✨ Add Script Injection to Dangerous-Workflow #1368
Conversation
Signed-off-by: Asra Ali <[email protected]>
cc @haydentherapper just fyi!
Integration tests success for
LGTM. Would be good to have some more unit tests for untrusted workflows.
Signed-off-by: Asra Ali <[email protected]>
cfa69b3 to 964b322
added more tests!
Integration tests success for
This is exciting!
Signed-off-by: Asra Ali <[email protected]>
Integration tests success for
Thanks @asraa!
Signed-off-by: Asra Ali [email protected]
What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
Feature: Adds script injection to Dangerous-Workflow check
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
What is the current behavior? (You can also link to an open issue here)
Part of "New check: Check for dangerous code practices in github workflows" #426
What is the new behavior (if this is a feature change)?
Adds a new check.
Feedback: I would like feedback on the scoring for this check. Right now, if any fails, you get a 0.
Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)
Other information:
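The check this PR adds looks for the pattern the linked GitHub guide describes: an attacker-controllable event field interpolated with `${{ }}` straight into a `run:` script, where the shell then treats it as code. As an added illustration, not Scorecard's own implementation (whose code is not on this page), here is a small stdlib-only Go scanner that flags such interpolations in workflow text and leaves the environment-variable form alone. The list of untrusted contexts, the line-based handling of YAML `run:` scalars, and the two sample workflows are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one untrusted expression interpolated into a run: script.
type Finding struct {
	Line    int    // 1-based line number in the workflow text
	Context string // the github.* expression that was interpolated
}

// untrustedContexts is a partial list, assumed for this example, of event
// fields an external contributor can control (see the GitHub security guide
// linked in the PR description for the full set).
var untrustedContexts = []string{
	"github.event.issue.title",
	"github.event.issue.body",
	"github.event.pull_request.title",
	"github.event.pull_request.body",
	"github.event.pull_request.head.ref",
	"github.event.pull_request.head.label",
	"github.event.comment.body",
	"github.event.review.body",
	"github.event.head_commit.message",
	"github.head_ref",
}

var (
	runKey     = regexp.MustCompile(`^(\s*)(?:-\s+)?run:\s*(.*)$`)
	expression = regexp.MustCompile(`\$\{\{\s*([^}]+?)\s*\}\}`)
)

func isUntrusted(expr string) bool {
	for _, ctx := range untrustedContexts {
		if strings.Contains(expr, ctx) {
			return true
		}
	}
	return false
}

// indentOf returns the number of leading spaces on a line.
func indentOf(s string) int {
	return len(s) - len(strings.TrimLeft(s, " "))
}

// scanScript reports every untrusted ${{ }} expression on one script line.
func scanScript(lineNo int, script string) []Finding {
	var out []Finding
	for _, m := range expression.FindAllStringSubmatch(script, -1) {
		if isUntrusted(m[1]) {
			out = append(out, Finding{Line: lineNo, Context: m[1]})
		}
	}
	return out
}

// FindScriptInjections scans workflow YAML text line by line and reports
// untrusted expressions inside run: steps (single-line or block scalars).
// Expressions elsewhere, e.g. in an env: block, are not reported: the value
// then reaches the shell as an environment variable, not as script source.
func FindScriptInjections(workflow string) []Finding {
	var findings []Finding
	inBlock, blockIndent := false, 0
	for i, line := range strings.Split(workflow, "\n") {
		if inBlock {
			// A block scalar continues while lines are blank or indented
			// deeper than the run: key itself.
			if strings.TrimSpace(line) == "" || indentOf(line) > blockIndent {
				findings = append(findings, scanScript(i+1, line)...)
				continue
			}
			inBlock = false
		}
		m := runKey.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		rest := strings.TrimSpace(m[2])
		if strings.HasPrefix(rest, "|") || strings.HasPrefix(rest, ">") {
			inBlock, blockIndent = true, strings.Index(line, "run:")
			continue
		}
		findings = append(findings, scanScript(i+1, rest)...)
	}
	return findings
}

// Constructed sample: the vulnerable pattern, where the PR title is spliced
// into the shell script before it runs.
const vulnerableWorkflow = `name: check-title
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check PR title
        run: |
          title="${{ github.event.pull_request.title }}"
          if [[ $title =~ ^octocat ]]; then
            echo "PR title starts with 'octocat'"
          fi
`

// Constructed sample: the hardened form, passing the value through an
// environment variable so the shell treats it as data, not code.
const hardenedWorkflow = `name: check-title
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check PR title
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          if [[ "$TITLE" =~ ^octocat ]]; then
            echo "PR title starts with 'octocat'"
          fi
`

func main() {
	for _, s := range []struct{ name, wf string }{{"vulnerable", vulnerableWorkflow}, {"hardened", hardenedWorkflow}} {
		findings := FindScriptInjections(s.wf)
		fmt.Printf("%s: %d finding(s)\n", s.name, len(findings))
		for _, f := range findings {
			fmt.Printf("  line %d: untrusted context %s interpolated into run: script\n", f.Line, f.Context)
		}
	}
}
```

Running it reports one finding at line 9 of the vulnerable sample and none for the hardened one. The scanner is deliberately string-based rather than a YAML parse, so it will miss expressions split across folded lines or built from other contexts; a real check, like the one in this PR, would walk the parsed workflow instead.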