| Field | Value |
|---|---|
| Category | CICD-SEC-4 |
| Severity | MEDIUM |
| Confidence | MEDIUM |
| OWASP | CICD-SEC-4: Poisoned Pipeline Execution |
| Auto-fix | ✗ |
What the check does
Flags dependency caching —actions/cache, or a setup-* action’s cache:
option — in a workflow that also publishes a release-shaped artifact
(release upload, container push, npm/cargo/gem publish, GoReleaser, …).
This is broader than SLSA-BUILD-L3 cache poisoning,
which only covers a pull_request_target cache key built from PR-controlled
input.