Paolo Tranquilli
b67644c127
Merge pull request #21986 from JarLob/userpermissions
Actions: Fix dominates() false positive in reusable workflows
2026-06-25 14:44:17 +02:00
Paolo Tranquilli
4b8cb3ffac
Fix false negative for branching nested reusable workflows
The previous fix required all outermost callers of a reusable workflow to
be protected, which collapsed distinct safe/unsafe inner paths that share
the same outermost caller. Track protection per caller chain instead: a
node inside a reusable workflow is only considered protected if there is
no unprotected caller path up to an outer workflow.
Adds a branching nested regression test where one inner job is protected
by a permission check and a sibling inner job is not.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-06-24 18:22:01 +02:00
Jaroslav Lobačevski
e2347a5c7d
Fix for independent checks
2026-06-23 11:52:11 +00:00
Jaroslav Lobačevski
2d6feb1255
Fix false negatives when one of the jobs had proper checks and the other didn't
2026-06-18 12:02:56 +00:00
Henry Mercer
1d11151135
Merge rc/3.22 into main
2026-06-17 10:41:44 +01:00
Jaroslav Lobačevski
d51a9a3e1a
Support nested reusable workflows
2026-06-15 06:52:13 +00:00
Jaroslav Lobačevski
2eed6c1736
Fix dominates() false positive in reusable workflows
2026-06-15 05:42:59 +00:00
Jaroslav Lobačevski
eedef515f7
Updated regex. Added test and change note.
2026-06-12 07:50:02 +00:00
Henry Mercer
f4dc86e645
Correct query metadata for actions/untrusted-checkout/medium
2026-06-04 19:12:02 +01:00
Kristen Newbury
5503140318
Merge branch 'main' into knewbury01/adjust-actions-queries-untrusted-checkout-second-iteration
2026-05-21 10:49:36 -04:00
Kristen Newbury
a094a8e460
Fix merge conflicts
2026-05-21 10:48:24 -04:00
Owen Mansel-Chan
2280955136
Merge pull request #21800 from knewbury01/knewbury01/adjust-actions-queries-untrusted-checkout-critical-alert
Actions: Adjust alert location UntrustedCheckoutCritical
2026-05-21 12:40:29 +01:00
Owen Mansel-Chan
ad69cfb721
Merge pull request #21838 from github/copilot/widen-regex-for-pinned-actions
Align `alphaNumericRegex()` with the documented grouped SHA pattern
2026-05-18 17:35:27 +01:00
Óscar San José
8a199f963d
Merge pull request #21692 from github/copilot/update-codeql-query-for-composite-actions
Extend `actions/unpinned-tag` to analyze composite action metadata (`action.yml` / `action.yaml`)
2026-05-18 12:17:13 +02:00
Kristen Newbury
3eaf04ef72
Fix expected files for changes to alert messages UntrustedCheckoutCritical and UntrustedCheckoutHigh
2026-05-14 15:05:08 -04:00
Owen Mansel-Chan
2067113177
Update expected test output
2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
ef1bde7565
Widen pinned SHA regex to support SHA-256 (64-char hex) and add tests
2026-05-12 22:40:03 +01:00
Kristen Newbury
3f44a23cf2
Adjust alert location UntrustedCheckoutCritical
2026-05-05 13:35:52 -04:00
Óscar San José
e598c56c64
update and fix tests
2026-04-20 12:38:06 +02:00
Jeroen Ketema
888d392040
Merge pull request #21636 from jketema/actions-perm
Actions: Correctly check reusable workflow permissions in `actions/missing-workflow-permissions`
2026-04-10 15:02:36 +02:00
copilot-swe-agent[bot]
ec12035ac2
Extend unpinned-tag query to scan composite action metadata
Agent-Logs-Url: https://github.com/github/codeql/sessions/c52790be-00f6-4250-b46b-38c05365ddd7
Co-authored-by: oscarsj <1410188+oscarsj@users.noreply.github.com>
2026-04-10 11:20:36 +00:00
Kristen Newbury
7b7411f7df
Change alert location CWE-829/ArtifactPoisoning queries
2026-04-08 08:57:45 -04:00
Kristen Newbury
41714656ec
Adjust alert messages actions CWE-829
2026-04-02 11:58:58 -04:00
Jeroen Ketema
47409d1c59
Actions: Update expected test results
2026-04-02 15:43:49 +02:00
Jeroen Ketema
5866bcc881
Actions: Add FP test for actions/missing-workflow-permissions
2026-04-02 15:41:41 +02:00
Chris Smowton
9018401722
Add test
2026-01-23 15:37:40 +00:00
Chris Smowton
6c2e0f7658
Move library tests into subdirectory
2026-01-23 15:35:25 +00:00
Owen Mansel-Chan
f6bdb3a126
Fix filtering of code injection alerts between medium and critical
2025-12-04 16:50:34 +00:00
Owen Mansel-Chan
e2acd1b668
Add test with push and workflow_dispatch triggers
This is based on push.yml, and it should still be found by
actions/code-injection/medium, but it isn't.
