
🐛 Discard GitHub token in dangerous workflow check (#1772)
* Discard GitHub token in dangerous workflow check

* missing files
laurentsimon authored Mar 23, 2022
1 parent 66b3d8c commit 2bbbce7
Showing 4 changed files with 100 additions and 1 deletion.
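--- a/checks/dangerous_workflow.go
+++ b/checks/dangerous_workflow.go
@@ -466,8 +466,13 @@ func checkSecretInScript(script string, pos *actionlint.Pos, path string,
 return sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
 }
 
+// Note: The default GitHub token is allowed, as it has
+// only read permission for `pull_request`.
+// For `pull_request_event`, we use other signals such as
+// whether checkout action is used.
 variable := strings.Trim(script[s:s+e+2], " ")
-if strings.Contains(variable, "secrets.") {
+if !strings.Contains(variable, "secrets.GITHUB_TOKEN") &&
+strings.Contains(variable, "secrets.") {
 line := fileparser.GetLineNumber(pos)
 dl.Warn(&checker.LogMessage{
 Path: path,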
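Review bot: The exemption on the new `if !strings.Contains(variable, "secrets.GITHUB_TOKEN") &&` line tests the whole `${{ }}` expression as a substring, so an expression that mentions the default token together with any other secret — `secrets.GITHUB_TOKEN || secrets.DEPLOY_KEY`, or a `format()` call taking both — is no longer reported, although that second secret is exactly what this check exists to flag. Removing the allowed reference before testing keeps the exemption scoped to the token itself: `if strings.Contains(strings.ReplaceAll(variable, "secrets.GITHUB_TOKEN", ""), "secrets.") {`. The added comment should also read `pull_request_target` rather than `pull_request_event`, and it is worth stating there that the token is read-only only on `pull_request`; on `pull_request_target` it carries the repository's write permissions unless the workflow's `permissions:` block restricts it, which is why the other signals are needed. checkSecretInScript starts before this hunk and continues after it.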
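--- a/checks/dangerous_workflow_test.go
+++ b/checks/dangerous_workflow_test.go
@@ -241,6 +241,28 @@ func TestGithubDangerousWorkflow(t *testing.T) {
 NumberOfDebug: 0,
 },
 },
+{
+name: "default secret in pull request",
+filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml",
+expected: scut.TestReturn{
+Error: nil,
+Score: checker.MaxResultConfidence,
+NumberOfWarn: 0,
+NumberOfInfo: 0,
+NumberOfDebug: 0,
+},
+},
+{
+name: "default secret in pull request target",
+filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml",
+expected: scut.TestReturn{
+Error: nil,
+Score: checker.MinResultConfidence,
+NumberOfWarn: 1,
+NumberOfInfo: 0,
+NumberOfDebug: 0,
+},
+},
 {
 name: "secret in top env no checkout pull request target",
 filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-secret-env-no-checkout-prt.yml",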
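Review bot: The new "default secret in pull request target" case expects `NumberOfWarn: 1`, but the fixture it loads also checks out `github.event.pull_request.head.sha`, so that single warning is presumably the untrusted-checkout finding rather than anything from the secret check, and the case does not pin that `secrets.GITHUB_TOKEN` is still exempted under `pull_request_target`. A sibling fixture with the same token references and no checkout step (the existing naming already has a `no-checkout` variant) would assert that directly. A one-line comment on the case, `// The expected warning is the untrusted checkout, not the default token.`, would make the intent readable to the next maintainer. TestGithubDangerousWorkflow starts before this hunk and continues after it.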
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: Close issue on Jira

on:
pull_request

env:
BLA: ${{ secrets.GITHUB_TOKEN }}

jobs:
test1:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha }}
name: Use in env toJson

- uses: some/[email protected]
with:
option: ${{ secrets.GITHUB_TOKEN }}
name: Use secret in args

- name: Use in with toJson
env:
GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "$GITHUB_CONTEXT"
echo "${{ secrets.GITHUB_TOKEN }}"
- name: Use in with toJson
uses: some/[email protected]
env:
GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "$GITHUB_CONTEXT"
echo "${{ secrets.GITHUB_TOKEN }}"
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: Close issue on Jira

on:
pull_request_target

env:
BLA: ${{ secrets.GITHUB_TOKEN }}

jobs:
test1:
runs-on: ubuntu-latest
steps:
- uses: actions/[email protected]
with:
ref: ${{ github.event.pull_request.head.sha }}
name: Use in env toJson

- uses: some/[email protected]
with:
option: ${{ secrets.GITHUB_TOKEN }}
name: Use secret in args

- name: Use in with toJson
env:
GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "$GITHUB_CONTEXT"
echo "${{ secrets.GITHUB_TOKEN }}"
- name: Use in with toJson
uses: some/[email protected]
env:
GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "$GITHUB_CONTEXT"
echo "${{ secrets.GITHUB_TOKEN }}"
