Commit Graph

67 Commits

Author SHA1 Message Date
Paolo Tranquilli
b67644c127 Merge pull request #21986 from JarLob/userpermissions
Actions: Fix dominates() false positive in reusable workflows
2026-06-25 14:44:17 +02:00
Paolo Tranquilli
4b8cb3ffac Fix false negative for branching nested reusable workflows
The previous fix required all outermost callers of a reusable workflow to
be protected, which collapsed distinct safe/unsafe inner paths that share
the same outermost caller. Track protection per caller chain instead: a
node inside a reusable workflow is only considered protected if there is
no unprotected caller path up to an outer workflow.

Adds a branching nested regression test where one inner job is protected
by a permission check and a sibling inner job is not.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-24 18:22:01 +02:00
Jaroslav Lobačevski
e2347a5c7d Fix for independent checks 2026-06-23 11:52:11 +00:00
Jaroslav Lobačevski
2d6feb1255 Fix false negatives when one of the jobs had proper checks and the other didn't 2026-06-18 12:02:56 +00:00
Henry Mercer
1d11151135 Merge rc/3.22 into main 2026-06-17 10:41:44 +01:00
Jaroslav Lobačevski
d51a9a3e1a Support nested reusable workflows 2026-06-15 06:52:13 +00:00
Jaroslav Lobačevski
2eed6c1736 Fix dominates() false positive in reusable workflows 2026-06-15 05:42:59 +00:00
Jaroslav Lobačevski
eedef515f7 Updated regex. Added test and change note. 2026-06-12 07:50:02 +00:00
Henry Mercer
f4dc86e645 Correct query metadata for actions/untrusted-checkout/medium 2026-06-04 19:12:02 +01:00
Kristen Newbury
5503140318 Merge branch 'main' into knewbury01/adjust-actions-queries-untrusted-checkout-second-iteration 2026-05-21 10:49:36 -04:00
Kristen Newbury
a094a8e460 Fix merge conflicts 2026-05-21 10:48:24 -04:00
Owen Mansel-Chan
2280955136 Merge pull request #21800 from knewbury01/knewbury01/adjust-actions-queries-untrusted-checkout-critical-alert
Actions: Adjust alert location UntrustedCheckoutCritical
2026-05-21 12:40:29 +01:00
Owen Mansel-Chan
ad69cfb721 Merge pull request #21838 from github/copilot/widen-regex-for-pinned-actions
Align `alphaNumericRegex()` with the documented grouped SHA pattern
2026-05-18 17:35:27 +01:00
Óscar San José
8a199f963d Merge pull request #21692 from github/copilot/update-codeql-query-for-composite-actions
Extend `actions/unpinned-tag` to analyze composite action metadata (`action.yml` / `action.yaml`)
2026-05-18 12:17:13 +02:00
Kristen Newbury
3eaf04ef72 Fix expected files for changes to alert messages UntrustedCheckoutCritical and UntrustedCheckoutHigh 2026-05-14 15:05:08 -04:00
Owen Mansel-Chan
2067113177 Update expected test output 2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
ef1bde7565 Widen pinned SHA regex to support SHA-256 (64-char hex) and add tests 2026-05-12 22:40:03 +01:00
Kristen Newbury
3f44a23cf2 Adjust alert location UntrustedCheckoutCritical 2026-05-05 13:35:52 -04:00
Óscar San José
e598c56c64 update and fix tests 2026-04-20 12:38:06 +02:00
Jeroen Ketema
888d392040 Merge pull request #21636 from jketema/actions-perm
Actions: Correctly check reusable workflow permissions in `actions/missing-workflow-permissions`
2026-04-10 15:02:36 +02:00
copilot-swe-agent[bot]
ec12035ac2 Extend unpinned-tag query to scan composite action metadata
Agent-Logs-Url: https://github.com/github/codeql/sessions/c52790be-00f6-4250-b46b-38c05365ddd7

