github.com/woocommerce/woocommerce-paypal-payments

@ 8cf7d15a8c5e

Submitted 6/11/2026, 11:24:47 PM · Status: ok

Risk grade: F (100 / 100)
Findings: 109
3 critical · 16 high · 69 medium · 3 low · 18 info · 0 on CISA KEV · 0 ATT&CK
Showing 109 of 109 findings

Findings

  • RUN using 'sudo'
    Avoid using 'RUN' with 'sudo' commands, as it can lead to unpredictable behavior.
    trivy · .ddev/playwright-build/Dockerfile:52
  • RUN using 'sudo'
    Avoid using 'RUN' with 'sudo' commands, as it can lead to unpredictable behavior.
    trivy · .ddev/playwright-build/Dockerfile:49
  • RUN using 'sudo'
    Avoid using 'RUN' with 'sudo' commands, as it can lead to unpredictable behavior.
    trivy · .ddev/playwright-build/Dockerfile:53
  • Detected jwt
    Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data.
    gitleaks
  • Detected private-key
    Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
    gitleaks
  • Detected private-key
    Identified a Private Key, which may compromise cryptographic security and sensitive data encryption.
    gitleaks
  • @actions/download-artifact has an Arbitrary File Write via artifact extraction
    grype
  • Detected calls to child_process from a function argument `item`
    Detected calls to child_process from a function argument `item`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
    semgrep · tests/qa/bin/test-env-clean.js:23
  • Detected calls to child_process from a function argument `item`
    Detected calls to child_process from a function argument `item`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
    semgrep · tests/qa/bin/test-env-setup.js:46
  • JWT token detected
    semgrep · tests/PHPUnit/StoreSync/Auth/JwtAuthServiceTest.php:115
  • Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues
    semgrep · tests/inc/inpsyde/wp-content/plugins/woocommerce-subscriptions/includes/core/gateways/paypal/includes/class-wcs-paypal-standard-ipn-handler.php:172
  • The last user in the container is 'root'
    The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.
    semgrep · .ddev/playwright-build/Dockerfile:14
  • User data flows into this manually-constructed SQL string
    User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker stea…
    semgrep · tests/inc/inpsyde/wp-content/plugins/woocommerce-subscriptions/includes/core/class-wc-subscriptions-addresses.php:122
  • User data flows into this manually-constructed SQL string
    User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker stea…
    semgrep · tests/inc/inpsyde/wp-content/plugins/woocommerce-subscriptions/includes/core/class-wcs-my-account-payment-methods.php:232
  • Using variable interpolation `${{...}}` with `github` context data in a `run:` step
    Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untr…
    semgrep · .github/workflows/e2e-tests.yml:68
  • 'apt-get' missing '--no-install-recommends'
    'apt-get' install should use '--no-install-recommends' to minimize image size.
    trivy · .ddev/playwright-build/Dockerfile:34
  • 'apt-get' missing '--no-install-recommends'
    'apt-get' install should use '--no-install-recommends' to minimize image size.
    trivy · .ddev/playwright-build/Dockerfile:41
  • 'apt-get' missing '--no-install-recommends'
    'apt-get' install should use '--no-install-recommends' to minimize image size.
    trivy · .ddev/playwright-build/Dockerfile:16
  • Image user should not be 'root'
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    trivy · .ddev/playwright-build/Dockerfile:14

This report is public.