Analysis roadmap

[woodruffw]

• [ ] Auditing of action definitions (i.e. action.yml)
• [ ] Accidental credential persistence
  • [x] "ArtiPACKED"
• [x] Insecure/fundamentally dangerous workflow triggers
  • [x] pull_request_target
  • [x] workflow_run: #33
• [x] Insecure/excessive permissions
• [ ] Self-hosted runners/runner escapes
• [ ] Cache poisoning
• [x] Impostor commits
• [x] Ref confusion (e.g. branch/tag confusion)
• [x] Bad practices for third-party actions
  • [x] Using pypa/gh-action-pypi-publish without trusted publishing
  • [x] Using rubygems/release-gem without trusted publishing
• [x] Hardcoded container/service credentials
• [ ] Suggest upgrades for common 3p workflows, e.g. gh-action-pypi-publish@master should be @release/v1.
  • [ ] See #59
• [ ] Out-of-date Dependabot version comments
• [ ] Unpinned actions (this should probably be pedantic only)
• [ ] Bad YAML string/int conversions (these will be annoying to detect, since we'd need to go back up to the original span to see if the deserialized form diverges)
  • [ ] https://github.com/dtolnay/rust-toolchain/issues/112
• [x] #36
  • [ ] https://osv.dev/list?q=&ecosystem=GitHub+Actions

[woodruffw]

Self-hosted runners are fundamentally insecure when not run ephemerally, but there's no great way to detect this statically. So we'll likely need to make that check a pedantic-only one.

[woodruffw]

Code injection should also detect things like https://securitylab.github.com/advisories/GHSL-2024-169_Arduino-ESP32/, i.e. detect expression expansion inside of actions like actions/github-script.