integrating-sast-into-github-actions-pipeline

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The workflows and scripts fetch and run external GitHub Actions and container images at runtime—e.g., returntocorp/semgrep-action (https://github.com/returntocorp/semgrep-action) and the semgrep container image (docker://semgrep/semgrep:latest)—which execute remote code and are required for the skill to run.