples for running Syft, Docker, Grype, cosign, jq, or CI scanners. They are not hidden execution logic inside the skill runtime, but users should still review commands before running them.

Vulnerable Code Snippets Are Intentional Examples
Script, secret, weak cryptography, C2 keyword, and injection findings in rule and reference files are intentional vulnerable examples or framework mappings. They support security education and rule templates rather than operational malicious behavior.

GitHub Token Access Is Scoped to a Secrets Scanner Action
The GitHub token pattern appears in a Gitleaks CI action environment block. It uses GitHub Actions secrets syntax for a scanner integration and is not a hardcoded credential in the repository.

Detected patterns

Pipe to Shell Installation Pattern
Plaintext Credential Configuration Pattern

Audit version 5

Safe

Jan 16, 2026, 04:08 PM

Documentation-only skill providing SBOM generation guidance using the Syft CLI tool. No executable code exists in this skill. The static scanner flagged patterns within markdown documentation and YAML templates containing example commands, CI/CD workflows, and security rule templates. All findings are false positives, since this skill only contains documentation and templates for legitimate supply chain security workflows.

Files scanned: 6
Lines analyzed: 2,228
Findings: 5
Auditor: claude
No security issues found

Risk factors

⚙️ External commands (110)
assets/ci-config-template.yml:298 assets/ci-config-template.yml:301 assets/ci-config-template.yml:304 assets/ci-config-template.yml:307 assets/ci-config-template.yml:310 assets/ci-config-template.yml:134 assets/ci-config-template.yml:250 assets/ci-config-template.yml:291 references/EXAMPLE.md:54-74 references/EXAMPLE.md:74-95 references/EXAMPLE.md:95-108 references/EXAMPLE.md:108-111 references/EXAMPLE.md:111-118 references/EXAMPLE.md:118-122 references/EXAMPLE.md:122-129 references/EXAMPLE.md:129-135 references/EXAMPLE.md:135-151 references/EXAMPLE.md:151-154 references/EXAMPLE.md:154-162 references/EXAMPLE.md:162-296 references/EXAMPLE.md:296-306 references/EXAMPLE.md:306-309 references/EXAMPLE.md:309-318 references/EXAMPLE.md:318-333 references/EXAMPLE.md:333-342 references/EXAMPLE.md:342-346 references/EXAMPLE.md:346-354 references/EXAMPLE.md:354-358 references/EXAMPLE.md:358-361 references/EXAMPLE.md:361-371 references/EXAMPLE.md:371-404 references/EXAMPLE.md:404-414 references/EXAMPLE.md:414-447 references/EXAMPLE.md:447-451 references/EXAMPLE.md:451-472 references/EXAMPLE.md:472-476 references/EXAMPLE.md:476-537 references/WORKFLOW_CHECKLIST.md:74 SKILL.md:41-52 SKILL.md:52-62 SKILL.md:62-64 SKILL.md:64-66 SKILL.md:66-71 SKILL.md:71-95 SKILL.md:95-97 SKILL.md:97-100 SKILL.md:100-109 SKILL.md:109-111 SKILL.md:111-113 SKILL.md:113-115 SKILL.md:115-131 SKILL.md:131-139 SKILL.md:139-141 SKILL.md:141-143 SKILL.md:143-145 SKILL.md:145-147 SKILL.md:147-149 SKILL.md:149-151 SKILL.md:151-160 SKILL.md:160-161 SKILL.md:161-162 SKILL.md:162-163 SKILL.md:163-164 SKILL.md:164-165 SKILL.md:165-166 SKILL.md:166-167 SKILL.md:167-169 SKILL.md:169-170 SKILL.md:170-172 SKILL.md:172-176 SKILL.md:176-178 SKILL.md:178-209 SKILL.md:209-217 SKILL.md:217-224 SKILL.md:224-230 SKILL.md:230-243 SKILL.md:243-249 SKILL.md:249-258 SKILL.md:258-264 SKILL.md:264-272 SKILL.md:272-278 SKILL.md:278-290 SKILL.md:290-305 SKILL.md:305-318 SKILL.md:318-321 SKILL.md:321-329 SKILL.md:329-332 
SKILL.md:332-339 SKILL.md:339-345 SKILL.md:345-349 SKILL.md:349-355 SKILL.md:355-361 SKILL.md:361-369 SKILL.md:369-379 SKILL.md:379-385 SKILL.md:385-391 SKILL.md:391-397 SKILL.md:397-404 SKILL.md:404-411 SKILL.md:411-413 SKILL.md:413-420 SKILL.md:420-424 SKILL.md:424-429 SKILL.md:429-438 SKILL.md:438-443 SKILL.md:443-448 SKILL.md:448-454 SKILL.md:454-466 SKILL.md:43 SKILL.md:41-52
🌐 Network access (24)
📁 Filesystem access (4)
🔑 Environment variables (27)
⚡ Contains scripts (2)

Audit version 4

Safe

Jan 16, 2026, 04:08 PM

Documentation-only skill providing SBOM generation guidance using the Syft CLI tool. No executable code exists in this skill. The static scanner flagged patterns within markdown documentation and YAML templates containing example commands, CI/CD workflows, and security rule templates. All findings are false positives, since this skill only contains documentation and templates for legitimate supply chain security workflows.

