
This pull request contains a GitHub Actions workflow issue where actions/checkout is pinned to a mutable tag (actions/checkout@v4) instead of a specific commit SHA, the job runs repository code on pull_request which can be risky for forked contributions, and the workflow lacks an explicit minimal permissions section—recommend pinning checkout to a SHA, avoid running untrusted code or restrict privileges, and set explicit least-privilege permissions.
Code Policy: GitHub Action Policy

Policy: GitHub Action Policy

Result: Identified GitHub Actions Risks

- Line 20 (.github/workflows/main.yml): Using `actions/checkout@v4` pinned to a mutable tag instead of a specific commit SHA. This can allow supply-chain attacks if the tag is moved or compromised. Recommendation: Pin to a specific commit SHA for `actions/checkout`.
- Line 27 (.github/workflows/main.yml): The workflow runs repository code via `bundle exec rake` on `pull_request` events. While no secrets are used and `pull_request` is safer than `pull_request_target`, executing code from forks is inherently risky. Recommendation: Maintain least privilege and avoid exposing secrets to this job; consider setting explicit minimal permissions.
- General (workflow lacks explicit permissions): No explicit `permissions:` section is set. Default GITHUB_TOKEN permissions may be broader than necessary (especially on push). Recommendation: Set explicit minimal permissions (e.g., `permissions: contents: read`) to limit potential abuse.

No usage of `pull_request_target`, no secrets exposure in steps, and `ruby/setup-ruby` is correctly pinned to a commit SHA, which are positive findings.
ruby_lzma_gem/.github/workflows/main.yml, lines 20 to 23 in bdf4c3c:

```yaml
      - uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@ed55d55e820a01da7d3e4863a8c51a61d73c3228
        with:
```
All finding details can be found in the DryRun Security Dashboard.
Originally posted by @DryRunSecurity[bot] in #2 (comment)
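As an added example (not output of the DryRun Security bot and not code from the ruby_lzma_gem project), the Ruby script below checks a workflow for the three points raised in the review: action references that are not a full commit SHA, a `pull_request_target` trigger, and a missing `permissions:` block. It embeds two constructed workflows, one with the weak shape described above and one hardened with a top-level `permissions: contents: read` and SHA-pinned actions. The `ruby/setup-ruby` SHA is the one quoted in the review; the checkout SHA in the hardened sample is an explicit placeholder, not a real commit, and the `ruby-version` value and workflow name are assumptions for the sample.

```ruby
# Added example, not code from DryRun Security or the ruby_lzma_gem project:
# audit a GitHub Actions workflow for the findings raised in the review
# (mutable action refs, pull_request_target, missing permissions block).
require "yaml"

# A full-length lowercase commit SHA is the only immutable way to reference an action.
SHA40 = /\A[0-9a-f]{40}\z/.freeze

# Constructed sample mirroring the reported workflow shape (tag-pinned checkout,
# no permissions block). The ruby/setup-ruby SHA is the one quoted in the review.
WEAK_WORKFLOW = <<~YAML
  name: CI
  on: [push, pull_request]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - name: Set up Ruby
          uses: ruby/setup-ruby@ed55d55e820a01da7d3e4863a8c51a61d73c3228
          with:
            ruby-version: "3.3"
            bundler-cache: true
        - run: bundle exec rake
YAML

# Hardened sample: top-level least-privilege token and every action pinned to a
# 40-hex commit SHA. The checkout SHA here is a PLACEHOLDER (not a real commit);
# replace it with the output of
#   git ls-remote https://github.com/actions/checkout 'refs/tags/v4^{}'
HARDENED_WORKFLOW = <<~YAML
  name: CI
  on: [push, pull_request]
  permissions:
    contents: read
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        - name: Set up Ruby
          uses: ruby/setup-ruby@ed55d55e820a01da7d3e4863a8c51a61d73c3228
          with:
            ruby-version: "3.3"
            bundler-cache: true
        - run: bundle exec rake
YAML

# Returns a list of human-readable findings; an empty list means the workflow
# passes all three checks.
def audit_workflow(text)
  doc = YAML.safe_load(text)
  findings = []

  # Psych follows YAML 1.1, so the bare key `on` parses as the boolean true.
  triggers = doc["on"] || doc[true]
  trigger_names = triggers.is_a?(Hash) ? triggers.keys : Array(triggers)
  if trigger_names.include?("pull_request_target")
    findings << "pull_request_target runs with the base repository's token; fork code must not execute under it"
  end

  doc.fetch("jobs", {}).each do |job_name, job|
    # permissions may be declared once at the top level or per job; either is explicit.
    unless doc.key?("permissions") || job.key?("permissions")
      findings << "job #{job_name}: no permissions block, GITHUB_TOKEN keeps the repository default scopes"
    end

    Array(job["steps"]).each do |step|
      ref = step["uses"]
      next unless ref
      next if ref.start_with?("./", "docker://") # local and container refs are out of scope here
      action, version = ref.split("@", 2)
      unless version && SHA40.match?(version)
        findings << "job #{job_name}: #{action} uses mutable ref #{version.inspect} instead of a commit SHA"
      end
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { "weak" => WEAK_WORKFLOW, "hardened" => HARDENED_WORKFLOW }.each do |label, wf|
    findings = audit_workflow(wf)
    puts "#{label}: #{findings.empty? ? 'clean' : findings.join('; ')}"
  end
end
```

Run it against a real file with `audit_workflow(File.read(".github/workflows/main.yml"))`. To obtain the SHA for a tag, `git ls-remote <repo-url> 'refs/tags/<tag>^{}'` prints the peeled commit for an annotated tag (plain `refs/tags/<tag>` prints the tag object itself for annotated tags, which is not what `uses:` expects); keep the tag name in a trailing `#` comment so the pin stays readable and tools like Dependabot can still bump it.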