Feature: Fork pull request workflows from outside collaborators #3827
Labels
check/Dangerous-workflow
kind/enhancement
New feature or request
kind/new-check
New check for scorecard
Stale
Comments
|
Is this information available via the REST API? I couldn't find it, and neither could the people in https://github.com/orgs/community/discussions/35808. Also, whenever it's available, it seems like the sort of thing GitHub usually requires an admin token for, so it wouldn't be accessible by outsiders or the Scorecard cronjob. But it would be an interesting check, I agree. |
spencerschrock
added
kind/new-check
|
@josepalafox an API for this setting would be nice to have |
|
Hey @laurentsimon I work with a few of the teams around this area. Wanted to share we have a feature request open for this but don't have additional details to share on a timeframe. |
|
This issue has been marked stale because it has been open for 60 days with no activity. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
A GitHub workflow that runs on the pull_request trigger from a fork PR uses the workflow file from the fork, not the PR base.
GitHub supports three options for Fork pull request workflows from outside collaborators:
The default setting is insecure: "Require approval for first-time contributors" as an attacker could send an innocent first time contribution first (e.g. typo fix in a documentation page) and then could trigger workflow executions with overridden actions.
The severity is high when the workflow is executed in a non-ephemeral self-hosted runner environment.
Describe the solution you'd like
I'd like scorecard to emit a finding when this config option is set to anything else but "Require approval for all outside collaborators".
Describe alternatives you've considered
Alternative options to defend against this attack vector are:
The text was updated successfully, but these errors were encountered: