From 3644e98166a3848b29e67ecdfdc487fd64a2e890 Mon Sep 17 00:00:00 2001 From: Gerardo Di Giacomo Date: Thu, 10 Aug 2023 12:32:34 -0700 Subject: [PATCH] add semgrep for github workflows (#9522) add semgrep for GitHub workflows --- .../pull-request-target-code-checkout.yaml | 59 +++++++++++++++++++ .github/workflows/semgrep.yaml | 24 ++++++++ 2 files changed, 83 insertions(+) create mode 100644 .github/linters/semgrep/pull-request-target-code-checkout.yaml create mode 100644 .github/workflows/semgrep.yaml diff --git a/.github/linters/semgrep/pull-request-target-code-checkout.yaml b/.github/linters/semgrep/pull-request-target-code-checkout.yaml new file mode 100644 index 0000000000000..1348d505f6c36 --- /dev/null +++ b/.github/linters/semgrep/pull-request-target-code-checkout.yaml @@ -0,0 +1,59 @@ +rules: + - id: pull-request-target-code-checkout + languages: + - yaml + message: This GitHub Actions workflow file uses `pull_request_target` and checks + out code from the incoming pull request. When using `pull_request_target`, + the Action runs in the context of the target repository, which includes + access to all repository secrets. Please ensure you have `permission-check` + enabled for the jobs that check out code. Please see + https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + for additional mitigations. + metadata: + category: security + owasp: + - A01:2021 - Broken Access Control + cwe: + - "CWE-913: Improper Control of Dynamically-Managed Code Resources" + references: + - https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ + - https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md + technology: + - github-actions + subcategory: + - audit + likelihood: MEDIUM + impact: LOW + confidence: MEDIUM + license: Commons Clause License Condition v1.0[LGPL-2.1-only] + vulnerability_class: + - Code Injection + patterns: + - pattern-either: + - pattern-inside: | + on: + ... + pull_request_target: ... + ... + ... + - pattern-inside: | + on: [..., pull_request_target, ...] + ... + - pattern-inside: | + on: pull_request_target + ... + - pattern-inside: | + jobs: + ... + $JOBNAME: + ... + - pattern-not-inside: | + needs: [permission-check] + ... + - pattern: | + ... + uses: "$ACTION" + - metavariable-regex: + metavariable: $ACTION + regex: actions/checkout@.* + severity: WARNING diff --git a/.github/workflows/semgrep.yaml b/.github/workflows/semgrep.yaml new file mode 100644 index 0000000000000..320f35904f60e --- /dev/null +++ b/.github/workflows/semgrep.yaml @@ -0,0 +1,24 @@ +name: Semgrep + +on: + workflow_dispatch: + pull_request: + types: [labeled, opened, synchronize, reopened, auto_merge_enabled] + +jobs: + semgrep: + name: semgrep/ci + runs-on: ubuntu-latest + + container: + image: returntocorp/semgrep + + # Skip any PR created by dependabot to avoid permission issues: + if: (github.actor != 'dependabot[bot]') + + steps: + - uses: actions/checkout@v3 + - run: semgrep ci + env: + SEMGREP_RULES: >- + ./.github/linters/semgrep/pull-request-target-code-checkout.yaml