Skip to content

[REVIEW] container-security: add workload identity token audience and finalizer ownerReference traversal gates#2699

Closed
JamesJi79 wants to merge 1 commit into
UnitOneAI:mainfrom
JamesJi79:review-gates-container
Closed

[REVIEW] container-security: add workload identity token audience and finalizer ownerReference traversal gates#2699
JamesJi79 wants to merge 1 commit into
UnitOneAI:mainfrom
JamesJi79:review-gates-container

Conversation

@JamesJi79

Copy link
Copy Markdown

Adds two review gates for container-security skill:

  1. Workload Identity Token Audience Scope Gate (closes [REVIEW] container-security: add workload identity token audience scoping gates #2671)

    • Token audience scope validation check
    • Token mount scope check
  2. Kubernetes Finalizer and OwnerReference Traversal Gate (closes [REVIEW] container-security: add Kubernetes finalizer ownerReference takeover gates #2670)

    • OwnerReference validation check
    • Finalizer abuse prevention check

Both gates add evidence requirements for common Kubernetes/container false-positive patterns.

@JamesJi79 JamesJi79 requested a review from kamalsrini as a code owner June 16, 2026 09:26
@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 16, 2026
@github-actions

Copy link
Copy Markdown

Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-approved-issue PR has no linked maintainer-approved issue

Projects

None yet

1 participant