feat: add GitHub workflow semgrep rules #12
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| ... | ||
| workflow_run: ... | ||
| ... | ||
| ... |
There was a problem hiding this comment.
Rule missing array and single-value trigger patterns
Medium Severity
The workflow-run-target-code-checkout rule only matches the map form of the on: trigger (on: with indented workflow_run:), but is missing patterns for array form (on: [..., workflow_run, ...]) and single value form (on: workflow_run). The similar pull-request-target-code-checkout rule correctly uses pattern-either with all three forms. This inconsistency means workflows using shorthand trigger syntax won't be scanned for dangerous checkout patterns, potentially missing security vulnerabilities.
| regex: actions/cache@.+ | ||
| paths: | ||
| include: | ||
| - ".github/**/*publish*.yml" No newline at end of file |
There was a problem hiding this comment.
Duplicate rule with less comprehensive pattern coverage
Medium Severity
The diff adds a publish-actions-cache-used rule inside checkout-pr-on-issue-comment.yaml, but a more comprehensive rule with the same ID already exists in publish-actions-cache-used.yaml. The existing rule uses pattern-either to detect both direct actions/cache@... usage AND the cache: option in actions/setup-node@.... The duplicate rule only detects direct cache action usage. This creates conflicting rule definitions and the test file expects both patterns to match (see cache: yarn test case at line 30-31 of the test file), which the new rule cannot satisfy.
| likelihood: MEDIUM | ||
| impact: HIGH | ||
| confidence: MEDIUM | ||
| regex: actions/cache@.+ |
There was a problem hiding this comment.
Stray orphan regex line in semgrep rule file
High Severity
The line regex: actions/cache@.+ at line 52 is orphaned text that doesn't belong in this rule file. It sits between the metadata section (ending with confidence: MEDIUM) and the paths section, with incorrect indentation that doesn't match any valid YAML structure. This appears to be leftover from a copy-paste error or merge conflict from another rule. This will cause the semgrep rule to either fail to parse or behave unexpectedly.
| regex: actions/cache@.+ | ||
| paths: | ||
| include: | ||
| - ".github/**/*publish*.yml" |
There was a problem hiding this comment.
Overly restrictive paths filter limits rule effectiveness
High Severity
The paths filter restricts this rule to only scan files matching .github/**/*publish*.yml. This is a leftover from when the file was copied from publish-actions-cache-used.yaml. The security issue being detected (PR checkout triggered by issue_comment) is a general concern that can occur in any workflow file, not just publish workflows. This causes the rule to miss legitimate security vulnerabilities in non-publish workflow files. All other similar rules in this PR have no such restrictive path filters.
This pull request adds GitHub specific Semgrep rules to the security code scanner. These rules help flag a variety of pitfalls a developer may encounter during development of GitHub workflows
Identical PR to MetaMask/action-security-code-scanner#73
Note
Introduces security-focused Semgrep rules for GitHub Actions with accompanying test workflows.
gh pr checkoutin workflows triggered byissue_comment(checkout-pr-on-issue-comment.yaml)curlfollowed byevalinrunsteps (curl-eval.yaml)githubcontext inactions/github-scriptscript:blocks (github-script-injection.yaml)githubcontext interpolation inrun:shell commands (run-shell-injection.yaml)actions/checkoutof PR code inpull_request_targetworkflows (pull-request-target-code-checkout.yaml)actions/checkoutof external code inworkflow_runworkflows (workflow-run-target-code-checkout.yaml)Includes concise test cases under
rules/test/github-actions/*.test.yamldemonstrating rule hits and safe examples.Written by Cursor Bugbot for commit 070b5c0. This will update automatically on new commits. Configure here.