feat: fluxgate v0.6.0 — bot TOCTOU detection, dispatch injection, attack correlation

FG-011: New rule detects bot actor guard TOCTOU bypass risk on
pull_request_target and workflow_run triggers. Bot actor guards
(dependabot[bot], renovate[bot]) no longer suppress FG-001 findings
to info — capped at high to reflect TOCTOU bypassability.

FG-002 extended: workflow_dispatch inputs and workflow_call inputs
now detected as injectable expressions (github.event.inputs.*,
inputs.*).

FG-001+FG-002 correlation: post-scan pass merges co-occurring pwn
request and script injection findings into a single enhanced finding
referencing the Ultralytics attack pattern.

Triage prompts added with BoostSecurity attack taxonomy (pipeline
parasitism, transitive action compromise, bot TOCTOU, Shai-Hulud,
Ultralytics chain).

21 rules across 3 platforms, 69 tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: north-echo

README.md

@@ -22,13 +22,40 @@ go install github.com/north-echo/fluxgate/cmd/fluxgate@latest
 
 ## What It Detects
 
+### GitHub Actions (FG-xxx)
+
 | Rule    | Severity | Description |
 |---------|----------|-------------|
 | FG-001  | Critical | Pwn Request: pull_request_target with fork checkout |
-| FG-002  | High     | Script Injection via expression interpolation |
+| FG-002  | High     | Script Injection via expression interpolation (PR context, dispatch inputs, reusable workflow inputs) |
 | FG-003  | Medium   | Tag-based action pinning (mutable references) |
 | FG-004  | Medium   | Overly broad workflow permissions |
 | FG-005  | Low      | Secrets exposed in workflow logs |
+| FG-006  | Medium   | Fork PR code execution via build hooks |
+| FG-007  | Medium   | Inconsistent GITHUB_TOKEN blanking |
+| FG-008  | Critical | OIDC misconfiguration on external triggers |
+| FG-009  | High     | Self-hosted runner on external triggers |
+| FG-010  | High     | Cache poisoning via shared cache on PR workflows |
+| FG-011  | Medium   | Bot actor guard TOCTOU bypass risk |
+
+### GitLab CI (GL-xxx)
+
+| Rule    | Severity | Description |
+|---------|----------|-------------|
+| GL-001  | High     | Merge request pipeline with privileged variables |
+| GL-002  | High     | Script injection via CI predefined variables |
+| GL-003  | Medium   | Unpinned include templates |
+
+### Azure Pipelines (AZ-xxx)
+
+| Rule    | Severity | Description |
+|---------|----------|-------------|
+| AZ-001  | High     | Fork PR builds with secret/variable group exposure |
+| AZ-002  | High     | Script injection via Azure predefined variables |
+| AZ-003  | Medium   | Unpinned template extends and repository resources |
+| AZ-009  | High     | Self-hosted agent pools on PR-triggered pipelines |
+
+**21 rules across 3 CI/CD platforms.**
 
 ## Why This Exists
 

cmd/fluxgate/main.go

@@ -16,7 +16,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var version = "0.5.0"
+var version = "0.6.0"
 
 func main() {
 	rootCmd := &cobra.Command{

internal/report/table.go

@@ -11,7 +11,7 @@ import (
 
 // WriteTable writes findings as a human-readable table.
 func WriteTable(w io.Writer, result *scanner.ScanResult) {
-	fmt.Fprintln(w, "fluxgate v0.5.0 — CI/CD Pipeline Security Gate")
+	fmt.Fprintln(w, "fluxgate v0.6.0 — CI/CD Pipeline Security Gate")
 	fmt.Fprintln(w)
 	fmt.Fprintf(w, "Scanning: %s\n\n", result.Path)
 

internal/scanner/rules.go

@@ -22,6 +22,7 @@ func AllRules() map[string]Rule {
 		"FG-008": CheckOIDCMisconfiguration,
 		"FG-009": CheckSelfHostedRunner,
 		"FG-010": CheckCachePoisoning,
+		"FG-011": CheckBotActorTOCTOU,
 	}
 }
 
