guacsec / guac

GUAC aggregates software security metadata into a high fidelity graph database.
https://guac.sh
Apache License 2.0
1.29k stars 176 forks

zizmor audit for nightly release workflow #2270

Closed funnelfiasco closed 6 days ago

funnelfiasco commented 2 weeks ago
🌈 completed nightly-release.yaml
warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/nightly-release.yaml:42:9
   |
42 |         - name: Checkout code
   |  _________-
43 | |         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v3
   | |________________________________________________________________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

help[template-injection]: code injection via template expansion
   --> .github/workflows/nightly-release.yaml:52:9
    |
 52 |         - name: Refresh nightly tag
    |           ------------------------- help: this step
 53 |           uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 54 |           with:
 55 |             github-token: ${{ steps.app-token.outputs.token }}
 56 |             script: |
    |  ___________-
 57 | | 
...   |
100 | |             })
101 | |             console.log(result)
    | |________________________________- help: env.NIGHTLY_RELEASE_TAG may expand into attacker-controllable code
    |
    = note: audit confidence → High

help[template-injection]: code injection via template expansion
   --> .github/workflows/nightly-release.yaml:52:9
    |
 52 |         - name: Refresh nightly tag
    |           ------------------------- help: this step
 53 |           uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 54 |           with:
 55 |             github-token: ${{ steps.app-token.outputs.token }}
 56 |             script: |
    |  ___________-
 57 | | 
...   |
100 | |             })
101 | |             console.log(result)
    | |________________________________- help: env.NIGHTLY_RELEASE_TAG may expand into attacker-controllable code
    |
    = note: audit confidence → High

help[template-injection]: code injection via template expansion
   --> .github/workflows/nightly-release.yaml:52:9
    |
 52 |         - name: Refresh nightly tag
    |           ------------------------- help: this step
 53 |           uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 54 |           with:
 55 |             github-token: ${{ steps.app-token.outputs.token }}
 56 |             script: |
    |  ___________-
 57 | | 
...   |
100 | |             })
101 | |             console.log(result)
    | |________________________________- help: env.NIGHTLY_RELEASE_TAG may expand into attacker-controllable code
    |
    = note: audit confidence → High

4 findings (0 ignored): 0 unknown, 0 informational, 3 low, 1 medium, 0 high