[Actions] Unpinned actions in same organization or same enterprise incorrectly trigger actions/unpinned-tag #18316

Closed
ebickle opened this issue Dec 18, 2024 · 6 comments

Comments

@ebickle
Contributor

ebickle commented Dec 18, 2024

Description of the false positive

The CodeQL rule actions/unpinned-tag (Unpinned tag for a non-immutable Action in workflow) triggers for actions in the same organization or the same enterprise.

The description for the rule states "Unpinned 3rd party Action", which in our case triggered for an action in the same organization. Actions within the same owner, org, or enterprise are not 3rd party actions or untrusted.

Code samples or links to source code

The issue can be reproduced by:

  1. Create the repository sample-actions in the same org (or enterprise)
  2. Add an action to the sample-actions repository and tag the commit as `v1`.
  3. In a different repository, add a workflow that references the new action:
    - uses: same-org/sample-actions@v1
    
@ebickle
Contributor Author

ebickle commented Dec 19, 2024

As far as I know, CodeQL rules only look at the code - not the operating environment - so fixing this could be tricky. One idea I had is that the rule could be modified to only apply to actions in a 'public' repository. That way the rule would only need to look at public information on GitHub without any need to authenticate with an enterprise or organization.

@bewuethr

It looks like the query has a hardcoded set of "trusted organizations":

    private predicate isTrustedOrg(string repo) {
      repo.matches(["actions", "github", "advanced-security"] + "/%")
    }

If you can figure out how to parametrize your own organization, you could copy that query, modify it to allow your org, exclude the original, and use your modified copy instead?

@dbartol
Contributor

dbartol commented Feb 26, 2025

That query can now be configured via a data extension.

Here's the data extension YAML file we use to populate the default list. You can modify this to replace the built-in orgs with your own list of trusted orgs, put it in a model pack, and then configure that model pack to be used by all of the repos in your org.

@felickz
Contributor

felickz commented Feb 27, 2025

Here is a detailed walkthrough to implement the allow list:

Configuration

If there is an Action publisher that you trust, you can include the owner name/organization in a data extension model pack to add it to the allow list for this query. Adding owners to this list will prevent security alerts when using unpinned tags for Actions published by that owner.

Example

To allow any Action from the publisher octodemo, such as octodemo/3rd-party-action, follow these steps:

  1. Create a data extension file /models/trusted-owner.model.yml with the following content:

    extensions:
      - addsTo:
          pack: codeql/actions-all
          extensible: trustedActionsOwnerDataModel
        data:
          - ["octodemo"]
  2. Create a model pack file /codeql-pack.yml with the following content:

    name: my-org/actions-extensions-model-pack
    version: 0.0.0
    library: true
    extensionTargets:
      codeql/actions-all: '*'
    dataExtensions:
      - models/**/*.yml
  3. Ensure that the model pack is included in your CodeQL analysis.

By following these steps, you will add octodemo to the list of trusted Action publishers, and the query will no longer generate security alerts for unpinned tags from this publisher.

References
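Added example (not code from the issue, the query, or CodeQL itself): a small Python checker that mirrors the query's logic as described in this thread, to see which `uses:` references would alert before and after an owner is added to the allow list. It assumes a simplified model of the query: a reference is immutable only when pinned to a full 40-hex commit SHA, and the trusted-owner test is the `owner + "/%"` prefix match from the quoted predicate; the sample workflow is constructed for the demonstration.

```python
import re

# Constructed sample workflow (not from the issue); same-org/sample-actions@v1 is the
# reference from the reproduction steps above.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: same-org/sample-actions@v1
      - uses: some-vendor/tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Built-in trusted owners, as quoted from the query earlier in this thread.
DEFAULT_TRUSTED_OWNERS = ["actions", "github", "advanced-security"]

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_trusted_owner(repo, trusted_owners):
    """Mirror of isTrustedOrg: repo.matches(owner + "/%") for each allowed owner."""
    return any(repo.startswith(owner + "/") for owner in trusted_owners)


def is_pinned(ref):
    """Simplified immutability test: a full 40-hex commit SHA is pinned; tags/branches are not."""
    return bool(SHA_RE.match(ref))


def find_unpinned_actions(workflow_text, trusted_owners=DEFAULT_TRUSTED_OWNERS):
    """Return (line_no, uses_value) for every unpinned action from a non-trusted owner."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        # Local actions and Docker images carry no owner/tag that could be pinned; skip them.
        if uses.startswith("./") or uses.startswith("docker://"):
            continue
        repo, sep, ref = uses.partition("@")
        if not sep or is_pinned(ref) or is_trusted_owner(repo, trusted_owners):
            continue
        findings.append((line_no, uses))
    return findings
```

Running `find_unpinned_actions(SAMPLE_WORKFLOW)` flags only `same-org/sample-actions@v1`; passing `DEFAULT_TRUSTED_OWNERS + ["same-org"]` (the effect of the data extension above) clears it.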

@ebickle
Contributor Author

ebickle commented Feb 27, 2025

Fantastic news @dbartol, appreciate the team's hard work on this! Also appreciate the guide you posted @felickz. I got about 70% done today but you beat me to it. Hoping to test and deploy this tomorrow - it should unblock a very large rollout of actions scanning.

@ebickle
Contributor Author

ebickle commented Feb 28, 2025

Was able to deploy and everything worked great. Thanks!

@ebickle ebickle closed this as completed Feb 28, 2025