From 8ca6b9f3932ce3d4f305ff10adafdaaa707a8368 Mon Sep 17 00:00:00 2001 From: Bill Napier Date: Mon, 24 Feb 2025 20:29:29 +0000 Subject: [PATCH 1/5] Add some comments to the workflow --- .github/workflows/action_scanning.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/action_scanning.yml b/.github/workflows/action_scanning.yml index 40356ba..2a0263f 100644 --- a/.github/workflows/action_scanning.yml +++ b/.github/workflows/action_scanning.yml @@ -1,3 +1,4 @@ +### Required actions to scan GitHub action workflows for security issues. name: Scan GitHub Action workflows files for security issues on: From 775836d0f8208499dd0b23b48c1820f9a2ed9cfa Mon Sep 17 00:00:00 2001 From: Bill Napier Date: Mon, 24 Feb 2025 20:33:07 +0000 Subject: [PATCH 2/5] Try to fix syntax error --- .github/workflows/action_scanning.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/action_scanning.yml b/.github/workflows/action_scanning.yml index 2a0263f..d303893 100644 --- a/.github/workflows/action_scanning.yml +++ b/.github/workflows/action_scanning.yml @@ -2,9 +2,7 @@ name: Scan GitHub Action workflows files for security issues on: - pull_request: - paths: - - '.github/workflows/**.ya?ml' + pull_request: {} workflow_dispatch: {} push: paths: From 88f6d4df86e81adebf58aabda62ef794d4a5a104 Mon Sep 17 00:00:00 2001 From: Bill Napier Date: Mon, 24 Feb 2025 20:36:29 +0000 Subject: [PATCH 3/5] syntax errors fixed --- .github/workflows/action_scanning.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/action_scanning.yml b/.github/workflows/action_scanning.yml index d303893..2c41432 100644 --- a/.github/workflows/action_scanning.yml +++ b/.github/workflows/action_scanning.yml @@ -5,9 +5,9 @@ on: pull_request: {} workflow_dispatch: {} push: - paths: + paths: - '.github/workflows/**.ya?ml' - schedule: + schedule: - cron: '39 3 * * 3' permissions: 
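Review bot: Replacing the `pull_request:` path filter with `pull_request: {}` in patch 2 probably did not fix the syntax error, since the identical `'.github/workflows/**.ya?ml'` glob is kept under `push:` and the real parse failure (the missing colon in `- name Initialize CodeQL`) is only fixed in patch 3; as far as I recall GitHub's filter syntax treats `?` as "zero or one of the preceding character", so `ya?ml` is a valid way to match both extensions. The net effect is that the two triggers now disagree on scope: every PR runs the scan while pushes run it only for workflow-file changes. If the intent is to scan only workflow changes, restore `pull_request:` / `paths:` / `- '.github/workflows/**.ya?ml'` so it mirrors `push:`; if the intent is to run on every PR (for example so the job can be a required status check), drop the filter from `push:` as well and record that decision in the header comment added in patch 1.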
@@ -23,7 +23,7 @@ jobs: - name: Checkout Code uses: actions/checkout@v4 - - name Initialize CodeQL + - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: actions From 071e4e0fe7136e652c69f59eaa409c0968d8147b Mon Sep 17 00:00:00 2001 From: Bill Napier Date: Mon, 24 Feb 2025 20:40:29 +0000 Subject: [PATCH 4/5] Add in custom semgrep check --- .../pull_request_target_needs_exception.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 semgrep-rules/actions/pull_request_target_needs_exception.yml diff --git a/semgrep-rules/actions/pull_request_target_needs_exception.yml b/semgrep-rules/actions/pull_request_target_needs_exception.yml new file mode 100644 index 0000000..97237d9 --- /dev/null +++ b/semgrep-rules/actions/pull_request_target_needs_exception.yml @@ -0,0 +1,15 @@ +rules: + - id: pull-request-target-needs-exception + languages: + - yaml + severity: ERROR + message: pull_request_target is considered very risky and should only be used when striclty needed. Please prefer other triggers when possible. + metadata: + category: best-practice + technology: + - github-actions + patterns: + - pattern-either: + - patterns: + - pattern-inside: "{on: ...}" + - pattern: pull_request_target \ No newline at end of file From 445c646b346e6fa93c432e80651de47ba03143f5 Mon Sep 17 00:00:00 2001 From: Bill Napier Date: Mon, 24 Feb 2025 20:42:19 +0000 Subject: [PATCH 5/5] pull right repo for custom scans. --- .github/workflows/action_scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/action_scanning.yml b/.github/workflows/action_scanning.yml index 2c41432..9e84a55 100644 --- a/.github/workflows/action_scanning.yml +++ b/.github/workflows/action_scanning.yml @@ -54,7 +54,7 @@ jobs: env: GH_REPO_OWNER: ${{ github.repository_owner }} with: - repository: '${{ env.GH_REPO_OWNER }}/.github' + repository: '${{ env.GH_REPO_OWNER }}/github-team' path: action_scanning - name: Run Actions semgrep scan
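Review bot: The new rule's `pattern-inside: "{on: ...}"` only works if Semgrep's YAML parser keeps the key `on` as the string `on`; under YAML 1.1 semantics a plain `on` is the boolean `true`, so the rule may silently never fire — add a rule test file next to it with `# ruleid: pull-request-target-needs-exception` cases covering `on: pull_request_target`, `on: [push, pull_request_target]` and the mapping form, plus an `# ok:` case using `pull_request`, before relying on it. The single-alternative `pattern-either:` wrapper is redundant; `patterns:` holding `pattern-inside` and `pattern` directly is equivalent and easier to read. The message has a typo (`striclty` → `strictly`) and, for an ERROR-severity finding whose id promises an exception path, should say what to do: e.g. append `If it is genuinely required, never check out or execute code from the PR head while holding a write-scoped token, and record the approved exception with a nosemgrep comment that cites the review.` Also end the file with a newline (the hunk shows `\ No newline at end of file`).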
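Review bot: The checkout of `${{ env.GH_REPO_OWNER }}/github-team` pins no `ref:`, so the semgrep rules that define what this scanner enforces are whatever sits on that repository's default branch at run time — anyone with push access there can weaken or disable the scan for every consuming repo without any change visible here. Pin `ref:` to a tag or, better, a commit SHA and bump it deliberately; and if `github-team` is private (not visible from the hunk), note that the default `GITHUB_TOKEN` is scoped to the current repository, so the step will also need a `token:` with read access to it. The `GH_REPO_OWNER` env indirection is unnecessary — `repository: '${{ github.repository_owner }}/github-team'` works directly under `with:`. The step's `- name:` and `uses:` lines are above the hunk.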