Security/threat-model file scan under repository root: /data/pruva/project-cache/7182044f-d4bd-4461-bb94-67cc221ed6fc/repo/.github/workflows/security_scan.yaml Security/vulnerability text mentions: /data/pruva/project-cache/7182044f-d4bd-4461-bb94-67cc221ed6fc/repo/pkg/platform/kube/functionres/lazy_test.go:1093: "args must not contain /bin/sh — that's the vulnerability") /data/pruva/project-cache/7182044f-d4bd-4461-bb94-67cc221ed6fc/repo/pkg/processor/runtime/shell/runtime_test.go:254: // Simulates the attack described in the vulnerability report: reading a /data/pruva/project-cache/7182044f-d4bd-4461-bb94-67cc221ed6fc/repo/pkg/processor/runtime/shell/runtime_test.go:255: // Kubernetes ServiceAccount token from the filesystem via command injection.