Feature: Fork pull request workflows from outside collaborators #3827
Labels: check/Dangerous-workflow, kind/enhancement (New feature or request), kind/new-check (New check for scorecard), Stale
Is your feature request related to a problem? Please describe.
A GitHub workflow that runs on the pull_request trigger from a fork PR uses the workflow file from the fork, not the PR base.
GitHub supports three options for Fork pull request workflows from outside collaborators:
The default setting, "Require approval for first-time contributors", is insecure: an attacker could first send an innocent first-time contribution (e.g. a typo fix in a documentation page) and could then trigger workflow executions with overridden actions in the workflow file from their fork.
The severity is high when the workflow is executed in a non-ephemeral self-hosted runner environment.
Describe the solution you'd like
I'd like scorecard to emit a finding when this config option is set to anything else but "Require approval for all outside collaborators".
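As an added illustration of the proposed check (this is example code, not Scorecard's implementation, and it calls no GitHub API): it takes the repository's fork PR approval setting as a string plus the repository's workflow files, and emits a repository-level finding whenever the setting is anything other than "Require approval for all outside collaborators", escalating to High for `pull_request`-triggered workflows whose jobs request a `self-hosted` runner, since the YAML cannot reveal whether such a runner is ephemeral. The setting strings, the small line-based YAML reader, the Medium severity for other cases and the three sample workflows are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# The three repository options GitHub offers (assumed to match the settings UI wording).
REQUIRE_ALL_OUTSIDE = "Require approval for all outside collaborators"
REQUIRE_FIRST_TIME = "Require approval for first-time contributors"
REQUIRE_NEW_TO_GITHUB = "Require approval for first-time contributors who are new to GitHub"


@dataclass
class Finding:
    scope: str      # "repository" or a workflow file name
    severity: str
    message: str


def _flow_list(value):
    """Split a YAML flow sequence such as '[self-hosted, linux]' into its items."""
    return [v.strip().strip("'\"") for v in value.strip()[1:-1].split(",") if v.strip()]


def parse_workflow(text):
    """Return (triggers, runner_labels) from workflow YAML text.
    Hypothetical helper: a line-based reader for the common `on:` and `runs-on:`
    forms (scalar, flow list, block form), not a full YAML parser."""
    triggers, runners = set(), set()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"^on:\s*(.*)$", line)
        if m:
            rest = m.group(1).strip()
            if rest.startswith("["):
                triggers.update(_flow_list(rest))
            elif rest:
                triggers.add(rest.strip("'\""))
            else:
                # Block form: event names are the keys at the first indent level under `on:`.
                indent = None
                while i + 1 < len(lines):
                    nxt = lines[i + 1]
                    if not nxt.strip():
                        i += 1
                        continue
                    cur = len(nxt) - len(nxt.lstrip(" "))
                    if cur == 0:
                        break
                    if indent is None:
                        indent = cur
                    km = re.match(r"^\s*(?:-\s*)?([A-Za-z_]+):?\s*$", nxt)
                    if cur == indent and km:
                        triggers.add(km.group(1))
                    i += 1
        m = re.match(r"^\s*runs-on:\s*(.*)$", line)
        if m:
            rest = m.group(1).strip()
            if rest.startswith("["):
                runners.update(_flow_list(rest))
            elif rest:
                runners.add(rest.strip("'\""))
            else:
                # Block sequence of labels on the following lines.
                while i + 1 < len(lines):
                    lm = re.match(r"^\s*-\s*(\S+)\s*$", lines[i + 1])
                    if not lm:
                        break
                    runners.add(lm.group(1).strip("'\""))
                    i += 1
        i += 1
    return triggers, runners


def evaluate(fork_pr_setting, workflows):
    """Findings in the spirit of the proposed check. `workflows` maps file name -> YAML."""
    findings = []
    if fork_pr_setting == REQUIRE_ALL_OUTSIDE:
        return findings
    findings.append(Finding("repository", "Medium",
                            f"fork PR approval is '{fork_pr_setting}', not '{REQUIRE_ALL_OUTSIDE}'"))
    for name, text in workflows.items():
        triggers, runners = parse_workflow(text)
        if "pull_request" not in triggers:
            continue  # the fork-controlled workflow file is only used by pull_request runs
        if "self-hosted" in runners:
            findings.append(Finding(name, "High",
                                    "pull_request workflow can run on a self-hosted runner "
                                    "(treated as possibly non-ephemeral)"))
        else:
            findings.append(Finding(name, "Medium",
                                    "pull_request workflow runs a fork-controlled workflow file"))
    return findings


# Constructed sample workflows; not taken from any real repository.
WORKFLOWS = {
    "ci.yml": "name: CI\non:\n  push:\n    branches:\n      - main\n  pull_request:\n"
              "jobs:\n  test:\n    runs-on: [self-hosted, linux]\n    steps:\n      - run: make test\n",
    "lint.yml": "name: Lint\non: [push, pull_request]\njobs:\n  lint:\n"
                "    runs-on: ubuntu-latest\n    steps:\n      - run: make lint\n",
    "release.yml": "name: Release\non:\n  push:\n    tags:\n      - 'v*'\njobs:\n  build:\n"
                   "    runs-on:\n      - self-hosted\n      - macos\n    steps:\n      - run: make release\n",
}

if __name__ == "__main__":
    for f in evaluate(REQUIRE_FIRST_TIME, WORKFLOWS):
        print(f"[{f.severity}] {f.scope}: {f.message}")
```

With the default setting the example reports the repository-level finding plus a High finding for `ci.yml` and a Medium one for `lint.yml`; `release.yml` is skipped because it never runs on `pull_request`, and switching the setting to "Require approval for all outside collaborators" clears every finding.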
Describe alternatives you've considered
Alternative options to defend against this attack vector are: