Dangerous Workflow

ID

openssf_scorecard/dangerous_workflow

Severity

critical

Category

Levels

Optional

false

Tags

cicd-sec-04, cicd-security, cicd_code_injection, infrastructure, security, supply-chain

Description

Does the project avoid dangerous coding patterns in CI workflows?

This check determines whether the project’s GitHub Action workflows has dangerous code patterns. Some examples of these patterns are untrusted code checkouts, logging github context and secrets, or use of potentially untrusted inputs in scripts.

Reference: OpenSSF Scorecard - Dangerous Workflow.

Rationale

Using dangerous coding in CI workflows make the repository vulnerable to compromise. Attackers might access repository secrets or run build scripts controlled by the author of a PR.

Verification

The following patterns are checked:

Untrusted Code Checkout

This is the misuse of potentially dangerous triggers. A well-know example for Github are the pull_request_target or workflow_run workflow triggers used in conjunction with an explicit pull request checkout. Workflows triggered with pull_request_target / workflow_run have write permission to the target repository and access to target repository secrets. With the PR checkout, PR authors may compromise the repository, for example, by using build scripts controlled by the author of the PR, or by reading token in memory. This check does not detect whether untrusted code checkouts are used safely, for example, only on pull request that have been assigned a label.

Script Injection with Untrusted Context Variables

This pattern detects whether a workflow’s inline script may execute untrusted input from attackers. This occurs when an attacker adds malicious commands and scripts to a context. When a workflow runs, these strings may be interpreted as code that is executed on the runner. Attackers can add their own content to certain SCM context variables that are considered untrusted, for example, github.event.issue.title for GitHub. These values should not flow directly into executable code.

Remediation

Avoid the dangerous workflow patterns. See this post for information on avoiding untrusted code checkouts. See this document for information on avoiding and mitigating the risk of script injections.

Small Print

Current implementation is limited to repositories hosted on GitHub, with other systems under development.