← Scan another repo

github.com/sindresorhus/slugify

@ 7c318bd1aa4b

Submitted 7/13/2026, 9:35:08 PM · Status: ok

Risk grade
B
12 / 100
Findings
7
0 critical0 high6 medium0 low1 info0 on CISA KEV0ATT&CK
Showing 7 of 7 findings

Findings

  • Ensure top-level permissions are not set to write-all
    Ensure top-level permissions are not set to write-all on on(CI)
    checkov.github/workflows/main.yml:0
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/main.yml:16
  • GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-gi
    GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA ins…
    semgrep.github/workflows/main.yml:17
  • RegExp() called with a `options` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For t
    RegExp() called with a `options` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is…
    semgrepindex.js:43
  • RegExp() called with a `separator` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For
    RegExp() called with a `separator` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex …
    semgrepindex.js:19
  • RegExp() called with a `separator` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For
    RegExp() called with a `separator` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex …
    semgrepindex.js:20

This report is public.