Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
GitHub Actions
Go
HTML
Java
JavaScript
JSON
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Shell
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML
YAML

GitHub Actions static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your GITHUB ACTIONS code

Workflows should not rely on unverified GitHub context values to trust events

consistency - conventional

security

Vulnerability

Why is this an issue?

How can I fix it?

More Info

Using github.actor or equivalent properties to check if the actor is a trusted principal on events like pull_request_target could be a security issue, because they do not always refer to the actual creator of the commit or the pull request.

The value represents the entity who triggered the workflow event, which may differ from the actual author of the commit or pull request. If a threat actor could force a trusted actor (such as a bot) into making a change that triggers the workflow, they can bypass the check.

What is the potential impact?

Unauthorized access

An attacker could trick the action to run sensitive jobs/commands with special permissions or secrets. For instance, an auto-merge workflow.

Supply Chain Compromise

If the sensitive code performs a merge or releases an artifact, an attacker can inject malicious code or publish malicious packages, potentially compromising the entire supply chain.

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted