# Scan Notes: Chainlink `external-adapters-js`

Date: 2026-02-15
Repo: https://github.com/smartcontractkit/external-adapters-js
Program: HackerOne Chainlink (top-paying export)

## Quick Results

Semgrep (`p/security-audit` + `p/owasp-top-ten`):

- 6 findings total
- 4 GitHub Actions interpolation warnings in composite actions:
  - `.github/actions/create-ecrs/action.yml`
  - `.github/actions/setup/action.yml`
- 2 Dockerfile hardening warnings (missing `USER`):
  - `Dockerfile`
  - `grafana/Dockerfile`

Workflow context check:

- These composite actions are used from workflows triggered on `pull_request` and `push` to `main` (not `pull_request_target`).

Trufflehog (filesystem, filtered, archives skipped, no verification):

- 6 detections, all look like false positives/examples:
  - `grafana/Dockerfile` contains `ENV GRAFANA_URL=http://admin:admin@...` (dev default)
  - generated README cache key example
  - `yarn.lock` checksum strings flagged by detectors

## Next Places To Look (Manual)

- Adapter request parsing and any URL fetchers (SSRF to data providers)
- Command execution or templating in adapter runners/build tooling
- Deserialization and unsafe parsing (JSON/YAML/protobuf) at boundaries
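For reference when triaging the interpolation warnings above, here is the shape of what those Semgrep rules flag in a composite action, next to the hardened form. This is an added illustration, not code from the `external-adapters-js` repository; the action name and the `branch` input are hypothetical.

```yaml
# Added illustration (not the repository's own action.yml).
name: example-composite
description: Hypothetical composite action used to show the flagged pattern
inputs:
  branch:
    description: Value supplied by the calling workflow (may originate from a PR)
    required: true
runs:
  using: composite
  steps:
    # Flagged pattern: the ${{ }} expression is substituted into the script
    # text before bash runs it, so a value containing shell metacharacters
    # is interpreted as shell syntax rather than as data.
    - run: echo "Building ${{ inputs.branch }}"
      shell: bash

    # Hardened pattern: pass the value through an environment variable.
    # The script text is now fixed, and bash reads $BRANCH as a plain string.
    - run: echo "Building $BRANCH"
      shell: bash
      env:
        BRANCH: ${{ inputs.branch }}
```

Whether a flagged line is actually reachable depends on where the input comes from and on the triggering workflow: a value derived from PR metadata on a `pull_request_target` run would be the high-impact case, whereas the workflows noted above run on `pull_request` and `push`, which is why these are recorded as warnings to confirm manually rather than as findings.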