Conversation
Fix languages mixed
…#3783) * Add GHA supply chain security rules (mutable-action-tag, pwn-request) github-actions-mutable-action-tag (WARNING / CWE-1104): - Detects non-SHA-pinned uses: references via pattern-regex with negative lookahead for 40-char hex SHA. Catches all mutable refs including tagged versions, branches, and 'latest'. Validated against 853 peer-vendor repos (6,147 findings, 0 SHA-pinned false positives). - Motivated by TeamPCP campaign where trivy-action@0.29.0 and kics-github-action@master were repointed to malicious commits. gha-pwn-request-fork-checkout (ERROR / CWE-829): - Detects pull_request_target + fork-controlled checkout ref combination (the "Pwn Request" attack pattern). Uses pattern-inside for trigger detection + metavariable-regex for fork ref forms. - Confirmed TPs: sigstore/community (CRITICAL, PULUMI_ACCESS_TOKEN), jfrog/jfrog-cli (HIGH), SonarSource/official-images (HIGH). Both ported from semgrep/semgrep-rules-jsonnet PRs #10484 and #10485 per reviewer feedback that community rules belong in this repository. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Merge gha-pwn-request-fork-checkout into pull-request-target-code-checkout Absorbs the new rule's improvements into the existing rule rather than shipping a duplicate rule for the same vulnerability class: - Severity: WARNING → ERROR; subcategory: audit → vuln - Confidence/likelihood/impact: LOW/LOW/MEDIUM → HIGH/MEDIUM/HIGH - CWE-913 → CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) - OWASP A01 (Broken Access Control) → A08 (Software and Data Integrity Failures) - Drop actions/checkout requirement — any step with ref: is in scope - Replace broad github.event.pull_request metavariable-pattern with precise metavariable-regex targeting head.sha, head.ref, github.head_ref, refs/pull/ - Extend regex to also cover refs/pull/ merge refs (existing test coverage) - Absorb new test cases: github.head_ref, head.ref, sha||github.ref Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Restore original message text in pull-request-target-code-checkout Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Restore original pattern structure; improve ref matching with metavariable-regex Keeps the original actions/checkout + jobs/steps scaffolding. Replaces the broad generic-language metavariable-pattern on $EXPR with a metavariable-regex that precisely targets the dangerous fork-head refs: github.event.pull_request.head.sha, github.event.pull_request.head.ref, github.head_ref, refs/pull/ merge refs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Fix ruleid comment placement in TP-4/5/6 test cases Semgrep reports matches at the `uses:` line, not the `ref:` line inside `with:`. Move ruleid comments to precede `- uses:` to match TP-1/2/3 style. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Use metavariable-pattern + nested metavar-regex for precise ref matching Replaces the previous approaches with the correct technique: keep the original pattern structure (actions/checkout + jobs/steps scaffold), but improve the metavariable-pattern on $EXPR to use pattern-either with a nested metavariable-regex rather than a broad literal prefix match. The generic-mode patterns match as substrings against the captured $EXPR value (e.g. "${{ github.event.pull_request.head.sha }}"), so no ${{ }} wrapper is needed in the sub-patterns: - github.event.pull_request.head.$PR_REF + regex ^(sha|ref)$ catches the two specific dangerous head fields while excluding .number, .body, etc. - github.head_ref ... catches the shorthand form Removes the refs/pull/ test case — that pattern uses .number (not a head ref) and was never covered by the new rule being merged. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Use $...PR_REF ellipsis capture with nested metavariable-pattern $...PR_REF captures the full multi-token expression between ${{ and }}, avoiding the single-token limitation of $PR_REF. metavariable-regex does not support $...VAR, so a nested metavariable-pattern with pattern-either is used instead to match the three dangerous fork-head ref forms: - github.event.pull_request.head.sha - github.event.pull_request.head.ref - github.head_ref Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Simplify metavariable-pattern using pattern-inside ${{ ... }} Uses pattern-inside to scope matches to within ${{ }} expressions, then pattern-either to match the specific dangerous fork-head refs. No metavar capture needed — cleaner than the nested metavariable-pattern approach. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Retain original github.event.pull_request ... pattern alongside new refs Adds github.event.pull_request ... back to the pattern-either so the original broad coverage (including refs/pull/.../merge via .number) is preserved alongside the explicit head.sha, head.ref, and head_ref patterns. Restores the refs/pull/ spelling test case accordingly. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Remove patterns subsumed by github.event.pull_request ... head.sha and head.ref are already matched by the broader prefix pattern. Test cases for both remain (TP-1/2/5 cover head.sha, TP-6 covers head.ref). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Rewrite github-actions-mutable-action-tag to use proper YAML patterns Quality issues fixed: - pattern-regex (raw text scan) -> pattern-inside + pattern + metavariable-pattern, matching the approach used by third-party-action-not-pinned-to-commit-sha and pull-request-target-code-checkout; comment exclusion handled by YAML parser - Add pattern-inside: "{steps: ...}" scope (consistent with comparable rule) - CWE-1104 (Unmaintained Component) -> CWE-1357 + CWE-353 (Integrity Check); CWE-353 is exact for "not verifying integrity of what you execute" - Remove wrong reference to pwn-requests paper (unrelated topic) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Fix more
… rule (#3797) ServerSocket(0) used to detect available ports (→ localPort → close()) is a common benign pattern that does not transmit cleartext data. Add pattern-not-inside clauses scoped to functions returning Int. Closes SRC-12442 Made-with: Cursor
![semgrep-zcs-prod-semgrep[bot]](https://avatars.githubusercontent.com/u/29760937?s=60&v=4){kind=small}
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.ref }} |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
This GitHub Actions workflow file uses pull_request_target and checks out code from the incoming pull request. When using pull_request_target, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., npm build and make) or dependency installation scripts (e.g., python setup.py install). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by pull-request-target-code-checkout.
You can view more details about this finding in the Semgrep AppSec Platform.
| - uses: actions/checkout@v4 | ||
| with: | ||
| ref: ${{ github.event.pull_request.head.sha || github.ref }} |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
This GitHub Actions workflow file uses pull_request_target and checks out code from the incoming pull request. When using pull_request_target, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., npm build and make) or dependency installation scripts (e.g., python setup.py install). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by pull-request-target-code-checkout.
You can view more details about this finding in the Semgrep AppSec Platform.
4 participants
No description provided.