We recently launched analysis capabilities for GitHub Actions workflow files in public preview. With the release of CodeQL 2.20.5, we are expanding the analysis capabilities to detect additional types of security risks associated with Actions workflow files, and we have adjusted some of the existing queries.
The analysis coverage is improved with the addition of five new queries that identify additional types of security risks associated with Actions workflow files. The new queries are:
- actions/envpath-injection/medium detects situations where user-controlled sources (like the text of a GitHub issue) are used to populate the PATH environment variable. This could allow an attacker to alter the execution of system commands.
- actions/envvar-injection/medium detects situations where environment variables which are not properly sanitized can lead to the injection of additional unwanted variables, using new lines or {delimiters}.
- actions/code-injection/medium detects situations where user-controlled input can end up in contexts like run: or script:, leading to malicious code being executed and secrets being leaked.
- actions/artifact-poisoning/medium detects situations where artifacts are not correctly extracted, stored and verified, which could result in a poisoned artifact being executed, leading to repository compromise.
- actions/untrusted-checkout/medium detects situations where workflows triggered by events like pull_request_target or issue_comment can execute arbitrary code from untrusted sources, if followed by an explicit checkout.
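To make the first three query categories concrete, here is an added example workflow (not part of the changelog and not CodeQL's own test code) that places the patterns these queries flag next to the hardened form. The workflow name, job names and the ISSUE_TITLE variable are constructed for illustration.

```yaml
name: issue-triage
on:
  issues:
    types: [opened]

jobs:
  # Patterns flagged by actions/code-injection, actions/envpath-injection and
  # actions/envvar-injection: the issue title is expanded into script text,
  # into GITHUB_PATH, and into GITHUB_ENV before the shell ever runs.
  flagged:
    runs-on: ubuntu-latest
    steps:
      - name: Echo title (expression is substituted into the shell script)
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: Extend PATH from user input
        run: echo "${{ github.event.issue.title }}" >> "$GITHUB_PATH"
      - name: Export title (a newline in the title appends extra variables)
        run: echo "TITLE=${{ github.event.issue.title }}" >> "$GITHUB_ENV"

  # Hardened form: route untrusted values through an intermediate environment
  # variable, reference it as quoted shell data, write only workflow-controlled
  # paths to GITHUB_PATH, and wrap multi-line values in a random delimiter
  # so the value cannot close the heredoc early.
  hardened:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      ISSUE_TITLE: ${{ github.event.issue.title }}
    steps:
      - name: Echo title (value is data, not code)
        run: echo "New issue: $ISSUE_TITLE"
      - name: Extend PATH with a fixed, workflow-owned directory
        run: echo "${RUNNER_TEMP}/tools" >> "$GITHUB_PATH"
      - name: Export title safely (random heredoc delimiter)
        run: |
          delim="$(openssl rand -hex 16)"
          {
            echo "TITLE<<${delim}"
            printf '%s\n' "$ISSUE_TITLE"
            echo "${delim}"
          } >> "$GITHUB_ENV"
```

The hardened job also sets an explicit read-only token permission, which limits what a successful injection elsewhere in the workflow could do with GITHUB_TOKEN.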
Because of its lower precision and the large number of alerts it generates, the query actions/unpinned-tag has been moved from the default query suite to the security-extended query suite, and all existing alerts for this query will be automatically closed if the security-extended suite is not being used.
Three queries have been removed from the default and security-extended query suites because they do not produce relevant security alerts. Alerts generated by these queries will be closed automatically:
- actions/if-expression-always-true/critical
- actions/if-expression-always-true/high
- actions/unnecessary-use-of-advanced-config
These changes are now available with the release of CodeQL 2.20.5. For a full list of changes, please refer to the complete changelog for version 2.20.5. Every new version of CodeQL is automatically deployed to users of GitHub code scanning on GitHub.com. The new functionality in CodeQL 2.20.5 will also be included in GitHub Enterprise Server (GHES) version 3.17. If you use an older version of GHES, you can manually upgrade your CodeQL version.