Repo sync

content/code-security/code-scanning/managing-your-code-scanning-configuration/github-actions-built-in-queries.md

@@ -0,0 +1,23 @@
+---
+title: GitHub Actions queries for CodeQL analysis
+shortTitle: GitHub Actions queries
+intro: 'Explore the queries that {% data variables.product.prodname_codeql %} uses to analyze workflows used by {% data variables.product.prodname_actions %} when you select the `default` or the `security-extended` query suite.'
+product: '{% data reusables.gated-features.codeql %}'
+allowTitleToDifferFromFilename: true
+versions:
+  fpt: '*'
+  ghes: '*'
+  ghec: '*'
+type: reference
+topics:
+  - Code scanning
+  - CodeQL
+---
+
+{% data variables.product.prodname_codeql %} includes many queries for analyzing workflows used by {% data variables.product.prodname_actions %}. {% data reusables.code-scanning.codeql-query-tables.query-suite-behavior %}
+
+## Built-in queries for workflow analysis
+
+{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
+
+{% data reusables.code-scanning.codeql-query-tables.actions %}

content/code-security/code-scanning/managing-your-code-scanning-configuration/index.md

@@ -21,6 +21,7 @@ children:
   - /viewing-code-scanning-logs
   - /c-cpp-built-in-queries
   - /csharp-built-in-queries
+  - /github-actions-built-in-queries
   - /go-built-in-queries
   - /java-kotlin-built-in-queries
   - /javascript-typescript-built-in-queries

content/rest/using-the-rest-api/rate-limits-for-the-rest-api.md

@@ -48,6 +48,12 @@ You can use a {% data variables.product.pat_generic %} to make API requests. Add
 
 All of these requests count towards your personal rate limit of 5,000 requests per hour. Requests made on your behalf by a {% data variables.product.prodname_github_app %} that is owned by a {% data variables.product.prodname_ghe_cloud %} organization have a higher rate limit of 15,000 requests per hour. Similarly, requests made on your behalf by a {% data variables.product.prodname_oauth_app %} that is owned or approved by a {% data variables.product.prodname_ghe_cloud %} organization have a higher rate limit of 15,000 requests per hour if you are a member of the {% data variables.product.prodname_ghe_cloud %} organization.
 
+### Primary rate limit for Git LFS access
+
+API requests are required when you upload or download Git LFS content. These count towards a separate rate limiting bucket with a limit of 300 requests per minute for unauthenticated requests and 3,000 requests per minute for authenticated requests.
+
+Git LFS uses a batch API which processes 100 Git LFS objects per API request by default. That means unauthenticated users can download 30,000 Git LFS objects per minute and authenticated users can upload/download 300,000 Git LFS objects per minute.
+
 ### Primary rate limit for {% data variables.product.prodname_github_app %} installations
 
 {% data variables.product.prodname_github_apps %} authenticating with an installation access token use the installation's minimum rate limit of 5,000 requests per hour. If the installation is on a {% data variables.product.prodname_ghe_cloud %} organization, the installation has a rate limit of 15,000 requests per hour.

