Back to plugin

Security audit

ReleaseOps

Security checks across malware telemetry and agentic risk

Overview

ReleaseOps is a read-only GitHub Actions triage plugin whose log access is disclosed and aligned with its purpose, though users should treat CI log excerpts as potentially sensitive.

Install only for repositories where the agent is allowed to read GitHub Actions metadata and logs. Use a least-privilege GitHub token with Actions/Contents/Metadata read access, avoid broad personal tokens, and set includeLogExcerpt false when logs may contain customer data or secrets.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
test/logs.test.js:74
Evidence
"Authorization: Bearer [REDACTED]",