hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-03 09:40:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
766 Commits 1,673 Branches 157 Tags
5bf02e73ea2ab7cc8e12ef8fd784df1a183f007a
Commit Graph

766 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Kylie Stradley
5bf02e73ea Update ql/src/Security/CWE-829/UnpinnedActionsTag.ql 
Co-authored-by: Alvaro Muñoz <pwntester@github.com>
 2024-11-04 11:30:29 -05:00
Kylie Stradley
40ec9d623d update existing tests to accomdate for trips from octokit2 example added to support unversioned immutable action ql 2024-10-24 16:55:44 -04:00
Kylie Stradley
030c08e5ae update expected from example originating from main branch merge 2024-10-24 16:54:27 -04:00
Kylie Stradley
f716222801 remove octokit from trusted orgs for now - reduce PR scope 2024-10-24 16:27:53 -04:00
Kylie Stradley
f8be8e768f Merge branch 'master' into immutable-actions 2024-10-24 15:25:31 -04:00
Kylie Stradley
df0c1e28e7 stub out qlhelp 2024-10-23 21:49:43 -04:00
Kylie Stradley
1c6d346f53 change ql message 2024-10-23 21:24:12 -04:00
Kylie Stradley
c9b1cd2c02 add workflow to catch some ineligible wildcards and eligible latest version for immutable actions 2024-10-23 21:18:04 -04:00
Alvaro Muñoz
dbcf113546 Bump qlpack versions 2024-10-23 22:04:01 +02:00
Alvaro Muñoz
b6a26e76d4 New azure models 2024-10-23 22:03:11 +02:00
Alvaro Muñoz
ae6309daf6 Account for tar -C option to specify path 2024-10-23 22:02:58 +02:00
Alvaro Muñoz
674afc5edd Improve labelgate accuracy 2024-10-23 15:48:42 +02:00
Alvaro Muñoz
9a0795cc75 Bump qlpack versions 2024-10-23 12:16:32 +02:00
Alvaro Muñoz
43211d3286 Update tests 2024-10-23 12:16:02 +02:00
Alvaro Muñoz
315ffdff8d Improve env var injection sanitizers 2024-10-23 12:15:54 +02:00
Alvaro Muñoz
fef37b6025 Remove pull_request from context event map so that accesss to github.event.pull_request are not considered a source for pull_request triggers 2024-10-23 12:15:26 +02:00
Alvaro Muñoz
c9bb42a46c Enforce a checkout kind of trigger to consider gh pr/gh api ... pulls as a source of untrusted data 2024-10-23 12:14:20 +02:00
Alvaro Muñoz
6298f2520e Bump qlpack versions 2024-10-23 10:37:33 +02:00
Alvaro Muñoz
d1d92ae68a Create getATriggerEvent for Steps and refactor the code to use it 2024-10-23 10:13:20 +02:00
Alvaro Muñoz
b2a3aaacfd Bump qlpack versions 2024-10-23 09:40:25 +02:00
Alvaro Muñoz
a057b9dd44 Add poisonable step for azure/powershell 2024-10-23 09:39:34 +02:00
Alvaro Muñoz
0738a66380 Add trigger event checks for all checkout models 2024-10-23 09:37:01 +02:00
Alvaro Muñoz
0cacb6feaf Bump qlpack versions 2024-10-22 22:42:51 +02:00
Alvaro Muñoz
42d4bb577c Better identification of checkout of untrusted code depending on the triggering events 2024-10-22 22:42:11 +02:00
Alvaro Muñoz
8f350d9068 Merge pull request #104 from github/new_gh_sources 
New gh CLI sources
 2024-10-22 21:36:19 +02:00
Alvaro Muñoz
02c5f74f20 New gh CLI sources 2024-10-22 14:57:59 +02:00
Alvaro Muñoz
54338f4f35 Bump qlpack versions 2024-10-22 11:19:48 +02:00
Alvaro Muñoz
9a7e33bf3f Merge pull request #103 from github/new_events 
Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events
 2024-10-22 11:19:13 +02:00
Alvaro Muñoz
da10ee74d3 Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events 2024-10-22 11:18:42 +02:00
Kylie Stradley
023e8cbe3e factor semver to separate function 2024-10-21 20:59:42 -04:00
Alvaro Muñoz
6dbbfa9672 Bump qlpack versions 2024-10-21 12:12:37 +02:00
Alvaro Muñoz
229d42b515 Add sonar-scanner-action as a poisonable step 2024-10-21 11:05:06 +02:00
Alvaro Muñoz
fc5a6703b3 Add github.event.sender.login as an Actor source 2024-10-19 17:01:47 +02:00
Alvaro Muñoz
e03ba55812 Account for checkout path on Untrusted Checkout Critical 2024-10-19 17:01:29 +02:00
Kylie Stradley
2d5cd1a61a WIP. todo: modify help text in query to be helpful, write qlhelp file, find out how to not release to customers 2024-10-18 16:51:31 -04:00
Kylie Stradley
e5508343b1 update unpinned actions tag test 2024-10-18 15:21:33 -04:00
Kylie Stradley
cf9b853a8f unversioned immutable actions wip 2024-10-17 16:14:03 -04:00
Kylie Stradley
325727ed6d recommend to add octokit to trusted orgs 2024-10-17 15:59:45 -04:00
Alvaro Muñoz
7cba2e07bc Bump qlpack versions 2024-10-17 21:40:40 +02:00
Alvaro Muñoz
c44c3bae9f Update tests 2024-10-17 21:39:58 +02:00
Alvaro Muñoz
8323819504 New sources for octokit/request-action 2024-10-17 15:51:00 +02:00
Alvaro Muñoz
a1047d155c Add new control checks using octokit/request-action 2024-10-17 14:48:53 +02:00
Alvaro Muñoz
6bf3eb79a9 Add sh as a bash-compatible POSIX shell 2024-10-17 10:44:43 +02:00
Alvaro Muñoz
b072cfa1f7 Add pwsh as the default shell for windows runners 2024-10-17 10:40:33 +02:00
Alvaro Muñoz
09f1fd1a81 Bump qlpack versions 2024-10-16 11:48:19 +02:00
Alvaro Muñoz
c5c3cd1726 Clean imports 2024-10-16 11:47:35 +02:00
Alvaro Muñoz
b49cd3b916 Better handling of EnvVar Injection and Argument Injection 2024-10-16 08:48:32 +02:00
Alvaro Muñoz
e2e1dddb36 Move arg injection sinks to ShellScript class 2024-10-15 09:48:01 +02:00
Alvaro Muñoz
2e5379f289 Update expected tests 2024-10-14 15:10:31 +02:00
Alvaro Muñoz
ff17d1dcb1 Add CmdI test 2024-10-14 12:50:11 +02:00