You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/enterprise-onboarding/github-actions-for-your-enterprise/security-hardening-for-github-actions.md
+1-25Lines changed: 1 addition & 25 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -154,31 +154,7 @@ To help mitigate the risk of an exposed token, consider restricting the assigned
154
154
155
155
## Understanding the risks of untrusted code checkout
156
156
157
-
Similar to script injection attacks, untrusted pull request content that automatically triggers actions processing can also pose a security risk. The `pull_request_target` and `workflow_run` workflow triggers, when used with the checkout of an untrusted pull request, expose the repository to security compromises. These workflows are privileged (i.e. they share the same cache of the main branch with other privileged workflow triggers, may have repository write access and access to referenced secrets), which can be exploited to take over a repository.
158
-
159
-
Review the [`pull_request_target` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) and the [`workflow_run` trigger documentation](/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow-run) for more information on these triggers, how to use them, and the risks associated with them.
160
-
161
-
For additional explanation, examples, and guidance on the risks of untrusted code checkout, see [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://v-securitylab-github-com.jerryabc.cn/research/github-actions-preventing-pwn-requests/) from {% data variables.product.prodname_security %} and the [Dangerous Workflow check documentation](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) from OpenSSF Scorecard.
162
-
163
-
## Good practices for mitigating untrusted code checkout risks
164
-
165
-
There are a number of different approaches available to help you mitigate the risk of untrusted code checkout in actions workflows:
166
-
167
-
### Avoid potentially dangerous workflow triggers
168
-
169
-
Avoid using the `pull_request_target` workflow trigger if not necessary. Prefer using `workflow_run` for privilege separation between workflows as described in [Keeping your {% data variables.product.prodname_actions %} and workflows secure: Preventing pwn requests](https://v-securitylab-github-com.jerryabc.cn/research/github-actions-preventing-pwn-requests). Only use these workflow triggers when the workflow actually needs the privileged context.
170
-
171
-
### Do not use the `pull_request_target` and `workflow_run` workflow triggers with untrusted content
172
-
173
-
Avoid using the `pull_request_target` and `workflow_run` workflow triggers with untrusted pull requests or code content. Workflows that use these triggers must not explicitly checkout untrusted code, including from pull request forks or from repositories that are not under your control. Workflows triggered on `workflow_run` should treat artifacts uploaded from other workflows with caution (i.e. as untrusted).
174
-
175
-
### Use CodeQL to detect potentially vulnerable workflows
176
-
177
-
[CodeQL](/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql) can scan and detect potentially vulnerable {% data variables.product.prodname_actions %} workflows. [Configure the default setup for CodeQL](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning) for the repository and ensure that {% data variables.product.prodname_actions %} scanning is enabled.
178
-
179
-
### Use OpenSSF Scorecards to detect potentially vulnerable workflows
180
-
181
-
[OpenSSF Scorecards](#use-openssf-scorecards-to-detect-potentially-vulnerable-workflows) can help you identify potentially vulnerable workflows, along with other security risks when using {% data variables.product.prodname_actions %}.
157
+
Untrusted pull request content that automatically triggers actions processing can also pose a security risk. For more information, see [AUTOTITLE](/actions/reference/security/secure-use).
182
158
183
159
## Managing permissions for {% data variables.product.prodname_actions %} settings in your organization
0 commit comments