Rule: RGS-018 — Suspicious Payload Execution Pattern
Severity: High
Affected Workflows: 37 workflows (40 total instances)
Description
Runner-Guard detected code patterns in run: blocks associated with obfuscated payload execution or known indicators of compromise (IOCs) from active supply chain attack campaigns. This includes:
- eval+decode chains (e.g., eval(base64.b64decode(...)), base64 --decode | bash)
- Known malware marker variables
- Persistence file paths
- C2 communication patterns
A match against a known IOC signature is a strong indicator of active compromise and should be triaged as an incident until the match has been reviewed; a match against a dangerous execution pattern alone indicates susceptibility to this class of supply chain attack, not confirmed compromise.
Impact
These patterns can indicate:
- Active compromise if matched against known IOC signatures
- Susceptibility to supply chain attacks that inject malicious payloads via similar patterns
- Non-reproducible builds due to dynamic code execution
Affected Workflows
- go-logger, agentic-optimization-kit, api-consumption-report, audit-workflows
- changeset, ci-coach, cli-version-checker, cloclo, copilot-agent-analysis
- copilot-opt, copilot-pr-merged-report, copilot-pr-nlp-analysis, copilot-pr-prompt-analysis
- copilot-session-insights, copilot-setup-steps, copilot-token-audit, copilot-token-optimizer
- daily-cli-performance, daily-issues-report, daily-news, daily-safe-output-optimizer
- deep-report, delight, discussion-task-miner, issue-arborist, org-health-report
- prompt-clustering-analysis, safe-output-health, scout, smoke-claude, smoke-codex
- smoke-copilot-arm, smoke-copilot, smoke-crush, smoke-gemini, smoke-opencode
- stale-repo-identifier
Remediation
- Review each flagged run: block to identify the specific pattern triggering the rule
- If the pattern involves base64 decode chains, refactor to use direct script references instead of inline encoded scripts
- Replace any eval+decode patterns with explicit script files checked into the repository, so the code that actually executes is visible in review and tied to a commit
- If the flag is a false positive (e.g., legitimate use of base64 for config encoding where the decoded data is never passed to an interpreter), add a # runner-guard:ignore RGS-018 comment with justification
- For patterns involving curl|bash, see also RGS-006
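As an added illustration (not runner-guard's own code and not part of this report), the following Python script approximates the check described under Description and the workflow changes listed under Remediation: it extracts run: steps from a GitHub Actions workflow, matches each step's script against a small pattern set covering eval+decode chains and base64 decode piped to a shell, and honours a # runner-guard:ignore RGS-018 comment. The pattern list, the accepted placement of the ignore comment (the line above the run: key or inside the script), and both sample workflows are assumptions constructed for this example; the real rule's signatures and IOC list are not reproduced here.

```python
"""Toy RGS-018 style scanner (added example; not runner-guard's own code)."""
import re

RULE_ID = "RGS-018"

# Illustrative subset of dangerous-execution signatures. Assumption: the real
# rule also carries IOC signatures (marker variables, persistence paths, C2
# patterns) that this example does not reproduce.
PATTERNS = {
    "python eval+b64decode": re.compile(r"eval\s*\(\s*(?:base64\.)?b64decode\s*\("),
    "shell eval of base64 output": re.compile(r"\beval\b[^\n]*\bbase64\s+(?:-d|--decode)\b"),
    "base64 decode piped to shell": re.compile(
        r"\bbase64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b"),
}
# Suppression comment as named in the report; where it may be placed is assumed.
IGNORE_RE = re.compile(r"#\s*runner-guard:ignore\s+" + re.escape(RULE_ID) + r"\b")
RUN_KEY_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def extract_run_blocks(workflow_text):
    """Return [(line_no, script, preceding_line)] for every run: step.

    Deliberately minimal YAML handling: inline scalars and |/> block scalars
    delimited by indentation, which covers typical Actions workflows.
    """
    lines = workflow_text.splitlines()
    blocks = []
    i = 0
    while i < len(lines):
        m = RUN_KEY_RE.match(lines[i])
        if not m:
            i += 1
            continue
        line_no = i + 1
        key_col = len(m.group(1)) + len(m.group(2) or "")
        rest = m.group(3).strip()
        preceding = lines[i - 1] if i > 0 else ""
        if rest.startswith(("|", ">")):
            body = []
            j = i + 1
            while j < len(lines):
                raw = lines[j]
                # Block scalar ends at the first non-blank line at or left of the key column.
                if raw.strip() and len(raw) - len(raw.lstrip()) <= key_col:
                    break
                body.append(raw.strip())
                j += 1
            blocks.append((line_no, "\n".join(body), preceding))
            i = j
        else:
            blocks.append((line_no, rest.strip("'\""), preceding))
            i += 1
    return blocks


def scan(workflow_text):
    """Return (line_no, pattern_name, suppressed) for every matching run: step."""
    findings = []
    for line_no, script, preceding in extract_run_blocks(workflow_text):
        suppressed = bool(IGNORE_RE.search(script) or IGNORE_RE.search(preceding))
        for name, rx in PATTERNS.items():
            if rx.search(script):
                findings.append((line_no, name, suppressed))
    return findings


def active_findings(workflow_text):
    """Findings that would be reported, i.e. not covered by an ignore comment."""
    return [(ln, name) for ln, name, sup in scan(workflow_text) if not sup]


# Constructed sample: the kind of workflow the rule flags (two instances).
FLAGGED_WORKFLOW = """\
name: nightly
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: setup
        run: |
          echo "preparing"
          echo "$PAYLOAD" | base64 --decode | bash
      - name: analyze
        run: python3 -c "import base64; eval(base64.b64decode(open('blob').read()))"
"""

# Constructed sample after remediation: checked-in scripts replace the inline
# payloads, and a reviewed config-decoding step carries a justified ignore comment.
REMEDIATED_WORKFLOW = """\
name: nightly
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: setup
        run: ./scripts/setup.sh
      - name: analyze
        run: python3 scripts/analyze.py
      - name: load CI environment
        # runner-guard:ignore RGS-018 env.b64 is a base64-encoded KEY=VALUE file reviewed in PR
        run: eval "$(base64 --decode < ci/env.b64)"
"""

if __name__ == "__main__":
    for label, text in (("flagged", FLAGGED_WORKFLOW), ("remediated", REMEDIATED_WORKFLOW)):
        for line_no, name, suppressed in scan(text):
            state = "suppressed" if suppressed else "ACTIVE"
            print(f"{label}: line {line_no}: {RULE_ID} {name} [{state}]")
```

Running the script reports two active findings for the flagged workflow (the decode-to-bash step at line 9 and the Python eval at line 13) and none for the remediated one, where the only match is suppressed by the ignore comment. Note that the suppressed step still decodes into eval; the justification is what makes it acceptable, so a reviewer should check that the decoded file really is static configuration under version control.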
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/24855618439