🚨 Runner-Guard Security Finding
Rule: RGS-004 — Comment-Triggered Workflow Without Author Authorization Check
Severity: High
File: .github/workflows/brave.lock.yml
Occurrences: 1590 across 17 workflows
Description
Workflows triggered by issue_comment, pull_request_review_comment, or workflow_run events access secrets or have write permissions, but do not verify the comment author's authorization level before executing privileged operations.
The issue_comment event fires for comments from ANY GitHub user, including those with no affiliation to the repository. Without an explicit check on github.event.comment.author_association (e.g., requiring OWNER, MEMBER, or COLLABORATOR), any external user can trigger the workflow by posting a comment on any open issue or pull request.
Affected Workflows (17 total)
brave.lock.yml (most occurrences)
ace-editor.lock.yml
ai-moderator.lock.yml
archie.lock.yml
cloclo.lock.yml
dev-hawk.lock.yml
grumpy-reviewer.lock.yml
mergefest.lock.yml
pdf-summary.lock.yml
plan.lock.yml
pr-code-quality-reviewer.lock.yml
pr-nitpick-reviewer.lock.yml
q.lock.yml
scout.lock.yml
security-review.lock.yml
tidy.lock.yml
unbloat-docs.lock.yml
Impact
If a workflow accesses secrets, performs deployments, or has write permissions, this effectively grants those privileges to arbitrary external users who post comments. This is a high-confidence indicator that the workflow could be exploited to exfiltrate secrets or perform unauthorized operations.
Remediation
Add an authorization check early in the workflow that verifies github.event.comment.author_association is one of OWNER, MEMBER, or COLLABORATOR before proceeding with any privileged operations:
```yaml
- name: Check author authorization
  id: check_auth
  uses: actions/github-script@v9
  with:
    script: |
      const assoc = context.payload.comment?.author_association;
      const allowed = ['OWNER', 'MEMBER', 'COLLABORATOR'];
      if (!allowed.includes(assoc)) {
        core.setFailed(`Unauthorized: comment author association is '${assoc}'`);
      }
```
Note: Some workflows (like tidy.lock.yml) already include a check_membership step. If team membership is verified via API, runner-guard may still flag it because it cannot reason about multi-step authorization flows. Review each workflow to confirm whether authorization is already enforced before acting.
Detected by runner-guard v2.6.0 — CI/CD source-to-sink vulnerability scanner
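As an added illustration (not runner-guard's or gh-aw's own code), the same check written fail-closed as a reusable function with constructed sample payloads: a missing comment object (as in a workflow_run payload) or an unrecognised association is rejected rather than silently passed. Function and payload names are assumptions.

```javascript
// Added example (not runner-guard's or gh-aw's code): a fail-closed
// authorization check for comment-triggered workflows, in the shape a
// github-script step would run. Function and payload names are assumptions.
const DEFAULT_ALLOWED = ['OWNER', 'MEMBER', 'COLLABORATOR'];

// Returns { authorized, association, reason }. A missing or non-string
// association is rejected, so a workflow_run payload (no comment object)
// or a malformed event never passes by accident.
function checkCommentAuthorization(payload, allowed = DEFAULT_ALLOWED) {
  const comment = payload && payload.comment;
  if (!comment || typeof comment.author_association !== 'string') {
    return { authorized: false, association: null,
             reason: 'no comment.author_association in event payload' };
  }
  const association = comment.author_association;
  if (!allowed.includes(association)) {
    return { authorized: false, association,
             reason: `author association '${association}' is not in [${allowed.join(', ')}]` };
  }
  return { authorized: true, association, reason: 'ok' };
}

// Adapter for an actions/github-script step: `context` and `core` are the
// objects github-script injects; the job is failed on rejection.
function enforceInGithubScript(context, core, allowed = DEFAULT_ALLOWED) {
  const result = checkCommentAuthorization(context.payload, allowed);
  if (!result.authorized) core.setFailed(`Unauthorized: ${result.reason}`);
  return result;
}

// Constructed sample payloads (not real events) covering the cases the
// finding describes: a member, an unaffiliated user, a past contributor,
// and an event with no comment at all.
const SAMPLE_EVENTS = {
  memberComment: { comment: { author_association: 'MEMBER', body: '/deploy' } },
  externalComment: { comment: { author_association: 'NONE', body: '/deploy' } },
  contributorReview: { comment: { author_association: 'CONTRIBUTOR', body: 'lgtm' } },
  workflowRun: { workflow_run: { id: 1 } },
};

// Demonstration when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, payload] of Object.entries(SAMPLE_EVENTS)) {
    console.log(name, checkCommentAuthorization(payload));
  }
}
```

CONTRIBUTOR is deliberately outside the default list: it only means the author has a merged commit in the repository, not that they hold any role on it.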
Workflow run: https://github.com/github/gh-aw/actions/runs/25538644099