| Confirmed compromise | Repository history contains the reported malicious workflow, commit hash, C2 endpoint, or payload content and the workflow executed. | Commit object, workflow file, Actions run metadata, runner logs, and network telemetry. | Remove the workflow, isolate affected runners, and rotate every credential class available to the run. | Malicious commits are reverted or removed, workflows are disabled, and downstream audits are clean. |
| Presumed exposed | A matching workflow exists and may have run with secrets, even if exfiltration telemetry is missing. | Workflow path, commit timestamp, runner assignment, permissions, and secret availability. | Rotate GitHub, cloud, package, container, SSH, Kubernetes, Vault, and Terraform credentials reachable from the job. | Credential owners confirm revocation of old material and no suspicious downstream writes are found. |
| Potentially exposed | Repository search finds suspicious workflow names, bot authors, archive creation, or the C2 IP but execution state is incomplete. | Code search hits, git log output, workflow run list, and runner telemetry availability. | Freeze suspicious workflow paths and collect missing run evidence before narrowing rotation. | Each hit is dispositioned as confirmed, presumed, or not exposed. |
| Not exposed | No matching workflow names, C2 endpoint, malicious hashes, or suspicious workflow additions exist in repository history. | Repository code search, git history search, and Actions run export. | Record the clean search and keep workflow ownership controls active. | Search artifacts are preserved with the date, repository list, and query terms. |
| Unknown | Repository history, Actions logs, or the public dataset comparison is unavailable. | Named evidence gaps and the repository population not yet searched. | Keep the repository in the investigation queue and apply conservative credential rotation for high-value projects. | Dataset comparison and workflow history are complete or the risk owner accepts the gap. |