Ensure that action scanning is actually work.

.github/workflows/action_scanning.yml

@@ -1,14 +1,13 @@
+### Required actions to scan GitHub action workflows for security issues.
 name: Scan GitHub Action workflows files for security issues
 
 on:
-  pull_request: 
-     paths:
-      - '.github/workflows/**.ya?ml'
+  pull_request: {}
   workflow_dispatch: {}
   push:
-     paths:
+    paths:
       - '.github/workflows/**.ya?ml'
-   schedule:
+  schedule:
     - cron: '39 3 * * 3'
 
 permissions:
@@ -24,7 +23,7 @@ jobs:
     - name: Checkout Code
       uses: actions/checkout@v4
 
-    - name Initialize CodeQL
+    - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
         languages: actions
@@ -55,7 +54,7 @@ jobs:
         env:
           GH_REPO_OWNER: ${{ github.repository_owner }}
         with:
-          repository: '${{ env.GH_REPO_OWNER }}/.github'
+          repository: '${{ env.GH_REPO_OWNER }}/github-team'
           path: action_scanning
 
       - name: Run Actions semgrep scan

semgrep-rules/actions/pull_request_target_needs_exception.yml

@@ -0,0 +1,15 @@
+rules:
+  - id: pull-request-target-needs-exception
+    languages:
+      - yaml
+    severity: ERROR
+    message: pull_request_target is considered very risky and should only be used when striclty needed.  Please prefer other triggers when possible.
+    metadata:
+      category: best-practice
+      technology:
+        - github-actions      
+    patterns:
+      - pattern-either:
+          - patterns:
+              - pattern-inside: "{on: ...}"
+              - pattern: pull_request_target