Merge pull request #19 from GitHubSecurityLab/steps

2026-03-20 22:46:47 +01:00 · 2024-02-21 18:38:44 +01:00
parent d6f6e1fc0b 9e2be7d674
commit 7a1369d9d0
39 changed files with 248 additions and 1 deletions
--- a/ql/lib/ext/akhileshns_heroku-deploy.model.yml
+++ b/ql/lib/ext/akhileshns_heroku-deploy.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["akhileshns/heroku-deploy", "*", "input.branch", "output.status", "taint"]
--- a/ql/lib/ext/android-actions_setup-android.model.yml
+++ b/ql/lib/ext/android-actions_setup-android.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["android-actions/setup-android", "*", "input.cmdline-tools-version", "output.ANDROID_COMMANDLINE_TOOLS_VERSION", "taint"]
--- a/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
+++ b/ql/lib/ext/apple-actions_import-codesign-certs.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["apple-actions/import-codesign-certs", "*", "input.keychain-password", "output.keychain-password", "taint"]
--- a/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_read-json-property-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["ashley-taylor/read-json-property-action", "*", "input.json", "output.value", "taint"]
--- a/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
+++ b/ql/lib/ext/ashley-taylor_regex-property-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["ashley-taylor/regex-property-action", "*", "input.replacement", "output.value", "taint"]
+      - ["ashley-taylor/regex-property-action", "*", "input.value", "output.value", "taint"]
--- a/ql/lib/ext/aszc_change-string-case-action.model.yml
+++ b/ql/lib/ext/aszc_change-string-case-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["aszc/change-string-case-action", "*", "input.string", "output.capitalized", "taint"]
+      - ["aszc/change-string-case-action", "*", "input.replace-with", "output.uppercase", "taint"]
+      - ["aszc/change-string-case-action", "*", "input.replace-with", "output.lowercase", "taint"]
--- a/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
+++ b/ql/lib/ext/aws-actions_configure-aws-credentials.model.yml
@@ -0,0 +1,11 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "env.AWS_ACCESS_KEY_ID", "taint"]
+      - ["aws-actions/configure-aws-credentials", "*", "input.aws-access-key-id", "secret.AWS_ACCESS_KEY_ID", "taint"]
+      - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "env.AWS_SECRET_ACCESS_KEY", "taint"]
+      - ["aws-actions/configure-aws-credentials", "*", "input.aws-secret-access-key", "secret.AWS_SECRET_ACCESS_KEY", "taint"]
+      - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "env.AWS_SESSION_TOKEN", "taint"]
+      - ["aws-actions/configure-aws-credentials", "*", "input.aws-session-token", "secret.AWS_SESSION_TOKEN", "taint"]
--- a/ql/lib/ext/bobheadxi_deployments.model.yml
+++ b/ql/lib/ext/bobheadxi_deployments.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["bobheadxi/deployments", "*", "input.env", "output.env", "taint"]
--- a/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-breaking-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["bufbuild/buf-breaking-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
--- a/ql/lib/ext/bufbuild_buf-lint-action.model.yml
+++ b/ql/lib/ext/bufbuild_buf-lint-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["bufbuild/buf-lint-action", "*", "input.buf_token", "env.BUF_TOKEN", "taint"]
--- a/ql/lib/ext/cachix_cachix-action.model.yml
+++ b/ql/lib/ext/cachix_cachix-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["cachix/cachix-action", "*", "input.signingKey", "env.CACHIX_SIGNING_KEY", "taint"]
--- a/ql/lib/ext/coursier_cache-action.model.yml
+++ b/ql/lib/ext/coursier_cache-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["coursier/cache-action", "*", "input.path", "env.COURSIER_CACHE", "taint"]
--- a/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
+++ b/ql/lib/ext/crazy-max_ghaction-import-gpg.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["crazy-max/ghaction-import-gpg", "*", "input.fingerprint", "output.fingerprint", "taint"]
--- a/ql/lib/ext/csexton_release-asset-action.model.yml
+++ b/ql/lib/ext/csexton_release-asset-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["csexton/release-asset-action", "*", "input.release-url", "output.url", "taint"]
--- a/ql/lib/ext/delaguardo_setup-clojure.model.yml
+++ b/ql/lib/ext/delaguardo_setup-clojure.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["delaguardo/setup-clojure", "*", "input.boot", "env.BOOT_VERSION", "taint"]
--- a/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
+++ b/ql/lib/ext/franzdiebold_github-env-vars-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: sourceModel
+    data:
+      - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_DESCRIPTION", "pull_request_target", "PR body"]
+      - ["franzdiebold/github-env-vars-action", "*", "output.CI_PR_TITLE", "pull_request_target", "PR title"]
--- a/ql/lib/ext/game-ci_unity-test-runner.model.yml
+++ b/ql/lib/ext/game-ci_unity-test-runner.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["game-ci/unity-test-runner", "*", "input.artifactsPath", "output.artifactsPath", "taint"]
--- a/ql/lib/ext/getsentry_action-release.model.yml
+++ b/ql/lib/ext/getsentry_action-release.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["getsentry/action-release", "*", "input.version", "output.version", "taint"]
+      - ["getsentry/action-release", "*", "input.version_prefix", "output.version", "taint"]
--- a/ql/lib/ext/github_codeql-action.model.yml
+++ b/ql/lib/ext/github_codeql-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["github/codeql-action", "*", "input.output", "output.sarif-output", "taint"]
--- a/ql/lib/ext/gradle_gradle-build-action.model.yml
