ci(docs): Switch agentic workflows from Copilot to Claude engine
1 issue
security-review: Found 1 issue (1 medium)
Medium
Unpinned npm package version allows supply chain attacks - `.github/workflows/docs-codebase-refresh.lock.yml:297`
The workflow installs @anthropic-ai/claude-code@latest without version pinning, allowing any future version to be installed automatically. If the npm package is compromised or a malicious version is published, the CI/CD pipeline would automatically execute it with access to repository secrets (ANTHROPIC_API_KEY, GITHUB_TOKEN). Pin to a specific version with integrity hash verification.
Also found at:
.github/workflows/docs-codebase-update.lock.yml:297
Duration: 8m 52s · Tokens: 1.7M in / 20.4k out · Cost: $2.54 (+extraction: $0.00, +merge: $0.00, +fix_gate: $0.00)
Annotations
Check warning on line 297 in .github/workflows/docs-codebase-refresh.lock.yml
sentry-warden / warden: security-review
Unpinned npm package version allows supply chain attacks
The workflow installs `@anthropic-ai/claude-code@latest` without version pinning, allowing any future version to be installed automatically. If the npm package is compromised or a malicious version is published, the CI/CD pipeline would automatically execute it with access to repository secrets (ANTHROPIC_API_KEY, GITHUB_TOKEN). Pin to a specific version with integrity hash verification.
Check warning on line 297 in .github/workflows/docs-codebase-update.lock.yml
sentry-warden / warden: security-review
[R7U-P2V] Unpinned npm package version allows supply chain attacks (additional location)
The workflow installs `@anthropic-ai/claude-code@latest` without version pinning, allowing any future version to be installed automatically. If the npm package is compromised or a malicious version is published, the CI/CD pipeline would automatically execute it with access to repository secrets (ANTHROPIC_API_KEY, GITHUB_TOKEN). Pin to a specific version with integrity hash verification.