Dangerous Workflow

ID

dangerous_workflow

Severity

critical

Family

CI/CD tools

Tags

cicd-sec-04, cicd-security, cicd_code_injection, infrastructure, reachable, security, supply-chain

Description

Does the project avoid dangerous coding patterns in CI workflows?

This check determines whether the project’s GitHub Actions workflows contain dangerous code patterns. Examples of these patterns are untrusted code checkouts, logging of the github context and secrets, and use of potentially untrusted inputs in scripts.

Security

Using dangerous coding patterns in CI workflows makes the repository vulnerable to compromise.

Attackers might access repository secrets or run build scripts controlled by the author of a PR.

The following patterns are checked:

Untrusted Code Checkout

This is the misuse of potentially dangerous triggers. A well-known example for GitHub is the pull_request_target or workflow_run workflow trigger used in conjunction with an explicit pull request checkout. Workflows triggered with pull_request_target / workflow_run have write permission to the target repository and access to target repository secrets. With the PR checkout, PR authors may compromise the repository, for example, by using build scripts controlled by the author of the PR, or by reading tokens in memory. This check does not detect whether untrusted code checkouts are used safely, for example, only on pull requests that have been assigned a label.

Script Injection with Untrusted Context Variables

This pattern detects whether a workflow’s inline script may execute untrusted input from attackers. This occurs when an attacker adds malicious commands and scripts to a context. When a workflow runs, these strings may be interpreted as code that is executed on the runner. Attackers can add their own content to certain SCM context variables that are considered untrusted, for example, github.event.issue.title for GitHub. These values should not flow directly into executable code.
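The script injection pattern described above, as an added example that is not this check's own implementation: a small Python scanner that flags untrusted context expressions inside run: scripts, applied to a constructed workflow containing the unsafe form next to the hardened form, which passes the value through an environment variable. The function name, the sample workflow and the list of untrusted fields are assumptions made for illustration; the list is not exhaustive.

```python
import re

# Constructed sample workflow: the first step interpolates the issue title
# into the script text; the second passes it through an environment variable.
SAMPLE_WORKFLOW = """\
on: issues
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe echo
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - name: safe echo
        env:
          TITLE: ${{ github.event.issue.title }}
        run: |
          echo "New issue: $TITLE"
      - name: trusted value
        run: echo "${{ github.sha }}"
"""

# Assumption: a short, non-exhaustive list of attacker-influenced fields.
UNTRUSTED = re.compile(
    r"github\.event\.(?:issue|pull_request|comment|review|discussion)"
    r"\.(?:title|body)\b|github\.head_ref\b"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_script_injections(workflow_text):
    """Return (line, expression) pairs for untrusted values inside run: scripts."""
    findings, run_col = [], None  # run_col: column of the active run: key
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        key = RUN_KEY.match(line)
        if key:
            run_col, script = len(key.group(1)), key.group(2)
        elif run_col is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_col:
                run_col = None  # dedent: the block scalar has ended
                continue
            script = line
        else:
            continue
        findings += [(lineno, e.strip()) for e in EXPR.findall(script)
                     if UNTRUSTED.search(e)]
    return findings
```

Only the first step is reported: in the second step the expression is expanded into an environment variable rather than into the script text, so the shell treats the title as data.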

Mitigation / Fix

Avoid the dangerous workflow patterns.

See this post for information on avoiding untrusted code checkouts.

See this document for information on avoiding and mitigating the risk of script injections.