rules:
  - id: third-party-action-not-pinned-to-commit-sha
    patterns:
      - pattern-inside: "{steps: ...}"
      - pattern: |
          uses: "$USES"
      - metavariable-pattern:
          metavariable: $USES
          language: generic
          patterns:
            - pattern-not-regex: ^[.]/
            - pattern-not-regex: ^actions/
            - pattern-not-regex: ^github/
            - pattern-not-regex: ^gradio-app/gradio
            - pattern-not-regex: ^gradio-app/github
            - pattern-not-regex: "@[0-9a-f]{40}$"
            - pattern-not-regex: ^docker://.*@sha256:[0-9a-f]{64}$
            - pattern-not-regex: ^docker://docker$
    message: >-
      An action sourced from a third-party repository on GitHub is not pinned to
      a full-length commit SHA. Pinning an action to a full-length commit SHA is
      currently the only way to use an action as an immutable release. Pinning
      to a particular SHA helps mitigate the risk of a bad actor adding a
      backdoor to the action's repository, as they would need to generate a
      SHA-1 collision for a valid Git object payload.
    languages:
      - yaml
    severity: WARNING
    metadata:
      cwe:
        - "CWE-1357: Reliance on Insufficiently Trustworthy Component"
        - "CWE-353: Missing Support for Integrity Check"
      owasp: A06:2021 - Vulnerable and Outdated Components
      references:
        - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components
        - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
      category: security
      technology:
        - github-actions
      subcategory:
        - vuln
      likelihood: LOW
      impact: LOW
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
        - Other

  - id: insecure-file-permissions
    languages:
      - python
    severity: ERROR
    message: >-
      These permissions `$BITS` are overly permissive and grant access to more
      people than may be necessary. A good default is `0o644`, which gives read
      and write access to yourself and read access to everyone else.
    patterns:
      - pattern-inside: os.$METHOD(...)
      - pattern-either:
          - patterns:
              - pattern: os.$METHOD($FILE, $BITS, ...)
              - metavariable-comparison:
                  comparison: $BITS >= 0o650 and $BITS < 0o100000
          - patterns:
              - pattern: os.$METHOD($FILE, $BITS)
              - metavariable-comparison:
                  comparison: $BITS >= 0o100650
          - patterns:
              - pattern: os.$METHOD($FILE, $BITS, ...)
              - metavariable-pattern:
                  metavariable: $BITS
                  patterns:
                    - pattern-either:
                        - pattern: <... stat.S_IWGRP ...>
                        - pattern: <... stat.S_IXGRP ...>
                        - pattern: <... stat.S_IWOTH ...>
                        - pattern: <... stat.S_IXOTH ...>
                        - pattern: <... stat.S_IRWXO ...>
                        - pattern: <... stat.S_IRWXG ...>
          - patterns:
              - pattern: os.$METHOD($FILE, $EXPR | $MOD, ...)
              - metavariable-comparison:
                  comparison: $MOD == 0o111
      - metavariable-pattern:
          metavariable: $METHOD
          patterns:
            - pattern-either:
                - pattern: chmod
                - pattern: lchmod
                - pattern: fchmod
    metadata:
      category: security
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-276: Incorrect Default Permissions"
      technology:
        - python
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Improper Authorization
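# Added example for the third-party-action-not-pinned-to-commit-sha rule. It is
# not part of the Semgrep rule set: it re-implements the rule's allow-list of
# regexes in plain Python so the verdict for any `uses:` value can be checked
# without running Semgrep. The workflow text, the 40-hex placeholder SHA and the
# function names (is_pinned, find_unpinned) are constructed here. One difference
# from the rule: the rule only looks inside `steps:`, whereas this scanner reads
# every `uses:` line, so a job-level reusable-workflow call is reported as well.
# Note also that a pinned SHA is immutable but not self-updating; pairing it
# with a version comment and an update bot is how it is usually kept current.

```python
import re

# Same allow-list as the Semgrep rule: a `uses:` value is acceptable if it
# matches any of these patterns; everything else is reported as unpinned.
ALLOWED = [
    re.compile(r"^[.]/"),                              # local action in this repo
    re.compile(r"^actions/"),                          # GitHub-owned org
    re.compile(r"^github/"),                           # GitHub-owned org
    re.compile(r"^gradio-app/gradio"),                 # project-specific allow-list
    re.compile(r"^gradio-app/github"),
    re.compile(r"@[0-9a-f]{40}$"),                     # pinned to a full commit SHA
    re.compile(r"^docker://.*@sha256:[0-9a-f]{64}$"),  # image pinned by digest
    re.compile(r"^docker://docker$"),
]

# Matches `- uses: value` / `uses: "value"`; stops at quotes, whitespace or a comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")


def is_pinned(uses: str) -> bool:
    """True when the `uses:` value passes the rule's allow-list."""
    return any(p.search(uses) for p in ALLOWED)


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, uses value) for every unpinned `uses:` in the text."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and not is_pinned(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed workflow: two acceptable steps, one SHA-pinned step, and three
# steps the rule would flag (tag, mutable image tag, branch name).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: some-org/some-action@v2
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567
      - uses: docker://ghcr.io/example/tool:1.2
      - uses: other-org/tool@main
"""

if __name__ == "__main__":
    for lineno, uses in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is not pinned to a full-length commit SHA")
```

# Run as a script it reports lines 9, 11 and 12 of the sample; a short SHA such
# as `@0123456789abcdef` is rejected too, since the rule requires all 40 hex
# digits.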
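# Added example for the insecure-file-permissions rule. It is not part of the
# Semgrep rule set: it shows the os.chmod call shapes the rule flags, the
# 0o644 default the message recommends, and a bit-level check you can run on a
# mode before applying it. The names rule_flags, grants_group_or_other_write_or_exec,
# chmod_and_read_back and demo are chosen here. One caveat the rule itself does
# not state: its numeric branches compare the whole integer against 0o650, so an
# owner-only mode such as 0o700 is reported although it grants nothing to group
# or others; the stat-constant branch, and the bit test below, look at the
# actual group/other bits.

```python
import os
import stat
import tempfile

# Permission bits the rule's stat-constant branch treats as too broad:
# write or execute for group, or write or execute for others.
BROAD_BITS = stat.S_IWGRP | stat.S_IXGRP | stat.S_IWOTH | stat.S_IXOTH

# The default recommended by the rule message, spelled with stat constants.
SAFE_DEFAULT = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH  # 0o644


def rule_flags(mode: int) -> bool:
    """Mirror of the rule's two numeric branches. Values below 0o100000 are
    bare permission bits; values at or above it carry a file-type prefix
    (for example stat.S_IFREG), so the threshold shifts by 0o100000."""
    if mode < 0o100000:
        return mode >= 0o650
    return mode >= 0o100650


def grants_group_or_other_write_or_exec(mode: int) -> bool:
    """Semantic check: does the mode give group or others anything beyond read?"""
    return bool(stat.S_IMODE(mode) & BROAD_BITS)


def chmod_and_read_back(mode: int) -> int:
    """chmod a throwaway file and return the permission bits the kernel kept."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


def demo(path: str) -> None:
    """Each of the first three calls matches one branch of the rule."""
    os.chmod(path, 0o777)                                       # numeric: 0o777 >= 0o650
    os.chmod(path, stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)  # S_IRWXG / S_IRWXO present
    os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | 0o111)  # $EXPR | 0o111
    # The recommended default; the rule accepts this call.
    os.chmod(path, 0o644)


if __name__ == "__main__":
    fd, tmp = tempfile.mkstemp()
    os.close(fd)
    try:
        demo(tmp)
        print(oct(stat.S_IMODE(os.stat(tmp).st_mode)))
    finally:
        os.unlink(tmp)
    for m in (0o644, 0o664, 0o700, 0o755):
        print(oct(m), "rule:", rule_flags(m),
              "group/other write or exec:", grants_group_or_other_write_or_exec(m))
```

# Reading the mode back after chmod is the check worth keeping in a test suite:
# it confirms the bits actually applied, not just the literal in the source.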