Skip to content

Add CI/CD security rules (mutable action refs, pull_request_target, script injection)#206

Open
seonghobae wants to merge 1 commit into
developfrom
cicd-rules
Open

Add CI/CD security rules (mutable action refs, pull_request_target, script injection)#206
seonghobae wants to merge 1 commit into
developfrom
cicd-rules

Conversation

@seonghobae

Copy link
Copy Markdown
Contributor

Summary

GitHub Actions is a prime supply-chain / pipeline attack surface, and only two narrow CI rules existed. Adds three high-precision rules in scanner/rules/cicd.yml:

  • github-action-mutable-ref (WARNING) — uses: x@main/@master (a moving branch runs with your secrets; pin to a commit SHA).
  • github-actions-pull-request-target (HIGH) — the trigger that runs with repo secrets in a fork-PR context; poisoned-pipeline risk if it builds/runs PR code.
  • github-actions-script-injection (HIGH) — attacker-controllable github.event.* (issue/PR title/body, comment body, head.ref) inlined into a ${{ }} expression; command injection in run: steps. Pass via env: and reference $VAR.

Test plan

  • pytesttests/test_cicd_rules.py (2+ positive / 2+ negative per rule + severities)
  • e2e: all 3 fire on a malicious workflow; 0 false positives on a safe one (@<sha> pins, github.event.number, secrets.*)

🤖 Generated with Claude Code

…cript injection)

GitHub Actions is a prime supply-chain/pipeline attack surface for AI-built
repos, and only two narrow CI rules existed (secret env passthrough, GITHUB_TOKEN).

scanner/rules/cicd.yml:
- github-action-mutable-ref (WARNING) — `uses: x@main`/`@master` (pin to a SHA)
- github-actions-pull-request-target (HIGH) — the fork-PR-with-secrets trigger
- github-actions-script-injection (HIGH) — attacker-controllable `github.event.*`
  (issue/PR title/body, comment, head.ref) inlined into a workflow expression

- Tests: tests/test_cicd_rules.py (2+ positive / 2+ negative per rule + severities).
- Verified: e2e all 3 fire on a malicious workflow, 0 false positives on a safe
  one (@sha pins, github.event.number, secrets.*).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EywwS2Du8pimW7xqRP3An3
@seonghobae seonghobae enabled auto-merge (squash) July 5, 2026 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant