feat(cli): complete actions audit workflow scanner with secrets-in-run and third-party-action rules#437
Draft
Copilot wants to merge 3 commits into
Draft
feat(cli): complete actions audit workflow scanner with secrets-in-run and third-party-action rules#437Copilot wants to merge 3 commits into
actions audit workflow scanner with secrets-in-run and third-party-action rules#437Copilot wants to merge 3 commits into
Conversation
|
Meticulous was unable to execute a test run for this PR because the most recent commit is associated with multiple PRs. To execute a test run, please try pushing up a new commit that is only associated with this PR. Last updated for commit |
Add two missing security audit rules to auditWorkflowContent:
- secrets-in-run (high): detects ${{ secrets.* }} interpolated
directly in `run:` steps (both inline and block styles), which
can leak secret values in GitHub Actions workflow logs.
- third-party-action (low): flags `uses:` references from outside
the set of well-known trusted organisations (actions/, github/,
aws-actions/, azure/, docker/, hashicorp/, google-github-actions/,
slsa-framework/) that are not pinned to an immutable 40-char SHA
digest.
Also adds four new tests for these rules:
- detects secrets interpolated in run steps
- does not flag secrets used in env: blocks
- flags third-party actions not pinned to a SHA
- does not flag trusted-org actions or SHA-pinned actions
Closes #422
…ar regex Address code review feedback: - Track reported third-party actions in a Set to prevent duplicate findings when the same action appears multiple times in a workflow - Tighten block scalar regex from [|>][^\n]* to [|>][-+]?\d*[^\n]* to only match valid YAML block scalar indicators (optional chomping indicator +/- and optional explicit indentation digit)
Copilot
AI
changed the title
[WIP] Add actions audit workflow scanner to sh1pt CLI
feat(cli): complete May 25, 2026
actions audit workflow scanner with secrets-in-run and third-party-action rules
ralyodio
approved these changes
May 25, 2026
vu1nz Security Review0 finding(s) in PR #? No security issues found. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
sh1pt build actions auditwas missing two of the eight security rules called out in the issue. This PR fills the gaps so the scanner covers all requested patterns.New audit rules
secrets-in-run${{ secrets.* }}interpolated directly in arun:step — leaks plaintext into workflow logsthird-party-actionuses:from outside trusted orgs (actions/, github/, aws-actions/, azure/, docker/, hashicorp/, google-github-actions/, slsa-framework/) not pinned to a 40-char SHA digestFull rule coverage after this PR
unpinned-action-branchwrite-all-permissionspull-request-targetcurl-pipe-bash/wget-pipe-bashsecrets-in-run✨missing-permissionsunpinned-docker-imagethird-party-action✨Example
Implementation notes
secrets-in-runregex handles both inline (- run: cmd ${{ secrets.X }}) and YAML block-scalar forms (- run: |\n cmd ${{ secrets.X }})third-party-actiondeduplicates findings per action ref (same action used in multiple jobs only reported once)[|>][-+]?\d*to match only valid YAML chomping/indentation indicators