You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The suggestions seem good and actionable, however, we need the ability to mark some findings are exempt before being able to integrate within PRs and fail the check.
Experimenting with the new [zizmor
tool](https://github.com/woodruffw/zizmor). There's still a number of
false-positives so probably not yet worth integrating into our CI run,
but have audited the current feedback.
Related to:
- #1114
## Only persist git credentials where we need to use them
- Don't leave these around when we don't need to.
- Explicitly set to true where we need them, with a comment highlighting
why we're keeping them.
- Fix a few places we weren't using the centrally managed checkout
version.
- Tweak the conditionals for submodules so the `with:` is always there
now.
## Use of fundamentally insecure workflow trigger -
`pull_request_target`
These appear ok because we're just using this to comment on community
PRs. These don't run builds
```
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/community-moderation.yml:38:1
|
38 | / on:
39 | | pull_request_target:
... |
42 | | types:
43 | | - opened
| |_____________^ pull_request_target is almost always used insecurely
|
```
```
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
--> .github/workflows/pull-request.yml:44:1
|
44 | / on:
45 | | pull_request_target: {}
| |__________________________^ pull_request_target is almost always used insecurely
|
```
## Code injection via template expansion
```
.github/workflows/master.yml
env.COVERAGE_OUTPUT_DIR may expand into attacker-controllable code
```
This is not inputtable by a third party user.
```
.github/workflows/prerequisites.yml
inputs.default_branch may expand into attacker-controllable code
```
This is a workflow call (reusable workflow) and the input is always set
as `github.event.repository.default_branch`.
```
.github/workflows/upgrade-provider.yml
github.event.inputs.version may expand into attacker-controllable code
steps.upstream_version.outputs.latest_version may expand into attacker-controllable code
github.repository may expand into attacker-controllable code
steps.target_version.outputs.version may expand into attacker-controllable code
```
This can only be triggered by internal users.
Investigate zizmor
Possible new tool: https://github.com/woodruffw/zizmor
Initial investigation PR:
The suggestions seem good and actionable, however, we need the ability to mark some findings are exempt before being able to integrate within PRs and fail the check.
Key upstream issues to wait for:
zizmor
GitHub Action woodruffw/zizmor#69The text was updated successfully, but these errors were encountered: