github · KyFaSt · Feb 21, 2025 · Feb 21, 2025 · Feb 21, 2025 · Feb 21, 2025
@@ -6,7 +6,7 @@
  * @kind path-problem
  * @problem.severity warning
  * @precision high
- * @security-severity 7.5
+ * @security-severity 0.0
  * @id actions/untrusted-checkout-issue-comment/critical
  * @tags actions
  *       security
@@ -52,4 +52,4 @@ where
   not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
 select poisonable, checkout, poisonable,
-  "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()
+  "Potential execution of untrusted code on a privileged workflow ($@).", event, event.getName()
@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @precision high
- * @security-severity 7.5
+ * @security-severity 0.0
  * @id actions/untrusted-checkout-issue-comment/high
  * @tags actions
  *       security
@@ -26,5 +26,5 @@ where
   inPrivilegedContext(checkout, event) and
   event.getName() = issueCommentTriggers() and
   not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
-select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@).", event,
   event.getName()
@@ -0,0 +1,5 @@
+## 0.6.0
+
+### Major Analysis Improvements
+
+* Moved the trigger `issueComment` in the actions/untrusted-checkout-high (CWE-829) and actions/untrusted-checkout-critical (CWE-829) queries to separate queries (actions/untrusted-checkout-issue-comment-high and actions/untrusted-checkout-issue-comment-critical) because while they are vulnerable to the same attack, they do not have the same resolution. Further work is needed to make this trigger safer to use.