r12habh opened a new pull request, #16618: URL: https://github.com/apache/iceberg/pull/16618
## What

Adds a lightweight ActionScope workflow to scan GitHub Actions, Terraform, and IAM/policy JSON changes for CI/CD security exposure.

The workflow is intentionally conservative:

- runs only when workflow/action/IaC/policy files change, plus manual dispatch
- uses only `contents: read`
- does not call AWS APIs or require cloud credentials
- pins `actions/checkout` to a full commit SHA
- installs `actionscope>=0.3.5,<1.0` from PyPI
- fails only on `critical` findings, so the current non-critical findings do not block CI

## Why

I ran ActionScope locally against this repository and it found enough workflow-level signal to make a recurring check useful.

```text
Workflows scanned: 21
AWS credential sources: 0
Overall risk: HIGH
Critical: 0 | High: 2 | Medium: 1 | Low: 26
```

Notable current signal:

- ActionScope detected write-capable token permissions, including PR write permissions and a site deployment with contents write.
- No critical findings were detected with the current scanner.

Because this uses `--fail-on critical`, this PR should add visibility without changing the current pass/fail posture.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
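The conservative workflow the PR describes, written out as an added illustration rather than the workflow file from the PR itself: the job name, path filters, `setup-python` step and the `actionscope scan .` invocation are assumptions (only `--fail-on critical` and the version range come from the PR), and the commit SHAs are placeholders.

```yaml
# Added illustration of the workflow shape described in apache/iceberg#16618;
# not the PR's own file. Path globs, job name and CLI invocation are assumed.
name: ActionScope CI/CD security scan

on:
  pull_request:
    # Run only when workflow, action, IaC or policy files change (globs assumed)
    paths:
      - '.github/workflows/**'
      - '.github/actions/**'
      - '**/*.tf'
      - '**/*policy*.json'
  # Manual dispatch for ad-hoc re-scans
  workflow_dispatch:

# Least privilege: the scanner only reads the checkout; no AWS credentials,
# no write-capable token scopes.
permissions:
  contents: read

jobs:
  actionscope:
    runs-on: ubuntu-latest
    steps:
      # Pin to a full 40-hex commit SHA rather than a mutable tag so a moved
      # tag cannot change what runs here. Placeholder: substitute the real SHA.
      - uses: actions/checkout@<FULL_COMMIT_SHA_PLACEHOLDER>

      # Same pinning discipline for the Python toolchain action (step assumed).
      - uses: actions/setup-python@<FULL_COMMIT_SHA_PLACEHOLDER>
        with:
          python-version: '3.x'

      # Lower bound for the needed features, upper bound so a new major
      # release cannot silently change scan behaviour or exit codes.
      - name: Install ActionScope
        run: python -m pip install 'actionscope>=0.3.5,<1.0'

      # Only critical findings fail the job, so existing high/medium/low
      # results are reported without changing the current pass/fail posture.
      # The `scan .` subcommand is an assumption; only --fail-on is from the PR.
      - name: Scan workflows, Terraform and policy JSON
        run: actionscope scan . --fail-on critical
```

The `paths` filter and `workflow_dispatch` trigger are what keep the job from running on every unrelated commit while still allowing a manual full scan.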