@@ -37,6 +38,7 @@ var RuleDescriptions = map[string]string{
 	"FG-008": "OIDC Misconfiguration",
 	"FG-009": "Self-Hosted Runner",
 	"FG-010": "Cache Poisoning",
+	"FG-011": "Bot Actor Guard TOCTOU",
 }
 
 // ExecutionAnalysis captures the result of post-checkout step analysis.
@@ -147,10 +149,16 @@ func CheckPwnRequest(wf *Workflow) []Finding {
 		mitigation := analyzeMitigations(wf, job, checkoutIdx, postCheckoutSteps, checkoutPath)
 		mitigated := false
 
-		if mitigation.ForkGuard || mitigation.ActorGuard {
+		if mitigation.ForkGuard {
 			severity = SeverityInfo
 			confidence = ConfidencePatternOnly
 			mitigated = true
+		} else if mitigation.ActorGuard {
+			// Bot actor guards are bypassable via TOCTOU — cap at high, never suppress
+			if severity == SeverityCritical {
+				severity = SeverityHigh
+			}
+			mitigated = true
 		} else if mitigation.LabelGated && mitigation.EnvironmentGated {
 			severity = downgradeBy(severity, 2)
 			mitigated = true
@@ -368,6 +376,8 @@ func CheckScriptInjection(wf *Workflow) []Finding {
 		"github.event.head_commit.message",
 		"github.head_ref",
 		"github.event.workflow_run.head_branch",
+		"github.event.inputs.",
+		"inputs.",
 	}
 
 	var findings []Finding
@@ -1367,6 +1377,98 @@ func CheckCachePoisoning(wf *Workflow) []Finding {
 	return findings
 }
 
+// CheckBotActorTOCTOU detects workflows where a bot actor guard (e.g.,
+// if: github.actor == 'dependabot[bot]') protects a fork checkout + execution
+// path that may be bypassable via TOCTOU: an attacker updates their PR commit
+// after the bot triggers the workflow but before the runner resolves the SHA (FG-011).
+func CheckBotActorTOCTOU(wf *Workflow) []Finding {
+	if !wf.On.PullRequestTarget && !wf.On.WorkflowRun {
+		return nil
+	}
+
+	var findings []Finding
+	for jobName, job := range wf.Jobs {
+		// Must have a bot actor guard
+		isBot := false
+		if job.If != "" {
+			isBot, _ = containsActorGuard(job.If)
+		}
+		// Also check needs chain for inherited actor guards
+		if !isBot {
+			for _, depName := range job.Needs {
+				if dep, ok := wf.Jobs[depName]; ok {
+					if dep.If != "" {
+						isBot, _ = containsActorGuard(dep.If)
+						if isBot {
+							break
+						}
+					}
+				}
+			}
+		}
+		if !isBot {
+			continue
+		}
+
+		// Must have fork checkout
+		checkoutIdx := -1
+		checkoutPath := ""
+		for i, step := range job.Steps {
+			if isCheckoutAction(step.Uses) && refPointsToPRHead(step.With["ref"]) {
+				checkoutIdx = i
+				checkoutPath = step.With["path"]
+				break
+			}
+		}
+		if checkoutIdx == -1 {
+			continue
+		}
+
+		// Must have post-checkout execution
+		postCheckoutSteps := job.Steps[checkoutIdx+1:]
+		execResult := analyzePostCheckoutExecution(postCheckoutSteps)
+
+		// Also check path isolation — if fork code is isolated and not executed, skip
+		if checkoutPath != "" {
+			hasForkExec := false
+			for _, step := range postCheckoutSteps {
+				if step.Run != "" && referencesForkPath(step.Run, checkoutPath) {
+					hasForkExec = true
+					break
+				}
+			}
+			if !hasForkExec && !execResult.Confirmed && !execResult.Likely {
+				continue
+			}
+		} else if !execResult.Confirmed && !execResult.Likely {
+			continue
+		}
+
+		trigger := "pull_request_target"
+		if !wf.On.PullRequestTarget && wf.On.WorkflowRun {
+			trigger = "workflow_run"
+		}
+
+		msg := fmt.Sprintf(
+			"Bot Actor Guard TOCTOU: job '%s' on %s has bot actor guard with fork checkout + execution — "+
+				"attacker can update PR commit after bot triggers workflow but before runner resolves SHA",
+			jobName, trigger)
+
+		findings = append(findings, Finding{
+			RuleID:   "FG-011",
+			Severity: SeverityMedium,
+			File:     wf.Path,
+			Line:     1,
+			Message:  msg,
+			Details: "Bot-delegated TOCTOU: if: github.actor == 'dependabot[bot]' guards are " +
+				"bypassable when an attacker pushes a new commit between the bot trigger event " +
+				"and the runner's checkout. The workflow runs the attacker's code with the bot's privileges. " +
+				"See BoostSecurity 'Weaponizing Dependabot' research.",
+		})
+	}
+	return findings
+}
+
 // describeTrigger returns a human-readable description of the workflow trigger.
 func describeTrigger(wf *Workflow) string {
 	if wf.On.PullRequestTarget {

