Analysis roadmap

[woodruffw]

• Auditing of action definitions (i.e. action.yml) Feature: support auditing (composite) actions #173
• Accidental credential persistence
  • "ArtiPACKED"
• Insecure/fundamentally dangerous workflow triggers
  • pull_request_target
  • workflow_run: pull_request_target -> dangerous_triggers #33
• Insecure/excessive permissions
• Self-hosted runners/runner escapes
• Cache poisoning New audit: cache poisoning #261
• Impostor commits
• Ref confusion (e.g. branch/tag confusion)
• Bad practices for third-party actions
  • Using pypa/gh-action-pypi-publish without trusted publishing
  • Using rubygems/release-gem without trusted publishing
• Hardcoded container/service credentials
• Suggest upgrades for common 3p workflows, e.g. gh-action-pypi-publish@master should be @release/v1.
  • See direct use of branches #59
• Out-of-date Dependabot version comments
• Unpinned actions (this should probably be pedantic only)
  • New audit: un-pinned action audit #141
• Bad YAML string/int conversions (these will be annoying to detect, since we'd need to go back up to the original span to see if the deserialized form diverges)
  • Toolchain version 1.70 is parsed as 1.7 dtolnay/rust-toolchain#112
• Known insecure/exploitable actions #36
  • https://osv.dev/list?q=&ecosystem=GitHub+Actions
• GITHUB_ENV usage: New audit: GITHUB_ENV #156
• Insecure workflow commands: New audit: ACTIONS_ALLOW_UNSECURE_COMMANDS #171
• Secrets outside of environments: Audit idea: Secrets outside of environments #184
• Old/stale action usage: New audit: old actions #260

[woodruffw]

Self-hosted runners are fundamentally insecure when not run ephemerally, but there's no great way to detect this statically. So we'll likely need to make that check a pedantic-only one.

[woodruffw]

Code injection should also detect things like https://securitylab.github.com/advisories/GHSL-2024-169_Arduino-ESP32/, i.e. detect expression expansion inside of actions like actions/github-script.