FixVibe

// code / spotlight

Repo Security Hygiene

Branch protection, action pinning, secret hygiene — how your repo is run matters more than the code.

Il gancio

Modern attacks target the build pipeline more than the code, because the build pipeline holds the secrets and turns commits into deploys. The 2023 PyPI typosquatting waves, the 2022 GitHub OAuth integration breach, the recurring 'malicious GitHub Action' incidents, the colors.js and ua-parser-js sabotages — each one rode a supply-chain weakness more than a code-level bug. Repo security hygiene is unglamorous and unforgiving: branch protection on `main`, exact-SHA pinning on third-party Actions, secret-handling discipline in workflows, signed commits where it matters. None of it is novel; all of it is how you avoid being the next post-mortem.

Come funziona

Common defect classes. The most dangerous: `pull_request_target` workflows that check out the head ref of the PR and execute build/test scripts. `pull_request_target` runs in the context of the base branch with full access to the repo's secrets — a malicious fork PR can extract secrets, push commits, or backdoor the CI. Third-party Actions referenced by tag (`uses: foo/bar@v1`): the tag is mutable, the upstream maintainer (or anyone who compromises the maintainer's account) can move it to point at compromised code. Secrets echoed in workflow logs: GitHub redacts known secret values from logs but only as exact substring matches; base64-encoded or partially-modified versions slip through. Unprotected default branches: any contributor with write access can rewrite history or merge unreviewed code straight to main.

Le varianti

pull_request_target with head checkout

The single most-exploited supply-chain vector in GitHub Actions. Malicious PR runs in privileged context. CVE-class incidents have come from this exact pattern.

Unpinned third-party Actions

`uses: foo/bar@v1` instead of `uses: foo/bar@<full SHA>`. Tag mutability is a feature in npm-land; in CI it's a supply-chain risk vector.

Secret echo in workflow logs

`echo $SECRET` for debugging. GitHub redacts known values, but base64 / partial / transformed versions leak.

No branch protection

Default branch can be force-pushed and merged-to without review. Anyone with write access — or any compromised contributor account — rewrites history or pushes unreviewed code.

Il raggio d'azione

Supply-chain compromise. Code execution in your CI runner with your secrets means: stolen Stripe keys, AWS access keys, deploy tokens. Malicious commits pushed to main means a backdoored release. Compromised deploys means every customer of yours runs the attacker's code. The blast radius depends on what your CI has access to — for typical SaaS deployments, that's the entirety of production.

// cosa controlla fixvibe

Cosa controlla FixVibe

FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.

Difese a prova di bomba

Require pull-request reviews + status checks on the default branch via GitHub's branch protection settings. At minimum: require 1 reviewer, require status checks to pass, prevent force-push, prevent deletion. Pin third-party Actions to full 40-char commit SHAs (`uses: foo/bar@2c4abf...`). Renovate keeps them automatically updated to the latest SHA, so you get the security benefit without the maintenance burden. Use `pull_request` (not `pull_request_target`) for workflows that test forked PRs; if you must use `pull_request_target`, never check out the head ref — check out the base branch and treat the PR diff as data, not code. Don't echo secrets in workflow steps; use `if: env.SECRET_NAME != ''` to verify presence without printing. Enable Dependabot security updates and code scanning. Use signed commits and require them on protected branches for high-stakes repos. As a defense-in-depth layer, scope your secrets aggressively: per-environment, per-workflow, with short-lived OIDC tokens to cloud providers instead of long-lived static keys where possible.

// run it on your own app

Continua a spedire mentre FixVibe vigila per te.

FixVibe mette sotto pressione la superficie pubblica della tua app come farebbe un attaccante — senza agent, senza installazione, senza carta. Continuiamo a studiare nuovi pattern di vulnerabilità e li trasformiamo in controlli pratici e fix pronti da incollare in Cursor, Claude e Copilot.

Codice sorgente
116
test eseguiti in questa categoria
modules
76
controlli dedicati a codice sorgente
ogni scansione
487+
test su tutte le categorie
  • Gratis — senza carta di credito, senza installazione, senza ping su Slack
  • Incolla un URL — pensiamo noi a crawl, sonde e report
  • Risultati classificati in base alla gravità, deduplicati solo per segnalare
  • AI-ready prompts where code applies, plus operator steps for DNS/provider fixes
Esegui una scansione gratuita

// latest checks · practical fixes · ship with confidence

Repo Security Hygiene — Vulnerabilità in primo piano | FixVibe · FixVibe