Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add semgrep for github workflows #9522

Merged
merged 5 commits into from
Aug 10, 2023
Merged

add semgrep for github workflows #9522

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c9340bc
add semgrep for github workflows
gedigi Aug 7, 2023
fbbeefc
Update semgrep.yaml
gedigi Aug 7, 2023
2a3546e
temp remove permission-check to test semgrep
gedigi Aug 8, 2023
d9bbe02
revert workflow changes
gedigi Aug 8, 2023
b76f8b7
Update semgrep.yaml
gedigi Aug 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions .github/linters/semgrep/pull-request-target-code-checkout.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
rules:
- id: pull-request-target-code-checkout
languages:
- yaml
message: This GitHub Actions workflow file uses `pull_request_target` and checks
out code from the incoming pull request. When using `pull_request_target`,
the Action runs in the context of the target repository, which includes
access to all repository secrets. Please ensure you have `permission-check`
enabled for the jobs that check out code. Please see
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
for additional mitigations.
metadata:
category: security
owasp:
- A01:2021 - Broken Access Control
cwe:
- "CWE-913: Improper Control of Dynamically-Managed Code Resources"
references:
- https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
- https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md
technology:
- github-actions
subcategory:
- audit
likelihood: MEDIUM
impact: LOW
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Code Injection
patterns:
- pattern-either:
- pattern-inside: |
on:
...
pull_request_target: ...
...
...
- pattern-inside: |
on: [..., pull_request_target, ...]
...
- pattern-inside: |
on: pull_request_target
...
- pattern-inside: |
jobs:
...
$JOBNAME:
...
- pattern-not-inside: |
needs: [permission-check]
...
- pattern: |
...
uses: "$ACTION"
- metavariable-regex:
metavariable: $ACTION
regex: actions/checkout@.*
severity: WARNING
25 changes: 25 additions & 0 deletions .github/workflows/semgrep.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
name: Semgrep

on:
workflow_dispatch:
push:
paths:
- '.github/**'

jobs:
semgrep:
name: semgrep/ci
runs-on: ubuntu-latest

container:
image: returntocorp/semgrep

# Skip any PR created by dependabot to avoid permission issues:
if: (github.actor != 'dependabot[bot]')

steps:
- uses: actions/checkout@v3
- run: semgrep ci
env:
SEMGREP_RULES: >-
./.github/linters/semgrep/pull-request-target-code-checkout.yaml