+++ b/ql/lib/ext/gradle_gradle-build-action.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["gradle/gradle-build-action", "*", "input.cache-encryption-key", "env.GRADLE_ENCRYPTION_KEY", "taint"]
+      - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-agree", "env.BUILD_SCAN_TERMS_OF_SERVICE_AGREE", "taint"]
+      - ["gradle/gradle-build-action", "*", "input.build-scan-terms-of-service-url", "env.BUILD_SCAN_TERMS_OF_SERVICE_URL", "taint"]
--- a/ql/lib/ext/haya14busa_action-cond.model.yml
+++ b/ql/lib/ext/haya14busa_action-cond.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["haya14busa/action-cond", "*", "input.if_true", "output.value", "taint"]
+      - ["haya14busa/action-cond", "*", "input.if_false", "output.value", "taint"]
--- a/ql/lib/ext/hexlet_project-action.model.yml
+++ b/ql/lib/ext/hexlet_project-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["hexlet/project-action", "*", "input.mount-path", "env.PWD", "taint"]
--- a/ql/lib/ext/jsdaniell_create-json.model.yml
+++ b/ql/lib/ext/jsdaniell_create-json.model.yml
@@ -0,0 +1,8 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["jsdaniell/create-json", "*", "input.name", "output.successfully", "taint"]
+      - ["jsdaniell/create-json", "*", "input.json", "output.successfully", "taint"]
+      - ["jsdaniell/create-json", "*", "input.dir", "output.successfully", "taint"]
--- a/ql/lib/ext/jwalton_gh-ecr-push.model.yml
+++ b/ql/lib/ext/jwalton_gh-ecr-push.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["jwalton/gh-ecr-push", "*", "input.image", "output.imageUrl", "taint"]
--- a/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
+++ b/ql/lib/ext/khan_pull-request-comment-trigger.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: sourceModel
+    data:
+      - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "issue_comment", ""]
+      - ["khan/pull-request-comment-trigger", "*", "output.comment_body", "pull_request_comment", ""]
--- a/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
+++ b/ql/lib/ext/larsoner_circleci-artifacts-redirector-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["larsoner/circleci-artifacts-redirector-action", "*", "input.artifact-path", "output.url", "taint"]
--- a/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
+++ b/ql/lib/ext/mad9000_actions-find-and-replace-string.model.yml
@@ -4,4 +4,4 @@ extensions:
      extensible: summaryModel
    data:
      - ["mad9000/actions-find-and-replace-string", "*", "input.source", "output.value", "taint"]
-      - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"]
+      - ["mad9000/actions-find-and-replace-string", "*", "input.replace", "output.value", "taint"]
--- a/ql/lib/ext/mattdavis0351_actions.model.yml
+++ b/ql/lib/ext/mattdavis0351_actions.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["mattdavis0351/actions", "*", "input.image-name", "output.imageUrl", "taint"]
+      - ["mattdavis0351/actions", "*", "input.tag", "output.imageUrl", "taint"]
--- a/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
+++ b/ql/lib/ext/metro-digital_setup-tools-for-waas.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["metro-digital/setup-tools-for-waas", "*", "input.gcp_sa_key", "env.GCLOUD_PROJECT", "taint"]
--- a/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
+++ b/ql/lib/ext/mishakav_pytest-coverage-comment.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["mishakav/pytest-coverage-comment", "*", "input.multiple-files", "output.summaryReport", "taint"]
--- a/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
+++ b/ql/lib/ext/mymindstorm_setup-emsdk.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["mymindstorm/setup-emsdk", "*", "input.actions-cache-folder", "env.EMSDK", "taint"]
--- a/ql/lib/ext/ruby_setup-ruby.model.yml
+++ b/ql/lib/ext/ruby_setup-ruby.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["ruby/setup-ruby", "*", "input.ruby-version", "output.ruby-prefix", "taint"]
--- a/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
+++ b/ql/lib/ext/salsify_action-detect-and-tag-new-version.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["salsify/action-detect-and-tag-new-version", "*", "input.tag-template", "output.tag", "taint"]
--- a/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
+++ b/ql/lib/ext/shallwefootball_upload-s3-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["shallwefootball/upload-s3-action", "*", "input.destination_dir", "output.object_key", "taint"]
--- a/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
+++ b/ql/lib/ext/shogo82148_actions-setup-perl.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["shogo82148/actions-setup-perl", "*", "input.working-directory", "env.PERL5LIB", "taint"]
--- a/ql/lib/ext/suisei-cn_actions-download-file.model.yml
+++ b/ql/lib/ext/suisei-cn_actions-download-file.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["suisei-cn/actions-download-file", "*", "input.filename", "output.filename", "taint"]
--- a/ql/lib/ext/timheuer_base64-to-file.model.yml
+++ b/ql/lib/ext/timheuer_base64-to-file.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: summaryModel
+    data:
+      - ["timheuer/base64-to-file", "*", "input.fileName", "output.filePath", "taint"]
+      - ["timheuer/base64-to-file", "*", "input.fileDir", "output.filePath", "taint"]
--- a/ql/lib/ext/tzkhan_pr-update-action.model.yml
+++ b/ql/lib/ext/tzkhan_pr-update-action.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: sourceModel
+    data:
+      - ["tzkhan/pr-update-action", "*", "output.headMatch", "pull_request_target", ""]
--- a/ql/lib/ext/xt0rted_slash-command-action.model.yml
+++ b/ql/lib/ext/xt0rted_slash-command-action.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: sourceModel
+    data:
+      - ["xt0rted/slash-command-action", "*", "output.command-arguments", "issue_comment", ""]
+      - ["xt0rted/slash-command-action", "*", "output.command-arguments", "pull_request_comment", ""]