diff --git a/checks/evaluation/dangerous_workflow.go b/checks/evaluation/dangerous_workflow.go
index 9abdeebdda2..0972855c3f9 100644
--- a/checks/evaluation/dangerous_workflow.go
+++ b/checks/evaluation/dangerous_workflow.go
@@ -19,6 +19,7 @@ import (
 	sce "github.com/ossf/scorecard/v4/errors"
 	"github.com/ossf/scorecard/v4/finding"
 	"github.com/ossf/scorecard/v4/probes/hasDangerousWorkflowScriptInjection"
+	"github.com/ossf/scorecard/v4/probes/hasDangerousWorkflowTrigger"
 	"github.com/ossf/scorecard/v4/probes/hasDangerousWorkflowUntrustedCheckout"
 )
 
@@ -28,6 +29,7 @@ func DangerousWorkflow(name string,
 ) checker.CheckResult {
 	expectedProbes := []string{
 		hasDangerousWorkflowScriptInjection.Probe,
+		hasDangerousWorkflowTrigger.Probe,
 		hasDangerousWorkflowUntrustedCheckout.Probe,
 	}
 
@@ -58,7 +60,8 @@ func DangerousWorkflow(name string,
 		}
 	}
 
-	if hasDWWithUntrustedCheckout(findings) || hasDWWithScriptInjection(findings) {
+	if hasDWWithUntrustedCheckout(findings) || hasDWWithScriptInjection(findings) ||
+		hasDWWithWorkflowRunTrigger(findings) {
 		return checker.CreateMinScoreResult(name, "dangerous workflow patterns detected")
 	}
 
@@ -101,3 +104,15 @@ func hasDWWithScriptInjection(findings []finding.Finding) bool {
 	}
 	return false
 }
+
+func hasDWWithWorkflowRunTrigger(findings []finding.Finding) bool {
+	for i := range findings {
+		f := &findings[i]
+		if f.Probe == hasDangerousWorkflowTrigger.Probe {
+			if f.Outcome == finding.OutcomeNegative {
+				return true
+			}
+		}
+	}
+	return false
+}
diff --git a/probes/entries.go b/probes/entries.go
index 0cd576852c0..27c53b49fb7 100644
--- a/probes/entries.go
+++ b/probes/entries.go
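Review bot: `hasDWWithWorkflowRunTrigger` in the last hunk repeats the loop shape of `hasDWWithScriptInjection` (whose tail `return false }` is visible just above it) with only the probe constant changed, so with a third copy a single helper taking the probe name would keep the three Dangerous-Workflow checks identical by construction and make the min-score branch in the third hunk easier to audit. Short of that, the nested `if` pair can collapse to one condition, `if f.Probe == hasDangerousWorkflowTrigger.Probe && f.Outcome == finding.OutcomeNegative {`. The function name says "WorkflowRun" while the probe it reads is the more generic `hasDangerousWorkflowTrigger`; if the probe is specific to the `workflow_run` event the name is fine, otherwise something like `hasDWWithDangerousTrigger` would keep the evaluation and probe names aligned. A one-line doc comment such as `// hasDWWithWorkflowRunTrigger reports whether the dangerous-trigger probe produced a negative finding.` would also match the other two helpers' role in the scoring decision.

```go
// hasNegativeOutcome reports whether any finding produced by probe has a negative outcome.
func hasNegativeOutcome(findings []finding.Finding, probe string) bool {
	for i := range findings {
		if findings[i].Probe == probe && findings[i].Outcome == finding.OutcomeNegative {
			return true
		}
	}
	return false
}

func hasDWWithWorkflowRunTrigger(findings []finding.Finding) bool {
	return hasNegativeOutcome(findings, hasDangerousWorkflowTrigger.Probe)
}
```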
@@ -177,6 +177,7 @@ var (
 	hasOSVVulnerabilities.Probe: hasOSVVulnerabilities.Run,
 	sastToolRunsOnAllCommits.Probe: sastToolRunsOnAllCommits.Run,
 	hasDangerousWorkflowScriptInjection.Probe: hasDangerousWorkflowScriptInjection.Run,
+	hasDangerousWorkflowTrigger.Probe: hasDangerousWorkflowTrigger.Run,
 	hasDangerousWorkflowUntrustedCheckout.Probe: hasDangerousWorkflowUntrustedCheckout.Run,
 	notArchived.Probe: notArchived.Run,
 	hasRecentCommits.Probe: hasRecentCommits.Run,
@@ -212,6 +213,7 @@ var (
 	hasOSVVulnerabilities.Probe: "Vulnerabilities",
 	sastToolRunsOnAllCommits.Probe: "SAST",
 	hasDangerousWorkflowScriptInjection.Probe: "Dangerous-Workflow",
+	hasDangerousWorkflowTrigger.Probe: "Dangerous-Workflow",
 	hasDangerousWorkflowUntrustedCheckout.Probe: "Dangerous-Workflow",
 	notArchived.Probe: "Maintained",
 	hasRecentCommits.Probe: "Maintained",