Workflow uses secrets.R2_ACCESS_KEY_ID on a pull_request trigger #10870

@repobilitycom

Description

Code-quality scan: hcengineering/platform

Score: 70/100 (B) · 98 findings · scanned 2026-05-20 01:59 UTC · 60,404 LOC

| Severity | Count |
|----------|-------|
| CRITICAL | 28    |
| HIGH     | 34    |
| MEDIUM   | 6     |
| LOW      | 13    |

📊 Full filterable report · scorecard

Top findings

  1. CRITICAL MINED018 — Unsafe Deserialization Pickle
    dev/import-tool/src/index.ts:184 · CWE-502 · ✓ Repobility
  2. CRITICAL SEC116 — Ruby YAML.load / Marshal.load on untrusted input
    dev/import-tool/src/index.ts:184 · A08:2021 Software & Data Integrity Failures
  3. CRITICAL SEC079 — Python: yaml.load without SafeLoader
    dev/import-tool/src/index.ts:184 · A05:2021 Security Misconfiguration
  4. CRITICAL MINED116 — Workflow uses secrets.R2_SECRET_ACCESS_KEY on a pull_request trigger
    .github/workflows/main.yml:921 · ✓ Repobility
  5. CRITICAL MINED116 — Workflow uses secrets.R2_ACCESS_KEY_ID on a pull_request trigger
    .github/workflows/main.yml:920 · ✓ Repobility

Security note: this issue is public. If any flagged finding is a real, exploitable vulnerability, please redirect to your SECURITY.md policy or open a private security advisory instead. We're happy to close this and re-submit privately.
Filed automatically. Close this issue if not useful — we won't refile. Full report: https://repobility.com/scan/1a8155c4-002f-4a0f-bd44-ca3a6ed02b15/
