diff --git a/checks/dangerous_workflow.go b/checks/dangerous_workflow.go
index 005a2c19353..f9a0e342137 100644
--- a/checks/dangerous_workflow.go
+++ b/checks/dangerous_workflow.go
@@ -466,8 +466,13 @@ func checkSecretInScript(script string, pos *actionlint.Pos, path string,
 return sce.WithMessage(sce.ErrScorecardInternal, errInvalidGitHubWorkflow.Error())
 }
 
+ // Note: The default GitHub token is allowed, as it has
+ // only read permission for `pull_request`.
+ // For `pull_request_event`, we use other signals such as
+ // whether checkout action is used.
 variable := strings.Trim(script[s:s+e+2], " ")
- if strings.Contains(variable, "secrets.") {
+ if !strings.Contains(variable, "secrets.GITHUB_TOKEN") &&
+ strings.Contains(variable, "secrets.") {
 line := fileparser.GetLineNumber(pos)
 dl.Warn(&checker.LogMessage{
 Path: path,
diff --git a/checks/dangerous_workflow_test.go b/checks/dangerous_workflow_test.go
index 065dae30ebc..fc2e018faaf 100644
--- a/checks/dangerous_workflow_test.go
+++ b/checks/dangerous_workflow_test.go
@@ -241,6 +241,28 @@ func TestGithubDangerousWorkflow(t *testing.T) {
 NumberOfDebug: 0,
 },
 },
+ {
+ name: "default secret in pull request",
+ filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml",
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MaxResultConfidence,
+ NumberOfWarn: 0,
+ NumberOfInfo: 0,
+ NumberOfDebug: 0,
+ },
+ },
+ {
+ name: "default secret in pull request target",
+ filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml",
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MinResultConfidence,
+ NumberOfWarn: 1,
+ NumberOfInfo: 0,
+ NumberOfDebug: 0,
+ },
+ },
 {
 name: "secret in top env no checkout pull request target",
 filename: "./testdata/.github/workflows/github-workflow-dangerous-pattern-secret-env-no-checkout-prt.yml",
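Review bot: The exemption on the new `if` is a plain substring test, so an expression that mentions the default token next to another secret — for example `${{ secrets.GITHUB_TOKEN || secrets.DEPLOY_KEY }}` (constructed name) or a `format()` call taking both — contains `secrets.GITHUB_TOKEN` and is never warned about, even though the second secret is exposed exactly as before; a user secret whose name merely starts with `GITHUB_TOKEN` is likewise allowed. Enumerate the `secrets.<NAME>` references in `variable` and warn when any name other than `GITHUB_TOKEN` appears, as sketched below (compile the regexp once at package scope; `regexp` may need importing if the file does not already have it). The added comment's `pull_request_event` is presumably meant to read `pull_request_target`, since that is the event for which the checkout signal is consulted. checkSecretInScript starts and ends outside the hunk.
```go
// Compiled once at package scope: one capture per `secrets.<NAME>` reference.
var secretRefRe = regexp.MustCompile(`secrets\.([A-Za-z_][A-Za-z0-9_]*)`)

// … unchanged: start of checkSecretInScript, `}}` lookup and error return …
	variable := strings.Trim(script[s:s+e+2], " ")
	// Warn on any secret other than the default token; a substring test
	// would let an expression that mixes both slip through unreported.
	hasNonDefaultSecret := false
	for _, m := range secretRefRe.FindAllStringSubmatch(variable, -1) {
		if m[1] != "GITHUB_TOKEN" {
			hasNonDefaultSecret = true
			break
		}
	}
	if hasNonDefaultSecret {
// … unchanged: line lookup and dl.Warn log message …
```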
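Review bot: Neither new case pins the boundary of the exemption: both fixtures reference only `secrets.GITHUB_TOKEN`, so a workflow expression that combines the default token with another secret inside one `${{ }}` would pass this suite whether or not it is warned about. Add a third `pull_request_target` fixture containing such a mixed expression and expect a warning for it, and one with a secret named like `GITHUB_TOKEN_EXTRA` (constructed name) to pin that the prefix alone does not exempt it. The single expected warning in the `pull_request_target` case presumably comes from the `actions/checkout` of the PR head rather than from the token, which is worth saying in the case name, e.g. `name: "default secret in pull request target (checkout warns, token does not)"`. TestGithubDangerousWorkflow starts and ends outside the hunk.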
diff --git a/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml
new file mode 100644
index 00000000000..9e927e8a00c
--- /dev/null
+++ b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-pr.yml
@@ -0,0 +1,36 @@
+name: Close issue on Jira
+
+on:
+ pull_request
+
+env:
+ BLA: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1.2.3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ name: Use in env toJson
+
+ - uses: some/action@v1.2.3
+ with:
+ option: ${{ secrets.GITHUB_TOKEN }}
+ name: Use secret in args
+
+ - name: Use in with toJson
+ env:
+ GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ echo "$GITHUB_CONTEXT"
+ echo "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Use in with toJson
+ uses: some/action@v1.2.3
+ env:
+ GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ echo "$GITHUB_CONTEXT"
+ echo "${{ secrets.GITHUB_TOKEN }}"
diff --git a/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml
new file mode 100644
index 00000000000..28e185b57cb
--- /dev/null
+++ b/checks/testdata/.github/workflows/github-workflow-dangerous-pattern-default-secret-prt.yml
@@ -0,0 +1,36 @@
+name: Close issue on Jira
+
+on:
+ pull_request_target
+
+env:
+ BLA: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+ test1:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1.2.3
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
+ name: Use in env toJson
+
+ - uses: some/action@v1.2.3
+ with:
+ option: ${{ secrets.GITHUB_TOKEN }}
+ name: Use secret in args
+
+ - name: Use in with toJson
+ env:
+ GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ echo "$GITHUB_CONTEXT"
+ echo "${{ secrets.GITHUB_TOKEN }}"
+
+ - name: Use in with toJson
+ uses: some/action@v1.2.3
+ env:
+ GITHUB_CONTEXT: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ echo "$GITHUB_CONTEXT"
+ echo "${{ secrets.GITHUB_TOKEN }}"