internal/scanner/rules_test.go

@@ -218,21 +218,52 @@ func TestMixedWorkflow_MultipleFindings(t *testing.T) {
 	opts := ScanOptions{}
 	findings := ScanWorkflow(wf, opts)
 
-	if len(findings) < 3 {
-		t.Fatalf("expected at least 3 findings for mixed workflow, got %d", len(findings))
+	if len(findings) < 2 {
+		t.Fatalf("expected at least 2 findings for mixed workflow, got %d", len(findings))
 	}
 
 	rulesSeen := map[string]bool{}
 	for _, f := range findings {
 		rulesSeen[f.RuleID] = true
 	}
-	// Should trigger FG-001 (pwn request), FG-002 (script injection),
-	// FG-003 (tag pinning), FG-004 (broad permissions)
-	for _, expected := range []string{"FG-001", "FG-002", "FG-003"} {
+	// FG-001 and FG-002 are correlated into a single merged FG-001 finding
+	// FG-003 (tag pinning) should still fire separately
+	for _, expected := range []string{"FG-001", "FG-003"} {
 		if !rulesSeen[expected] {
 			t.Errorf("expected rule %s to fire on mixed workflow", expected)
 		}
 	}
+	// FG-002 should be absorbed into the merged FG-001
+	if rulesSeen["FG-002"] {
+		t.Error("expected FG-002 to be merged into FG-001 via correlation, but it still appears separately")
+	}
+}
+
+func TestCorrelation_PwnRequestPlusInjection(t *testing.T) {
+	wf := loadFixture(t, "mixed-workflow.yaml")
+	opts := ScanOptions{}
+	findings := ScanWorkflow(wf, opts)
+
+	// Find the correlated FG-001 finding
+	var merged *Finding
+	for i, f := range findings {
+		if f.RuleID == "FG-001" {
+			merged = &findings[i]
+			break
+		}
+	}
+	if merged == nil {
+		t.Fatal("expected merged FG-001 finding")
+	}
+	if merged.Severity != SeverityCritical {
+		t.Errorf("expected critical severity for merged finding, got %s", merged.Severity)
+	}
+	if !strings.Contains(merged.Message, "Ultralytics") {
+		t.Error("expected merged finding to reference Ultralytics pattern")
+	}
+	if !strings.Contains(merged.Details, "FG-001+FG-002") {
+		t.Error("expected merged finding details to mention FG-001+FG-002 correlation")
+	}
 }
 
