Rule: RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
Severity: High
Affected Workflows: 16 workflows (1,388 total instances)
Description
Workflows triggered by issue_comment, pull_request_review_comment, or workflow_run events access secrets or have write permissions, but do not verify the comment author's authorization level before executing privileged operations.
The issue_comment event fires for comments from ANY GitHub user, including those with no affiliation to the repository. Without an explicit check on github.event.comment.author_association (e.g., requiring OWNER, MEMBER, or COLLABORATOR), any external user can trigger the workflow by posting a comment on any open issue or pull request.
Impact
If the workflow accesses secrets, performs deployments, or has write permissions, this effectively grants those privileges to arbitrary external users. This is the most prevalent finding in this repository with 1,388 instances across 16 workflows.
Remediation
Add an author association check at the start of the job:
Or use a dedicated authorization action that validates team membership.
Affected Workflows
ace-editor, ai-moderator, archie, brave, cloclo, dev-hawk, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review, tidy, unbloat-docs
Fix Prompt for Copilot Agent
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/24855618439
Generated by Static Analysis Report · ● 341K · ◷
Rule: RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
Severity: High
Affected Workflows: 16 workflows (1,388 total instances)
Description
Workflows triggered by
issue_comment,pull_request_review_comment, orworkflow_runevents access secrets or have write permissions, but do not verify the comment author's authorization level before executing privileged operations.The
issue_commentevent fires for comments from ANY GitHub user, including those with no affiliation to the repository. Without an explicit check ongithub.event.comment.author_association(e.g., requiring OWNER, MEMBER, or COLLABORATOR), any external user can trigger the workflow by posting a comment on any open issue or pull request.Impact
If the workflow accesses secrets, performs deployments, or has write permissions, this effectively grants those privileges to arbitrary external users. This is the most prevalent finding in this repository with 1,388 instances across 16 workflows.
Remediation
Add an author association check at the start of the job:
Or use a dedicated authorization action that validates team membership.
Affected Workflows
ace-editor, ai-moderator, archie, brave, cloclo, dev-hawk, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review, tidy, unbloat-docs
Fix Prompt for Copilot Agent
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/24855618439