data/reusables/code-scanning/codeql-query-tables/actions.md

@@ -0,0 +1,29 @@
+{% rowheaders %}
+
+| Query name | Related CWEs | Default | Extended | {% data variables.product.prodname_copilot_autofix_short %} |
+| --- | --- | --- | --- | --- |
+| [Artifact poisoning](https://codeql.github.com/codeql-query-help/actions/actions-artifact-poisoning-critical/) | 829 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Cache Poisoning via caching of untrusted files](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-direct-cache/) | 349 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Cache Poisoning via execution of untrusted code](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-poisonable-step/) | 349 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Cache Poisoning via low-privileged code injection](https://codeql.github.com/codeql-query-help/actions/actions-cache-poisoning-code-injection/) | 349, 094 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Checkout of untrusted code in a privileged context](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-critical/) | 829 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Checkout of untrusted code in trusted context](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-high/) | 829 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Code injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-critical/) | 094, 095, 116 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Environment variable built from user-controlled sources](https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/) | 077, 020 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Excessive Secrets Exposure](https://codeql.github.com/codeql-query-help/actions/actions-excessive-secrets-exposure/) | 312 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Improper Access Control](https://codeql.github.com/codeql-query-help/actions/actions-improper-access-control/) | 285 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [PATH environment variable built from user-controlled sources](https://codeql.github.com/codeql-query-help/actions/actions-envpath-injection-critical/) | 077, 020 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Storage of sensitive information in GitHub Actions artifact](https://codeql.github.com/codeql-query-help/actions/actions-secrets-in-artifacts/) | 312 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Unmasked Secret Exposure](https://codeql.github.com/codeql-query-help/actions/actions-unmasked-secret-exposure/) | 312 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Untrusted Checkout TOCTOU](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-toctou-high/) | 367 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Untrusted Checkout TOCTOU](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-toctou-critical/) | 367 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Use of a known vulnerable action](https://codeql.github.com/codeql-query-help/actions/actions-vulnerable-action/) | 1395 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Workflow does not contain permissions](https://codeql.github.com/codeql-query-help/actions/actions-missing-workflow-permissions/) | 275 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Artifact poisoning](https://codeql.github.com/codeql-query-help/actions/actions-artifact-poisoning-medium/) | 829 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Checkout of untrusted code in trusted context](https://codeql.github.com/codeql-query-help/actions/actions-untrusted-checkout-medium/) | 829 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Code injection](https://codeql.github.com/codeql-query-help/actions/actions-code-injection-medium/) | 094, 095, 116 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Environment variable built from user-controlled sources](https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-medium/) | 077, 020 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [PATH environment variable built from user-controlled sources](https://codeql.github.com/codeql-query-help/actions/actions-envpath-injection-medium/) | 077, 020 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Unpinned tag for a non-immutable Action in workflow](https://codeql.github.com/codeql-query-help/actions/actions-unpinned-tag/) | 829 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+
+{% endrowheaders %}

data/reusables/code-scanning/codeql-query-tables/cpp.md

@@ -4,7 +4,7 @@
 | --- | --- | --- | --- | --- |
 | [Bad check for overflow of integer addition](https://codeql.github.com/codeql-query-help/cpp/cpp-bad-addition-overflow-check/) | 190, 192 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Badly bounded write](https://codeql.github.com/codeql-query-help/cpp/cpp-badly-bounded-write/) | 120, 787, 805 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| [Call to `memset` may be deleted](https://codeql.github.com/codeql-query-help/cpp/cpp-memset-may-be-deleted/) | 14 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
+| [Call to `memset` may be deleted](https://codeql.github.com/codeql-query-help/cpp/cpp-memset-may-be-deleted/) | 014 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Call to alloca in a loop](https://codeql.github.com/codeql-query-help/cpp/cpp-alloca-in-loop/) | 770 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Call to function with fewer arguments than declared parameters](https://codeql.github.com/codeql-query-help/cpp/cpp-too-few-arguments/) | 234, 685 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Cast between HRESULT and a Boolean type](https://codeql.github.com/codeql-query-help/cpp/cpp-hresult-boolean-conversion/) | 253 | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
@@ -56,7 +56,7 @@
 | [Authentication bypass by spoofing](https://codeql.github.com/codeql-query-help/cpp/cpp-user-controlled-bypass/) | 290 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
 | [boost::asio TLS settings misconfiguration](https://codeql.github.com/codeql-query-help/cpp/cpp-boost-tls-settings-misconfiguration/) | 326 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [boost::asio use of deprecated hardcoded protocol](https://codeql.github.com/codeql-query-help/cpp/cpp-boost-use-of-deprecated-hardcoded-security-protocol/) | 327 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
-| [Call to memory access function may overflow buffer](https://codeql.github.com/codeql-query-help/cpp/cpp-overflow-buffer/) | 119, 121, 122, 126 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "x" aria-label="Not included" %} |
+| [Call to memory access function may overflow buffer](https://codeql.github.com/codeql-query-help/cpp/cpp-overflow-buffer/) | 119, 121, 122, 126 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Certificate not checked](https://codeql.github.com/codeql-query-help/cpp/cpp-certificate-not-checked/) | 295 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Certificate result conflation](https://codeql.github.com/codeql-query-help/cpp/cpp-certificate-result-conflation/) | 295 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |
 | [Cleartext storage of sensitive information in an SQLite database](https://codeql.github.com/codeql-query-help/cpp/cpp-cleartext-storage-database/) | 313 | {% octicon "x" aria-label="Not included" %} | {% octicon "check" aria-label="Included" %} | {% octicon "check" aria-label="Included" %} |