Skip to content

Security

Security #30

Triggered via schedule May 18, 2026 07:16
Status Failure
Total duration 9m 0s
Artifacts 4

security.yml

on: schedule
Secret Scanning (gitleaks)
17s
Secret Scanning (gitleaks)
Markdown Lint (diga/)
8s
Markdown Lint (diga/)
Link Check (lychee)
2m 21s
Link Check (lychee)
Dependency Review
0s
Dependency Review
OSV Scanner (manifest-CVE)
17s
OSV Scanner (manifest-CVE)
OSV Scanner (private app repo)
5s
OSV Scanner (private app repo)
TLS Posture (testssl.sh)
8m 55s
TLS Posture (testssl.sh)
HTTP Security Headers (Observatory)
4s
HTTP Security Headers (Observatory)
Fit to window
Zoom out
Zoom in

Annotations

5 errors, 8 warnings, and 1 notice
Markdown Lint (diga/)
Failed with exit code: 1
Multiple consecutive blank lines: diga/COMPLIANCE_MATRIX_TR1_OFFICIAL.md#L286
diga/COMPLIANCE_MATRIX_TR1_OFFICIAL.md:286 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.36.1/doc/md012.md
Bare URL used: diga/COMPLIANCE_MATRIX_TR1_OFFICIAL.md#L87
diga/COMPLIANCE_MATRIX_TR1_OFFICIAL.md:87:183 MD034/no-bare-urls Bare URL used [Context: "security@twobreath.com"] https://github.com/DavidAnson/markdownlint/blob/v0.36.1/doc/md034.md
Multiple consecutive blank lines: diga/COMPLIANCE_MATRIX_TR1_OFFICIAL.md#L27
diga/COMPLIANCE_MATRIX_TR1_OFFICIAL.md:27 MD012/no-multiple-blanks Multiple consecutive blank lines [Expected: 1; Actual: 2] https://github.com/DavidAnson/markdownlint/blob/v0.36.1/doc/md012.md
Headings should be surrounded by blank lines: diga/BSI_ASSESSMENT.md#L104
diga/BSI_ASSESSMENT.md:104 MD022/blanks-around-headings Headings should be surrounded by blank lines [Expected: 1; Actual: 0; Below] [Context: "### Volltext-Anhang"] https://github.com/DavidAnson/markdownlint/blob/v0.36.1/doc/md022.md
HTTP Security Headers (Observatory)
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/upload-artifact@v4. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
OSV Scanner (private app repo)
APP_REPO_TOKEN secret not set — cross-repo scan skipped. Add a fine-grained PAT with Contents:Read on ma3u/TwoBreath-app to enable.
Markdown Lint (diga/)
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v4, DavidAnson/markdownlint-cli2-action@v18. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
OSV Scanner (manifest-CVE)
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v4, actions/upload-artifact@v4, github/codeql-action/upload-sarif@v3. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
OSV Scanner (manifest-CVE)
CodeQL Action v3 will be deprecated in December 2026. Please update all occurrences of the CodeQL Action in your workflow files to v4. For more information, see https://github.blog/changelog/2025-10-28-upcoming-deprecation-of-codeql-action-v3/
Secret Scanning (gitleaks)
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v4, gitleaks/gitleaks-action@v2. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
Link Check (lychee)
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v4. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
TLS Posture (testssl.sh)
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/upload-artifact@v4. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Node.js 20 will be removed from the runner on September 16th, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

Artifacts

Produced during runtime
Name Size Digest
gitleaks-results.sarif
6.61 KB
sha256:3e28cc37fd98c3569069bf86ebdb74bfdbdee83439d99828940f508217e3fc26
observatory-report
359 Bytes
sha256:89675cf06dad7bc5b14003bb923802d64000e272b2d2f452d3f2b274d817c747
osv-scanner-report
582 Bytes
sha256:4f180cd0e586daccba5db69bb0b0df96eac7bed7ab0b344939bd922082468561
testssl-report
1.32 KB
sha256:01f91cdf179f47a1264877caca578f1da32a7675012ef5c7b35831669afcb7b6