security-leak-guardrails

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The workflow invokes external GitHub Actions that are fetched and executed at CI runtime—specifically uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 and uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7—so remote code from those repositories will run as a required dependency of the secret-scan job.