Co-authored-by: oscarsj <1410188+oscarsj@users.noreply.github.com>
2026-04-10 11:20:36 +00:00
Kristen Newbury
7b7411f7df Change alert location CWE-829/ArtifactPoisoning queries 2026-04-08 08:57:45 -04:00
Kristen Newbury
41714656ec Adjust alert messages actions CWE-829 2026-04-02 11:58:58 -04:00
Jeroen Ketema
47409d1c59 Actions: Update expected test results 2026-04-02 15:43:49 +02:00
Jeroen Ketema
5866bcc881 Actions: Add FP test for actions/missing-workflow-permissions 2026-04-02 15:41:41 +02:00
Chris Smowton
9018401722 Add test 2026-01-23 15:37:40 +00:00
Chris Smowton
6c2e0f7658 Move library tests into subdirectory 2026-01-23 15:35:25 +00:00
Owen Mansel-Chan
f6bdb3a126 Fix filtering of code injection alerts between medium and critical 2025-12-04 16:50:34 +00:00
Owen Mansel-Chan
e2acd1b668 Add test with push and workflow_dispatch triggers
This is based on push.yml, and it should still be found by
actions/code-injection/medium, but it isn't.
2025-12-04 16:50:33 +00:00
Henry Mercer
5310469d69 Actions: Update SecretExfiltration output for typo fix 2025-10-14 11:33:01 +01:00
Adnan Khan
07598e8b62 Add test results. 2025-07-11 05:59:13 +00:00
AdnaneKhan
1b794e056a Add extra test suggested by @Napalys 2025-07-10 12:24:36 -04:00
Adnan Khan
e40e4c3856 Remove unneeded test file. 2025-07-09 23:06:18 -04:00
Adnan Khan
db954d6d9f Merge branch 'main' into patch-1 2025-07-08 23:31:35 -07:00
Jaroslav Lobačevski
9393181c4e Add tests and path normalization fix to handle $ expansion 2025-07-08 16:18:12 +00:00
AdnaneKhan
5d6a5d5cbb Add change notes and test workflow file. 2025-07-08 10:35:39 -04:00
Aditya Sharad
2ecbecbd4b Actions: Add stress test for complex command and string interpolation
Anonymised version of a customer report that led to
performance bottlenecks in Bash parsing.
No results are expected from both query and library tests.
2025-06-09 09:29:15 -07:00
Neil Mendum
1a1c9b4ea4 actions: add some missing permissions 2025-05-14 17:28:54 +01:00
yoff
80ae8794f5 actions: update test expectations 2025-04-01 17:07:57 +02:00
yoff
bd7c684c6c actions: add test with empty permissions 2025-04-01 17:06:32 +02:00
yoff
e7bb47f335 ruby: add MaD model for permissions needed by actions
Use this to suggest minimal set of nedded permissions
2025-03-31 16:48:37 +02:00
Jaroslav Lobačevski
5f63fc2048 Fix potentially privileged pull request medium query 2025-03-20 20:23:07 +00:00
Andrew Eisenberg
2a0e133768 Move UnversionedImmutableAction.ql to experimental
This query will give too many false positives for users until
immutable actions is released.
2025-03-06 15:08:02 -08:00
Dave Bartolomeo
2dde9ab6b9 Move immutable-actions-list pack to codeql org 2025-02-27 12:30:11 -05:00
Dave Bartolomeo
86c5d9f1cd Move list of immutable actions into internal model pack for now. 2025-02-27 11:48:27 -05:00
martincostello
31913c4a55 Fix test
Fix failing test.
2025-02-14 19:46:46 +00:00
Martin Costello
9a29cebe58 Fix docker SHA false positive
Fix false positives for pinned Docker container images.
2025-02-14 12:35:55 +00:00
Dave Bartolomeo
42562b5187 Merge pull request #18704 from github/dbartol/actions-suites
Actions: Move experimental queries to `experimental` directory
2025-02-07 10:03:31 -05:00
Dave Bartolomeo
e2ab65ea3e Update qlref paths 2025-02-06 11:20:19 -05:00
Asger F
4ec84e9327 Actions: update expected output 2025-02-05 13:36:38 +01:00