🚨 Runner-Guard Security Finding
Rule: RGS-018 - Suspicious Payload Execution Pattern
Severity: High
Occurrences: 40 across 37 workflows
Description
Workflow `run:` blocks contain code patterns associated with obfuscated payload execution or known indicators of compromise (IOCs) from active supply chain attack campaigns. This includes eval+decode chains (e.g., `eval(base64.b64decode(...))`, `base64 --decode | bash`), known malware marker variables, persistence file paths, and C2 communication patterns.
These patterns are loaded from Runner Guard's threat signature database, which can be updated independently of the scanner binary. A match against a known IOC indicates active compromise; a match against a dangerous execution pattern indicates susceptibility to this class of supply chain attack.
Impact
If any matched pattern corresponds to an active IOC:
- Runner environment may be compromised
- Secrets could be exfiltrated to attacker-controlled infrastructure
- Subsequent CI builds may be tampered with
- Repository integrity may be at risk
Even where the matched patterns are legitimate, they are difficult to distinguish from active supply chain attacks and should be reviewed.
Affected Workflows (37)
api-consumption-report, audit-workflows, changeset, ci-coach, cli-version-checker, cloclo, copilot-agent-analysis, copilot-opt, copilot-pr-merged-report, copilot-pr-nlp-analysis, copilot-pr-prompt-analysis, copilot-session-insights, copilot-setup-steps, copilot-token-audit, copilot-token-optimizer, daily-cli-performance, daily-issues-report, daily-news, daily-safe-output-optimizer, daily-sentrux-report, deep-report, discussion-task-miner, go-logger, issue-arborist, org-health-report, prompt-clustering-analysis, safe-output-health, scout, smoke-claude, smoke-codex, smoke-copilot, smoke-copilot-arm, smoke-crush, smoke-gemini, smoke-opencode, smoke-pi, stale-repo-identifier
Remediation
- Audit each flagged `run:` block to confirm it does not contain base64-encoded payloads or eval chains that execute external code
- Review `curl | bash` patterns: replace them with downloading to a file, verifying its integrity (SHA-256), then executing it
- Check for IOC signatures: runner-guard's threat DB flags specific patterns; consult the runner-guard documentation for the matched signature ID
- Avoid obfuscated shell patterns: keep CI scripts readable and auditable
- Pin all external scripts with SHA-256 checksums before execution
Detected by runner-guard v2.6.0 - CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/25303186183