I shipped a security rule this week, looked at it again the next morning, and realized it only caught half the bug it was supposed to catch. This is mcpscan, a static scanner I maintain that checks MCP configs and, since a few releases ago, GitHub Actions workflows too. The new rule was suppose...
Source: [Dev.to](https://dev.to/kielltampubolon/two-ways-to-reuse-a-privileged-ci-token-and-my-rule-only-caught-one-l1p)