Files scanned: 6
Lines analyzed: 2,228
Findings: 5
Auditor: claude
No security issues found

Risk factors

⚙️ External commands (110)
assets/ci-config-template.yml:298 assets/ci-config-template.yml:301 assets/ci-config-template.yml:304 assets/ci-config-template.yml:307 assets/ci-config-template.yml:310 assets/ci-config-template.yml:134 assets/ci-config-template.yml:250 assets/ci-config-template.yml:291 references/EXAMPLE.md:54-74 references/EXAMPLE.md:74-95 references/EXAMPLE.md:95-108 references/EXAMPLE.md:108-111 references/EXAMPLE.md:111-118 references/EXAMPLE.md:118-122 references/EXAMPLE.md:122-129 references/EXAMPLE.md:129-135 references/EXAMPLE.md:135-151 references/EXAMPLE.md:151-154 references/EXAMPLE.md:154-162 references/EXAMPLE.md:162-296 references/EXAMPLE.md:296-306 references/EXAMPLE.md:306-309 references/EXAMPLE.md:309-318 references/EXAMPLE.md:318-333 references/EXAMPLE.md:333-342 references/EXAMPLE.md:342-346 references/EXAMPLE.md:346-354 references/EXAMPLE.md:354-358 references/EXAMPLE.md:358-361 references/EXAMPLE.md:361-371 references/EXAMPLE.md:371-404 references/EXAMPLE.md:404-414 references/EXAMPLE.md:414-447 references/EXAMPLE.md:447-451 references/EXAMPLE.md:451-472 references/EXAMPLE.md:472-476 references/EXAMPLE.md:476-537 references/WORKFLOW_CHECKLIST.md:74 SKILL.md:41-52 SKILL.md:52-62 SKILL.md:62-64 SKILL.md:64-66 SKILL.md:66-71 SKILL.md:71-95 SKILL.md:95-97 SKILL.md:97-100 SKILL.md:100-109 SKILL.md:109-111 SKILL.md:111-113 SKILL.md:113-115 SKILL.md:115-131 SKILL.md:131-139 SKILL.md:139-141 SKILL.md:141-143 SKILL.md:143-145 SKILL.md:145-147 SKILL.md:147-149 SKILL.md:149-151 SKILL.md:151-160 SKILL.md:160-161 SKILL.md:161-162 SKILL.md:162-163 SKILL.md:163-164 SKILL.md:164-165 SKILL.md:165-166 SKILL.md:166-167 SKILL.md:167-169 SKILL.md:169-170 SKILL.md:170-172 SKILL.md:172-176 SKILL.md:176-178 SKILL.md:178-209 SKILL.md:209-217 SKILL.md:217-224 SKILL.md:224-230 SKILL.md:230-243 SKILL.md:243-249 SKILL.md:249-258 SKILL.md:258-264 SKILL.md:264-272 SKILL.md:272-278 SKILL.md:278-290 SKILL.md:290-305 SKILL.md:305-318 SKILL.md:318-321 SKILL.md:321-329 SKILL.md:329-332 
SKILL.md:332-339 SKILL.md:339-345 SKILL.md:345-349 SKILL.md:349-355 SKILL.md:355-361 SKILL.md:361-369 SKILL.md:369-379 SKILL.md:379-385 SKILL.md:385-391 SKILL.md:391-397 SKILL.md:397-404 SKILL.md:404-411 SKILL.md:411-413 SKILL.md:413-420 SKILL.md:420-424 SKILL.md:424-429 SKILL.md:429-438 SKILL.md:438-443 SKILL.md:443-448 SKILL.md:448-454 SKILL.md:454-466 SKILL.md:43 SKILL.md:41-52
🌐 Network access (24)
📁 Filesystem access (4)
🔑 Environment variables (27)
⚡ Contains scripts (2)

Audit version 3

Safe

Jan 10, 2026, 11:00 AM

Documentation-only skill providing SBOM generation guidance using Syft. No executable scripts, no network calls, no file system access, and no external commands. Pure informational content teaching users how to use the Syft CLI tool for supply chain security.

Files scanned: 6
Lines analyzed: 2,012
Findings: 0
Auditor: claude
No security issues found

Audit version 2

Safe

Jan 10, 2026, 11:00 AM

Documentation-only skill providing SBOM generation guidance using Syft. No executable scripts, no network calls, no file system access, and no external commands. Pure informational content teaching users how to use the Syft CLI tool for supply chain security.

Files scanned: 6
Lines analyzed: 2,012
Findings: 0
Auditor: claude
No security issues found

Audit version 1

Safe

Jan 10, 2026, 11:00 AM

Documentation-only skill providing SBOM generation guidance using Syft. No executable scripts, no network calls, no file system access, and no external commands. Pure informational content teaching users how to use the Syft CLI tool for supply chain security.

Files scanned: 6
Lines analyzed: 2,012
Findings: 0
Auditor: claude
No security issues found