2025-12-04 16:50:33 +00:00
Henry Mercer
5310469d69
Actions: Update SecretExfiltration output for typo fix
2025-10-14 11:33:01 +01:00
Adnan Khan
07598e8b62
Add test results.
2025-07-11 05:59:13 +00:00
AdnaneKhan
1b794e056a
Add extra test suggested by @Napalys
2025-07-10 12:24:36 -04:00
Adnan Khan
e40e4c3856
Remove unneeded test file.
2025-07-09 23:06:18 -04:00
Adnan Khan
db954d6d9f
Merge branch 'main' into patch-1
2025-07-08 23:31:35 -07:00
Jaroslav Lobačevski
9393181c4e
Add tests and path normalization fix to handle $ expansion
2025-07-08 16:18:12 +00:00
AdnaneKhan
5d6a5d5cbb
Add change notes and test workflow file.
2025-07-08 10:35:39 -04:00
Aditya Sharad
2ecbecbd4b
Actions: Add stress test for complex command and string interpolation
Anonymised version of a customer report that led to
performance bottlenecks in Bash parsing.
No results are expected from either the query or the library tests.
2025-06-09 09:29:15 -07:00
Neil Mendum
1a1c9b4ea4
actions: add some missing permissions
2025-05-14 17:28:54 +01:00
yoff
80ae8794f5
actions: update test expectations
2025-04-01 17:07:57 +02:00
yoff
bd7c684c6c
actions: add test with empty permissions
2025-04-01 17:06:32 +02:00
yoff
e7bb47f335
ruby: add MaD model for permissions needed by actions
Use this to suggest a minimal set of needed permissions
2025-03-31 16:48:37 +02:00
Jaroslav Lobačevski
5f63fc2048
Fix potentially privileged pull request medium query
2025-03-20 20:23:07 +00:00
Andrew Eisenberg
2a0e133768
Move UnversionedImmutableAction.ql to experimental
This query will give too many false positives for users until
immutable actions is released.
2025-03-06 15:08:02 -08:00
Dave Bartolomeo
2dde9ab6b9
Move immutable-actions-list pack to codeql org
2025-02-27 12:30:11 -05:00
Dave Bartolomeo
86c5d9f1cd
Move list of immutable actions into internal model pack for now.
2025-02-27 11:48:27 -05:00
martincostello
31913c4a55
Fix test
Fix failing test.
2025-02-14 19:46:46 +00:00
Martin Costello
9a29cebe58
Fix docker SHA false positive
Fix false positives for pinned Docker container images.
2025-02-14 12:35:55 +00:00
Dave Bartolomeo
42562b5187
Merge pull request #18704 from github/dbartol/actions-suites
Actions: Move experimental queries to `experimental` directory
2025-02-07 10:03:31 -05:00
Dave Bartolomeo
e2ab65ea3e
Update qlref paths
2025-02-06 11:20:19 -05:00
Asger F
4ec84e9327
Actions: update expected output
2025-02-05 13:36:38 +01:00