🚨 Runner-Guard Security Finding
Rule: RGS-012 – Secret Exfiltration via Outbound HTTP Request
Severity: High
Affected Files: docs-noob-tester, unbloat-docs, visual-regression-checker
Total Findings: 4
Description
These workflows contain outbound HTTP request commands (curl, wget) targeting non-GitHub domains in a job context that has access to secrets or publishing capabilities. This pattern is flagged as a potential credential exfiltration vector.
Specifically, these workflows use `curl (localhost/redacted)` to check local documentation server readiness. While this is a localhost connection, it is flagged because the workflows also have access to secrets in a context where external actors could influence execution.
Impact
This pattern is a strong indicator of credential exfiltration techniques. Attackers who achieve code execution in a CI runner (via expression injection, fork checkout, compromised action, etc.) use outbound HTTP requests to exfiltrate stolen secrets. The combination of external HTTP requests with secrets access in certain workflow trigger contexts is high-confidence risk.
Note: The localhost findings (docs server health checks) are likely false positives. Review each finding carefully to distinguish legitimate operations from genuine risks.
Remediation
- Audit all outbound HTTP requests in affected workflows to confirm they target expected, trusted endpoints only.
- For health-check curl calls to localhost, add comments documenting the intent:

```yaml
- name: Wait for server readiness
  # runner-guard: localhost health-check only, no secret exposure
  run: |
    curl -sf (localhost/redacted) > /dev/null
```
- For any actual external HTTP calls with secrets in scope, consider using GitHub Actions OIDC tokens instead of long-lived secrets.
- Restrict workflow triggers to avoid comment-triggered execution with broad permissions.
Detected by runner-guard v2.6.0 – CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25271149715