add codeql actions query with data extension sample

2025-12-16 09:53:04 +01:00 · 2025-06-25 14:04:25 -07:00
parent 8ccd26872a
commit 3ce1d8d252
10 changed files with 133 additions and 25 deletions
--- a/codeql-custom-queries-actions/example.ql
+++ b/codeql-custom-queries-actions/example.ql
@@ -0,0 +1,61 @@
+// /**
+//  * @name Empty block
+//  * @kind problem
+//  * @problem.severity warning
+//  * @id go/example/empty-block
+//  */
+
+// import actions
+ 
+// select 1
+
+
+/**
+ * @name Unpinned tag for a non-immutable Action in workflow
+ * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
+ * @kind problem
+ * @security-severity 5.0
+ * @problem.severity warning
+ * @precision medium
+ * @id actions/unpinned-tag
+ * @tags security
+ *       actions
+ *       external/cwe/cwe-829
+ */
+
+import actions
+import codeql.actions.security.UseOfUnversionedImmutableAction
+
+bindingset[version]
+private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
+
+bindingset[nwo]
+private predicate isTrustedOwner(string nwo) {
+  // Gets the segment before the first '/' in the name with owner(nwo) string
+  trustedActionsOwnerDataModel(nwo.substring(0, nwo.indexOf("/")))
+}
+
+bindingset[version]
+private predicate isPinnedContainer(string version) {
+  version.regexpMatch("^sha256:[A-Fa-f0-9]{64}$")
+}
+
+bindingset[nwo]
+private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
+
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
+where
+  uses.getCallee() = nwo and
+  uses.getEnclosingWorkflow() = workflow and
+  (
+    workflow.getName() = name
+    or
+    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
+  ) and
+  uses.getVersion() = version and
+  not isTrustedOwner(nwo) and
+  not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and
+  not isImmutableAction(uses, nwo)
+select uses.getCalleeNode(),
+  "Unpinned 3rd party Action '" + name + "' step $@ uses '" + nwo + "' with ref '" + version +
+    "', not a pinned commit hash", uses, uses.toString()
--- a/codeql-custom-queries-actions/exclusions.yml
+++ b/codeql-custom-queries-actions/exclusions.yml
@@ -0,0 +1,9 @@
+extensions:
+  - addsTo: 
+      pack: codeql/actions-all
+      extensible: trustedActionsOwnerDataModel
+    data:      
+      - ["actions"]
+      - ["github"]
+      - ["advanced-security"]
+      - ["company-x"]
--- a/codeql-custom-queries-actions/qlpack.yml
+++ b/codeql-custom-queries-actions/qlpack.yml
@@ -0,0 +1,11 @@
+# Change 'getting-started' to the name of a user or organization that you have write access to.
+name: getting-started/codeql-extra-queries-actions
+version: 0.0.0
+extractor: actions
+dependencies:
+  # This uses the latest version of the codeql/go-all library.
+  # You may want to change to a more precise semver string.
+  codeql/actions-all: "*"
+
+dataExtensions:
+  - exclusions.yml
--- a/codeql-custom-queries-actions/tests/.github/workflows/test1.yml
+++ b/codeql-custom-queries-actions/tests/.github/workflows/test1.yml
@@ -0,0 +1,11 @@
+# tests/tests.testproj/.github/workflows/ci.yml
+name: CI
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@latest   # Unpinned — should be flagged
--- a/codeql-custom-queries-actions/tests/UnpinnedActionsTag.expected
+++ b/codeql-custom-queries-actions/tests/UnpinnedActionsTag.expected
@@ -0,0 +1 @@
+none
--- a/codeql-custom-queries-actions/tests/UnpinnedActionsTag.qlref
+++ b/codeql-custom-queries-actions/tests/UnpinnedActionsTag.qlref
@@ -0,0 +1 @@
+UnpinnedActionsTag.ql
--- a/codeql-custom-queries-actions/tests/test.yml
+++ b/codeql-custom-queries-actions/tests/test.yml
@@ -0,0 +1,11 @@
+# tests/tests.testproj/.github/workflows/ci.yml
+name: CI
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-node@latest   # Unpinned — should be flagged
--- a/codeql-custom-queries-actions/tests/test2.yml
+++ b/codeql-custom-queries-actions/tests/test2.yml
@@ -0,0 +1,12 @@
+name: Untrusted workflow
+
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Untrusted step
+        uses: dodgycorp/bad-action@latest  # This should trigger the query
--- a/codeql-custom-queries-actions/tests/test3.yml
+++ b/codeql-custom-queries-actions/tests/test3.yml
@@ -0,0 +1,12 @@
+name: Untrusted workflow
+
+on: push
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Untrusted step
+        uses: company-X/bad-action@latest  # This should trigger the query