 // --- FG-001 mitigation tests ---
@@ -356,8 +387,9 @@ func TestCheckPwnRequest_ActorGuardBot(t *testing.T) {
 		t.Fatalf("expected 1 finding, got %d", len(findings))
 	}
 	f := findings[0]
-	if f.Severity != SeverityInfo {
-		t.Errorf("expected info severity for bot actor guard, got %s", f.Severity)
+	// Bot actor guards are TOCTOU-bypassable — cap at high, never suppress to info
+	if f.Severity != SeverityHigh {
+		t.Errorf("expected high severity for bot actor guard (TOCTOU cap), got %s", f.Severity)
 	}
 	if len(f.Mitigations) == 0 {
 		t.Error("expected mitigations to be populated")
@@ -628,6 +660,76 @@ func TestCheckPwnRequest_PathAliasExec(t *testing.T) {
 	}
 }
 
+// --- FG-011 Bot Actor Guard TOCTOU tests ---
+
+func TestCheckBotActorTOCTOU_PRT(t *testing.T) {
+	wf := loadFixture(t, "bot-actor-guard-toctou.yaml")
+	findings := CheckBotActorTOCTOU(wf)
+
+	if len(findings) != 1 {
+		t.Fatalf("expected 1 FG-011 finding, got %d", len(findings))
+	}
+	f := findings[0]
+	if f.RuleID != "FG-011" {
+		t.Errorf("expected FG-011, got %s", f.RuleID)
+	}
+	if f.Severity != SeverityMedium {
+		t.Errorf("expected medium severity, got %s", f.Severity)
+	}
+	if !strings.Contains(f.Message, "pull_request_target") {
+		t.Error("expected message to mention pull_request_target trigger")
+	}
+	if !strings.Contains(f.Message, "TOCTOU") {
+		t.Error("expected message to mention TOCTOU")
+	}
+}
+
+func TestCheckBotActorTOCTOU_WorkflowRun(t *testing.T) {
+	wf := loadFixture(t, "workflow-run-toctou.yaml")
+	findings := CheckBotActorTOCTOU(wf)
+
+	if len(findings) != 1 {
+		t.Fatalf("expected 1 FG-011 finding for workflow_run, got %d", len(findings))
+	}
+	f := findings[0]
+	if f.RuleID != "FG-011" {
+		t.Errorf("expected FG-011, got %s", f.RuleID)
+	}
+	if !strings.Contains(f.Message, "workflow_run") {
+		t.Error("expected message to mention workflow_run trigger")
+	}
+}
+
+func TestCheckBotActorTOCTOU_NoBotGuard(t *testing.T) {
+	// A PRT workflow without actor guard should not fire FG-011
+	wf := loadFixture(t, "pwn-request.yaml")
+	findings := CheckBotActorTOCTOU(wf)
+
+	if len(findings) != 0 {
+		t.Fatalf("expected 0 findings for workflow without bot actor guard, got %d", len(findings))
+	}
+}
+
+// --- FG-002 extension: workflow_dispatch/call injection ---
+
+func TestCheckScriptInjection_DispatchInputs(t *testing.T) {
+	wf := loadFixture(t, "dispatch-injection.yaml")
+	findings := CheckScriptInjection(wf)
+
+	// Should find: inputs.* and github.event.inputs.* (2 pattern matches on the run block)
+	if len(findings) < 2 {
+		t.Fatalf("expected at least 2 injection findings for dispatch inputs, got %d", len(findings))
+	}
+	for _, f := range findings {
+		if f.RuleID != "FG-002" {
+			t.Errorf("expected FG-002, got %s", f.RuleID)
+		}
+		if f.Severity != SeverityHigh {
+			t.Errorf("expected high severity, got %s", f.Severity)
+		}
+	}
+}
+
 func TestRuleFilter(t *testing.T) {
 	wf := loadFixture(t, "mixed-workflow.yaml")
 	opts := ScanOptions{Rules: []string{"FG-002"}}