[oblt-aw][security] SEC-030 — findings (2026-05-09)

## Security findings (SEC-030)

**Analysis date:** 2026-05-09
**Occurrences:** 54

### Details

1. **`.github/workflows/ci.yml`** — line **29** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

2. **`.github/workflows/ci.yml`** — line **41** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

3. **`.github/workflows/ci.yml`** — line **44** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

4. **`.github/workflows/ci.yml`** — line **49** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

5. **`.github/workflows/ci.yml`** — line **70** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

6. **`.github/workflows/ci.yml`** — line **73** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

7. **`.github/workflows/ci.yml`** — line **95** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

8. **`.github/workflows/ci.yml`** — line **126** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

9. **`.github/workflows/distribute-client-workflow.yml`** — line **37** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

10. **`.github/workflows/distribute-client-workflow.yml`** — line **44** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

11. **`.github/workflows/distribute-client-workflow.yml`** — line **51** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

12. **`.github/workflows/distribute-client-workflow.yml`** — line **95** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

13. **`.github/workflows/distribute-client-workflow.yml`** — line **101** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

14. **`.github/workflows/distribute-client-workflow.yml`** — line **106** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

15. **`.github/workflows/distribute-client-workflow.yml`** — line **197** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

16. **`.github/workflows/distribute-client-workflow.yml`** — line **209** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

17. **`.github/workflows/distribute-client-workflow.yml`** — line **212** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

18. **`.github/workflows/get-enabled-workflows.yml`** — line **32** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

19. **`.github/workflows/get-enabled-workflows.yml`** — line **45** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

20. **`.github/workflows/gh-aw-agent-suggestions.yml`** — line **16** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses) | zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

21. **`.github/workflows/gh-aw-autodoc.yml`** — line **18** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses) | zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

22. **`.github/workflows/gh-aw-autodoc.yml`** — line **52** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses) | zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

23. **`.github/workflows/gh-aw-automerge.yml`** — line **29** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

24. **`.github/workflows/gh-aw-automerge.yml`** — line **37** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

25. **`.github/workflows/gh-aw-automerge.yml`** — line **49** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

26. **`.github/workflows/gh-aw-automerge.yml`** — line **74** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

27. **`.github/workflows/gh-aw-automerge.yml`** — line **140** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

28. **`.github/workflows/gh-aw-dependency-review.yml`** — line **24** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

29. **`.github/workflows/gh-aw-dependency-review.yml`** — line **74** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

30. **`.github/workflows/gh-aw-dependency-review.yml`** — line **77** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

31. **`.github/workflows/gh-aw-duplicate-issue-detector.yml`** — line **17** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

32. **`.github/workflows/gh-aw-issue-fixer.yml`** — line **22** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses) | zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

33. **`.github/workflows/gh-aw-issue-triage.yml`** — line **18** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

34. **`.github/workflows/gh-aw-mention-in-issue.yml`** — line **20** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

35. **`.github/workflows/gh-aw-resource-not-accessible-by-integration-detector.yml`** — line **36** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses) | zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

36. **`.github/workflows/gh-aw-resource-not-accessible-by-integration-fixer.yml`** — line **22** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses) | zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

37. **`.github/workflows/gh-aw-resource-not-accessible-by-integration-triage.yml`** — line **27** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

38. **`.github/workflows/gh-aw-resource-not-accessible-by-integration-triage.yml`** — line **232** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

39. **`.github/workflows/gh-aw-resource-not-accessible-by-integration-triage.yml`** — line **235** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

40. **`.github/workflows/gh-aw-security-detector.yml`** — line **19** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

41. **`.github/workflows/gh-aw-security-detector.yml`** — line **25** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

42. **`.github/workflows/gh-aw-security-detector.yml`** — line **36** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

43. **`.github/workflows/gh-aw-security-detector.yml`** — line **51** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

44. **`.github/workflows/gh-aw-security-fixer.yml`** — line **22** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses) | zizmor [secrets-inherit]: secrets unconditionally inherited by called workflow (https://docs.zizmor.sh/audits/#secrets-inherit)

45. **`.github/workflows/gh-aw-security-triage.yml`** — line **26** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

46. **`.github/workflows/gh-aw-security-triage.yml`** — line **121** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

47. **`.github/workflows/gh-aw-security-triage.yml`** — line **124** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

48. **`.github/workflows/load-allowed-authors.yml`** — line **37** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

49. **`.github/workflows/oblt-aw.yml`** — line **27** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

50. **`.github/workflows/sync-control-plane-dashboard.yml`** — line **30** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

51. **`.github/workflows/sync-control-plane-dashboard.yml`** — line **33** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

52. **`.github/workflows/sync-control-plane-dashboard.yml`** — line **65** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

53. **`.github/workflows/sync-control-plane-dashboard.yml`** — line **69** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

54. **`.github/workflows/sync-control-plane-dashboard.yml`** — line **74** — **medium** — zizmor [unpinned-uses]: unpinned action reference (https://docs.zizmor.sh/audits/#unpinned-uses)

---
*Generated by oblt-aw security detector. Rules: [security-scanning-ruleset](https://github.com/elastic/oblt-aw/blob/main/docs/workflows/security-scanning-ruleset.md) (SEC-001–SEC-044, aligned with [observability-robots#3758](https://github.com/elastic/observability-robots/issues/3758)).*


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[oblt-aw][security] SEC-030 — findings (2026-05-09) #830

Security findings (SEC-030)

Details

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

[oblt-aw][security] SEC-030 — findings (2026-05-09) #830

Description

Security findings (SEC-030)

Details

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions