Skill Being Reviewed
Skill name: access-review
Skill path: skills/identity/access-review/
False Positive Analysis
Benign-looking access review evidence that can be over-scored today:
service_account: svc-ci-deploy
owner: Platform Team
certification: approved
entitlements:
- deploy:production
credentials:
- token: ci-prod-deploy-token
created: 2024-01-15
expires: never
last_rotated: unknown
storage: CI variable copied from old ticket
The current skill correctly includes service accounts in review scope and flags service accounts with no owner. However, it can still mark a non-human identity as reviewed when the account has an owner but its attached API keys, PATs, OAuth grants, deploy keys, webhook secrets, or CI/CD tokens are stale, over-scoped, unrotated, human-owned, or stored outside an approved secrets manager.
Coverage Gaps
- API keys, personal access tokens, OAuth grants, deploy keys, webhook secrets, bot accounts, and CI/CD tokens are not explicitly inventoried as review objects.
- A service account can have an owner while individual credentials have no expiry, no last-rotated evidence, no emergency revocation path, or no storage evidence.
- Broad OAuth/PAT/API scopes can remain active without resource, tenant, IP, environment, or business-process constraints.
- Human-owned PATs or deploy keys can power production automation even after the human owner changes role or leaves.
- Third-party integrations can retain access after project shutdown, vendor offboarding, or owner departure.
Recommended Improvement
Add a non-human credential and API access review gate requiring credential type, named owner and backup owner, system/integration, exact scope, creation and last-used dates, rotation/expiry evidence, approved secret storage, and approval evidence. Add findings for missing owner, missing review population coverage, broad scopes, missing rotation/expiry, unused active credentials, stale OAuth integrations, weak storage, and human-owned automation credentials.
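As an added example of what the recommended gate would look like in code (this is illustrative code written for this review, not part of the access-review skill), the checker below takes one record per credential, emits the findings listed above, and reports which credential types the review population never covered. The field names, the 90-day rotation and last-used thresholds, the approved-store allow-list, the broad-scope heuristic and the three sample records (the first one is the svc-ci-deploy token evidence from the False Positive Analysis section) are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Fixed review date so the example is deterministic (assumption, not from the skill).
REVIEW_DATE = date(2025, 1, 15)
MAX_ROTATION_AGE = timedelta(days=90)   # assumed policy threshold
UNUSED_AFTER = timedelta(days=90)       # assumed policy threshold
APPROVED_STORES = {"vault", "aws-secrets-manager", "azure-key-vault"}  # assumed allow-list
# Credential types the gate expects to see in every review population (assumed).
AUTOMATION_TYPES = {"api_key", "pat", "oauth_grant", "deploy_key", "webhook_secret", "ci_token"}
# Scopes treated as over-broad for any single integration (assumed heuristic).
BROAD_SCOPES = {"*", "admin", "repo", "owner", "write:org"}


@dataclass
class Credential:
    cred_id: str
    cred_type: str                  # one of AUTOMATION_TYPES
    owner: str | None
    backup_owner: str | None
    owner_is_human: bool            # True when a person's PAT/key powers automation
    system: str | None              # the system/integration that uses the credential
    scopes: list[str] = field(default_factory=list)
    created: date | None = None
    last_used: date | None = None
    last_rotated: date | None = None
    expires: date | None = None     # None means "never"
    storage: str | None = None      # where the secret material lives
    approval_ref: str | None = None # ticket/change record approving the access


def is_broad(scope: str) -> bool:
    """Wildcard or well-known admin-level scopes count as broad."""
    s = scope.strip().lower()
    return s in BROAD_SCOPES or s.endswith("*")


def review_credential(c: Credential, today: date = REVIEW_DATE) -> list[str]:
    """Return the findings for one credential; an empty list means it passes the gate."""
    findings: list[str] = []
    if not c.owner:
        findings.append("missing_owner")
    elif not c.backup_owner:
        findings.append("missing_backup_owner")
    if c.owner_is_human and c.cred_type in AUTOMATION_TYPES:
        findings.append("human_owned_automation_credential")
    if not c.system:
        findings.append("missing_system")
    if not c.scopes:
        findings.append("missing_scope")
    elif any(is_broad(s) for s in c.scopes):
        findings.append("broad_scope")
    if c.expires is None:
        findings.append("no_expiry")
    if c.last_rotated is None or today - c.last_rotated > MAX_ROTATION_AGE:
        findings.append("missing_or_stale_rotation")
    if c.last_used is None:
        findings.append("missing_last_used")
    elif today - c.last_used > UNUSED_AFTER:
        # A dormant OAuth grant is reported as a stale integration, anything else as unused.
        findings.append("stale_oauth_integration" if c.cred_type == "oauth_grant"
                        else "unused_active_credential")
    if c.storage not in APPROVED_STORES:
        findings.append("weak_storage")
    if not c.approval_ref:
        findings.append("missing_approval_evidence")
    return findings


def population_gaps(creds: list[Credential], expected: set[str] = AUTOMATION_TYPES) -> set[str]:
    """Credential types the review population never covered (missing review population coverage)."""
    return set(expected) - {c.cred_type for c in creds}


def gate(creds: list[Credential]) -> dict[str, list[str]]:
    """A credential counts as reviewed only when its finding list is empty."""
    return {c.cred_id: review_credential(c) for c in creds}


# Constructed sample records for the example.
SAMPLE_CREDENTIALS = [
    # The svc-ci-deploy evidence above: owned and certified, but no credential-level evidence.
    Credential("ci-prod-deploy-token", "ci_token", owner="Platform Team", backup_owner=None,
               owner_is_human=False, system="ci-pipeline", scopes=["deploy:production"],
               created=date(2024, 1, 15), storage="ci_variable"),
    # A person's PAT powering release automation with a broad scope.
    Credential("pat-jdoe-release", "pat", owner="jdoe", backup_owner="Platform Team",
               owner_is_human=True, system="release-bot", scopes=["repo"],
               created=date(2024, 6, 1), last_used=date(2025, 1, 10),
               last_rotated=date(2024, 12, 1), expires=date(2025, 6, 1),
               storage="vault", approval_ref="CHG-1234"),
    # Complete evidence: passes the gate.
    Credential("svc-billing-api-key", "api_key", owner="Billing Team", backup_owner="Platform Team",
               owner_is_human=False, system="billing-sync", scopes=["invoices:read"],
               created=date(2024, 9, 1), last_used=date(2025, 1, 14),
               last_rotated=date(2024, 11, 20), expires=date(2025, 2, 20),
               storage="vault", approval_ref="CHG-2001"),
]

if __name__ == "__main__":
    for cred_id, findings in gate(SAMPLE_CREDENTIALS).items():
        print(cred_id, "PASS" if not findings else findings)
    print("uncovered credential types:", sorted(population_gaps(SAMPLE_CREDENTIALS)))
```

Run as-is, the owned-and-certified CI token still fails on six findings, which is exactly the over-scoring case the report describes: account-level ownership says nothing about the token's expiry, rotation, usage, storage or approval.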
Duplicate Check
I checked open issues and PRs for access-review with the search terms "service account token API key orphan stale owner attestation", "API key", "OAuth", "PAT", and "non-human". I did not find an open issue or PR covering this access-review credential evidence gap.
Bounty Info