2 files changed, +58 -0 lines changed
1+ name : Scan GitHub Action workflows files for security issues
2+
3+ on :
4+ pull_request : {}
5+ workflow_dispatch : {}
6+ push :
7+ paths :
8+ - ' .github/workflows/**.ya?ml'
9+
10+ permissions :
11+ contents : read
12+ security-events : write
13+
14+ jobs :
15+ semgrep :
16+ name : semgrep-oss/scan
17+ runs-on : ubuntu-latest
18+
19+ container :
20+ image : semgrep/semgrep
21+
22+ # Skip any PR created by dependabot to avoid permission issues:
23+ if : (github.actor != 'dependabot[bot]')
24+
25+ steps :
26+ - name : Checkout Code
27+ uses : actions/checkout@v4
28+
29+
30+ - name : Run Actions semgrep scan
31+ run : semgrep scan --sarif --config semgrep-rules/actions >> semgrep-results-actions.sarif
32+
33+ - name : Save Actions SARIF results as artifact
34+ uses : actions/upload-artifact@v4
35+ with :
36+ name : semgrep-scan-results-actions
37+ path : semgrep-results-actions.sarif
38+
39+ - name : Upload Actions SARIF result to the GitHub Security Dashboard
40+ uses : github/codeql-action/upload-sarif@v3
41+ with :
42+ sarif_file : semgrep-results-actions.sarif
43+ if : always()
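Review bot: the `security-events: write` grant will not take effect for pull requests from forks, where the workflow's GITHUB_TOKEN is read-only regardless of the `permissions` block, so the `upload-sarif` step (which also runs under `if: always()`) will fail on every fork PR and not only on dependabot's; either guard that step on the PR coming from the same repository (e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`) or accept that the artifact upload is the only output for fork PRs. Because this workflow exists to enforce workflow hygiene, it would also be worth pinning `actions/checkout`, `actions/upload-artifact` and `github/codeql-action/upload-sarif` to full commit SHAs rather than the mutable `@v4` / `@v3` tags. Finally, `run : semgrep scan --sarif --config semgrep-rules/actions >> semgrep-results-actions.sarif` appends to the results file; `>` (or semgrep's own `--output semgrep-results-actions.sarif`) states the intent more clearly and cannot produce a concatenated, invalid SARIF document if the file ever already exists.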

1+ rules :
2+ - id : pull-request-target-needs-exception
3+ languages :
4+ - yaml
5+ severity : WARNING
6+ message : pull_request_target for Google repos is only approved by exception.
7+ metadata :
8+ category : best-practice
9+ technology :
10+ - github-actions
11+ patterns :
12+ - pattern-either :
13+ - patterns :
14+ - pattern-inside : " {on: ...}"
15+ - pattern : pull_request_target
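Review bot: the `patterns` -> `pattern-either` -> `patterns` nesting at the end of the rule has only one alternative, so it can be flattened to a single `patterns:` list holding the `pattern-inside` and the `pattern`, which matches the same thing and reads more clearly; the leading space inside `" {on: ...}"` also looks accidental and should be `"{on: ...}"` if that is what was intended. The rule also ships without a test fixture: a sibling `.yaml` file exercising both the mapping form (`on: { pull_request_target: ... }`) and the list form (`on: [push, pull_request_target]`) of the trigger, annotated with `# ruleid:` / `# ok:` markers for `semgrep --test`, would document what the rule is meant to catch and guard against one of the two forms silently not matching. Lastly, the `message` says the trigger is approved by exception only but gives no pointer to where an exception is requested; a link in the message or in `metadata` would let authors act on the finding.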
0 commit comments