🚨 Runner-Guard Security Finding
Rule: RGS-004 - Comment-Triggered Workflow Without Author Authorization Check
Severity: High
Occurrences: 1,476 across 16 workflows
Description
Workflows triggered by issue_comment, pull_request_review_comment, or workflow_run events access secrets or have write permissions but do not verify the comment author's authorization level before executing privileged operations.
The issue_comment event fires for comments from ANY GitHub user, including those with no affiliation to the repository. Without an explicit check on github.event.comment.author_association, any external user can trigger the workflow by posting a comment on any open issue or pull request.
Impact
If the workflow accesses secrets, performs deployments, or has write permissions, this effectively grants those privileges to arbitrary external users. This is a complete authorization bypass that could allow:
- Unauthorized secret access
- Arbitrary code execution with repository write permissions
- Unauthorized deployments
- Privilege escalation via OIDC token generation
Affected Workflows (16)
ace-editor, ai-moderator, archie, brave, cloclo, dev-hawk, grumpy-reviewer, mergefest, pdf-summary, plan, pr-nitpick-reviewer, q, scout, security-review, tidy, unbloat-docs
Remediation
Add an author_association check to the if: condition of all jobs in affected workflows:
# Before (vulnerable):
jobs:
  process-comment:
    if: contains(github.event.comment.body, '/command')
    runs-on: ubuntu-latest

# After (fixed):
jobs:
  process-comment:
    if: |
      contains(github.event.comment.body, '/command') &&
      (github.event.comment.author_association == 'OWNER' ||
       github.event.comment.author_association == 'MEMBER' ||
       github.event.comment.author_association == 'COLLABORATOR')
    runs-on: ubuntu-latest
Alternatively, verify authorization in a dedicated first job and use needs: to gate subsequent jobs.
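The gated-job pattern above, written out as a complete workflow. This is an added example and is not one of the affected workflows or runner-guard's own remediation text; the workflow name, the /command trigger word, the deploy.sh script and the DEPLOY_TOKEN secret are placeholders. It keeps the authorization decision in one job (authorize) and makes every privileged job depend on it with needs:, so the check cannot be forgotten on a job added later.

```yaml
# Added example (not from the runner-guard report): comment-triggered workflow
# whose privileged job only runs after a dedicated authorization job.
name: slash-command-deploy          # placeholder name
on:
  issue_comment:
    types: [created]

# Default to read-only; individual jobs opt in to the permissions they need.
permissions:
  contents: read

jobs:
  authorize:
    runs-on: ubuntu-latest
    # Run only when the comment is on a pull request, contains the command,
    # and the author is an OWNER, MEMBER or COLLABORATOR. CONTRIBUTOR,
    # FIRST_TIME_CONTRIBUTOR and NONE are deliberately excluded: anyone can
    # reach those associations without being granted repository access.
    if: |
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/command') &&
      contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'),
               github.event.comment.author_association)
    outputs:
      pr-number: ${{ github.event.issue.number }}
    steps:
      - run: echo "authorized by ${{ github.event.comment.user.login }}"

  deploy:
    # No separate author check here: when authorize is skipped or fails, this
    # job is skipped too (the default behaviour of needs:). Do not add
    # `if: always()` to a gated job, as that would bypass the gate.
    needs: authorize
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh "${{ needs.authorize.outputs.pr-number }}"   # placeholder script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}                   # placeholder secret
```

Two points worth checking when applying this to an existing workflow: every job that touches secrets, write permissions or an OIDC token must list authorize (directly or transitively) in its needs:, and none of those jobs may carry an if: that evaluates to true when the upstream job was skipped. The same author_association expression applies unchanged to pull_request_review_comment; workflow_run has no github.event.comment, so workflows on that trigger need to derive the original author from the triggering run instead.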
Detected by runner-guard v2.6.0 - CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25303186183