Description
Adds detection when github-actions[bot] pushes to a repository where it hasn't pushed before within the last 7 days. When a workflow runs, GitHub automatically provisions a GITHUB_TOKEN with permissions to push code—malicious packages exploit this by executing during CI (via npm preinstall hooks) and using the token to inject backdoor workflow files into the repository. This is the technique used in Shai-Hulud 2.0, where the malware pushed discussion_*.yaml files to establish persistence via self-hosted runners and exfiltrate secrets.
```kql
event.dataset: "github.audit" and
event.action: "git.push" and
user.name: "github-actions[bot]"
```
NOTE: Due to the potential noise of this, New Terms on the GitHub Org ID (considering forks) and Repo name should limit this to 1. Since CI/CD automation likely happens often, if this is not a one-off occurrence, these pushes will be ignored by New Terms.
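To make the New Terms behaviour concrete, here is an added stand-alone example (not part of this PR or the rule itself) that applies the same filter and the 7-day "first time this org/repo pair was pushed to by the bot" logic to a few constructed audit events. The `org` and `repo` field names and the timestamps are assumptions for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)           # the New Terms history window from the rule
BOT = "github-actions[bot]"

# Constructed sample audit events; field names mirror the rule's query
# (event.dataset, event.action, user.name). "org"/"repo" are assumed names
# for the New Terms fields (GitHub Org ID and repository name).
def _ev(ts, user, repo, action="git.push"):
    return {"@timestamp": ts, "event.dataset": "github.audit",
            "event.action": action, "user.name": user, "org": "acme", "repo": repo}

EVENTS = [
    _ev("2025-11-20T10:00:00Z", BOT, "web"),     # first bot push to acme/web -> alert
    _ev("2025-11-22T10:00:00Z", BOT, "web"),     # seen 2 days ago -> routine CI, no alert
    _ev("2025-11-24T10:00:00Z", "alice", "api"), # human push, not matched by the filter
    _ev("2025-11-25T10:00:00Z", BOT, "api"),     # first bot push to acme/api -> alert
    _ev("2025-12-10T10:00:00Z", BOT, "web"),     # last bot push was 18 days ago -> alert again
]

def matches(ev):
    """The rule's query: GitHub audit push events performed by github-actions[bot]."""
    return (ev["event.dataset"] == "github.audit"
            and ev["event.action"] == "git.push"
            and ev["user.name"] == BOT)

def detect(events, window=WINDOW):
    """Return (timestamp, (org, repo)) for each bot push where that org/repo pair
    had no matching bot push within the preceding window (the New Terms check)."""
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches(ev):
            continue
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        key = (ev["org"], ev["repo"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append((ev["@timestamp"], key))
        last_seen[key] = ts   # every matching push refreshes the pair's history
    return alerts

if __name__ == "__main__":
    for ts, (org, repo) in detect(EVENTS):
        print(f"{ts}  new github-actions[bot] push to {org}/{repo}")
```

The second push to `acme/web` is suppressed because the pair was seen two days earlier, which is exactly the noise reduction the note above relies on.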
