GitHub Actions / warden
completed
Mar 12, 2026 in 7m 56s
1 issue
Medium
Unpinned npm package version allows supply chain attacks - `.github/workflows/docs-codebase-refresh.lock.yml:297`
The npm install command uses `@anthropic-ai/claude-code@latest`, which installs an unpinned, floating version. If this package is compromised or a malicious version is published, it will be automatically installed in the CI/CD pipeline. This is especially risky because the Claude Code CLI likely executes with significant permissions and can access repository secrets.
Also found at:
.github/workflows/docs-codebase-update.lock.yml:297
4 skills analyzed
| Skill | Findings | Duration | Cost |
|---|---|---|---|
| code-review | 0 | 2m 57s | $2.77 |
| find-bugs | 0 | 7m 21s | $4.91 |
| skill-scanner | 0 | 7m 49s | $1.76 |
| security-review | 1 | 5m 1s | $3.86 |
Duration: 23m 8s · Tokens: 6.3M in / 65.5k out · Cost: $13.30 (+extraction: $0.00, +merge: $0.00, +fix_gate: $0.00, +dedup: $0.00)