🚨 Runner-Guard Security Finding
Rule: RGS-012 - Secret Exfiltration via Outbound HTTP Request
Severity: High
File: .github/workflows/daily-fact.lock.yml
Line: 489
Description
A `run:` block contains an outbound HTTP request command targeting a non-GitHub domain in a job context that has access to secrets or publishing capabilities. Specifically, the `daily-fact` workflow issues a `curl` call to an external endpoint (detected as reaching `(127.0.0.1/redacted)`, a locally-bound MCP server), while also having access to secrets.
Runner-guard flagged this because the pattern is structurally identical to credential exfiltration, the primary objective of most GitHub Actions supply-chain attacks. Attackers who achieve code execution (via expression injection, fork checkout, or compromised action) exfiltrate secrets via HTTP POST requests to attacker-controlled domains.
```yaml
# Flagged pattern in daily-fact.lock.yml:489
- name: Setup jq utilities directory
  run: "mkdir -p /tmp/gh-aw\ncat > /tmp/gh-aw/jqschema.sh << 'EOF'\n..."
```
The `daily-fact` workflow also makes outbound HTTP calls to verify that a local MemPalace MCP server is running (`curl -sf (127.0.0.1/redacted)`) in a context that has access to secrets.
Impact
If an attacker gains code execution in this workflow runner (via expression injection, supply chain compromise, or untrusted fork checkout):
- The established HTTP request infrastructure can be repurposed to exfiltrate `ANTHROPIC_API_KEY` or other secrets
- The outbound HTTP pattern provides a ready-made exfiltration channel
- GitHub's log masking cannot protect secrets that are captured via outbound HTTP channels
Remediation
- Audit the MCP server initialization step in `daily-fact` to ensure the outbound `curl` check only contacts localhost and cannot be redirected to external endpoints via environment variable injection
- Restrict network egress using the workflow firewall to block outbound connections to non-GitHub endpoints during setup steps
- Verify that no user-controlled data can influence the URL or request body of the `curl` calls
- Consider restricting the workflow trigger: if `daily-fact` can be triggered by untrusted events, tighten the trigger conditions
Detected by runner-guard - CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/24908473129
Generated by Static Analysis Report · 396.5K