1818 azure-devops-pipelines :
1919 name : Azure DevOps Pipelines
2020 runs-on : ubuntu-latest
21+ # Require a reviewer to allow the workflow to run when coming from a fork
22+ environment : ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
2123 # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
2224 if : |
2325 (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
@@ -40,10 +42,12 @@ jobs:
4042name : Checkout scanner registry
4143 uses : actions/checkout@v4
4244 with :
45+ # Checkout the pull request's code to read the new tests.yaml
4346 fetch-depth : 0 # Need full history to detect changes
44- ref : ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
47+ repository : ${{ github.event.pull_request.head.repo.full_name }}
48+ ref : ${{ github.event.pull_request.head.sha }}
4549 - name : Run Tests
46- uses : boostsecurityio/scan-test-action@ea842b96e9b6cff51a3740c8aca3148790008773
50+ uses : boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
4751 with :
4852 provider : azure-devops
4953 provider-config : |
@@ -53,13 +57,18 @@ jobs:
5357 "project": "cicd-tools",
5458 "pipeline_id": 1
5559 }
56- registry-repo : " ${{ github.repository_owner }}/${{ github.event.repository.name }}"
57- base-ref : " ${{ github.base_ref }}"
60+ # Target the pull request's code to read the new module.yaml
61+ # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
62+ registry-repo : ${{ github.event.pull_request.head.repo.full_name }}
63+ registry-ref : ${{ github.event.pull_request.head.sha }}
64+ base-ref : ${{ github.event.pull_request.base.sha }}
5865 fallback-scanners : " boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
5966 allowed-env-prefixes : " CODEQL_,BOOST_"
6067 bitbucket-action :
6168 name : Bitbucket Pipelines
6269 runs-on : ubuntu-latest
70+ # Require a reviewer to allow the workflow to run when coming from a fork
71+ environment : ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
6372 # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
6473 if : |
6574 (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
@@ -79,10 +88,12 @@ jobs:
7988name : Checkout scanner registry
8089 uses : actions/checkout@v4
8190 with :
91+ # Checkout the pull request's code to read the new tests.yaml
8292 fetch-depth : 0 # Need full history to detect changes
83- ref : ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
93+ repository : ${{ github.event.pull_request.head.repo.full_name }}
94+ ref : ${{ github.event.pull_request.head.sha }}
8495 - name : Run Tests
85- uses : boostsecurityio/scan-test-action@ea842b96e9b6cff51a3740c8aca3148790008773
96+ uses : boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
8697 with :
8798 provider : bitbucket
8899 provider-config : |
@@ -91,14 +102,19 @@ jobs:
91102 "workspace": "boostsecurityio",
92103 "repo_slug": "scan-test-runner-bitbucket-pipelines"
93104 }
94- registry-repo : " ${{ github.repository_owner }}/${{ github.event.repository.name }}"
95- base-ref : " ${{ github.base_ref }}"
105+ # Target the pull request's code to read the new module.yaml
106+ # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
107+ registry-repo : ${{ github.event.pull_request.head.repo.full_name }}
108+ registry-ref : ${{ github.event.pull_request.head.sha }}
109+ base-ref : ${{ github.event.pull_request.base.sha }}
96110 fallback-scanners : " boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
97111 allowed-env-prefixes : " CODEQL_,BOOST_"
98112
99113 github-action :
100114 name : Github Actions
101115 runs-on : ubuntu-latest
116+ # Require a reviewer to allow the workflow to run when coming from a fork
117+ environment : ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
102118 # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
103119 if : |
104120 (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
@@ -115,10 +131,12 @@ jobs:
115131 - name : Checkout scanner registry
116132 uses : actions/checkout@v4
117133 with :
134+ # Checkout the pull request's code to read the new tests.yaml
118135 fetch-depth : 0 # Need full history to detect changes
119- ref : ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
136+ repository : ${{ github.event.pull_request.head.repo.full_name }}
137+ ref : ${{ github.event.pull_request.head.sha }}
120138 - name : Run Tests
121- uses : boostsecurityio/scan-test-action@ea842b96e9b6cff51a3740c8aca3148790008773
139+ uses : boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
122140 with :
123141 provider : github-actions
124142 provider-config : |
@@ -128,14 +146,19 @@ jobs:
128146 "repo": "scan-test-runner-gitbub-actions",
129147 "workflow_id": "test-scanner.yml"
130148 }
131- registry-repo : " ${{ github.repository_owner }}/${{ github.event.repository.name }}"
132- base-ref : " ${{ github.base_ref }}"
149+ # Target the pull request's code to read the new module.yaml
150+ # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
151+ registry-repo : ${{ github.event.pull_request.head.repo.full_name }}
152+ registry-ref : ${{ github.event.pull_request.head.sha }}
153+ base-ref : ${{ github.event.pull_request.base.sha }}
133154 fallback-scanners : " boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
134155 allowed-env-prefixes : " CODEQL_,BOOST_"
135156
136157 gitlab-ci :
137158 name : Gitlab-CI
138159 runs-on : ubuntu-latest
160+ # Require a reviewer to allow the workflow to run when coming from a fork
161+ environment : ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
139162 # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
140163 if : |
141164 (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
@@ -144,10 +167,12 @@ jobs:
144167 - name : Checkout scanner registry
145168 uses : actions/checkout@v4
146169 with :
170+ # Checkout the pull request's code to read the new tests.yaml
147171 fetch-depth : 0 # Need full history to detect changes
148- ref : ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
172+ repository : ${{ github.event.pull_request.head.repo.full_name }}
173+ ref : ${{ github.event.pull_request.head.sha }}
149174 - name : Run Tests
150- uses : boostsecurityio/scan-test-action@ea842b96e9b6cff51a3740c8aca3148790008773
175+ uses : boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
151176 with :
152177 provider : gitlab-ci
153178 provider-config : |
@@ -156,7 +181,10 @@ jobs:
156181 "api_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_READ_TOKEN }}",
157182 "project_id": "boostsecurityio/scan-test-runner-gitlab-ci"
158183 }
159- registry-repo : " ${{ github.repository_owner }}/${{ github.event.repository.name }}"
160- base-ref : " ${{ github.base_ref }}"
184+ # Target the pull request's code to read the new module.yaml
185+ # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
186+ registry-repo : ${{ github.event.pull_request.head.repo.full_name }}
187+ registry-ref : ${{ github.event.pull_request.head.sha }}
188+ base-ref : ${{ github.event.pull_request.base.sha }}
161189 fallback-scanners : " boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
162190 allowed-env-prefixes : " CODEQL_,BOOST_"
0 commit comments