hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 08:43:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20204 from p-/p--actions-untrusted-checkout-doc

Browse Source 
Actions: clarify doc for untrusted checkout
This commit is contained in:
Napalys Klicius
2025-08-11 14:42:12 +02:00
committed by GitHub
parent 9905cd6436 98d312fda1
commit 6e38087d20
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
View File

@@ -1,6 +1,6 @@
## Overview
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
## Recommendation
@@ -32,7 +32,7 @@ jobs:
- uses: actions/setup-node@v1
- run: |
npm install
npm install # scripts in package.json from PR would be executed here
npm build
- uses: completely/fakeaction@v2

4
actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
View File

@@ -1,6 +1,6 @@
## Overview
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
## Recommendation
@@ -32,7 +32,7 @@ jobs:
- uses: actions/setup-node@v1
- run: |
npm install
npm install # scripts in package.json from PR would be executed here
npm build
- uses: completely/fakeaction@v2

4
actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
View File

@@ -1,6 +1,6 @@
## Overview
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed in a privileged job.
GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
## Recommendation
@@ -32,7 +32,7 @@ jobs:
- uses: actions/setup-node@v1
- run: |
npm install
npm install # scripts in package.json from PR would be executed here
npm build
- uses: completely/fakeaction@v2