GitHub Action policies

Learn about the out-of-the-box finding policies for GitHub Actions.

Endor Labs provides the following out-of-the-box policies that help you assess the security posture of GitHub Actions used in your software delivery process.

See Finding Policies for details on how to enable, disable, or edit out-of-the-box policies.

Policies for RSPM

Policy Template Description Severity
Default workflow token permission should be read only Set the default GitHub Action workflow token permission to read-only. It is highly recommended to adhere to the principle of least privilege for generating workflow tokens and enforce the workflow authors to explicitly specify the permissions they require. High
Restrict GitHub Actions to selected repositories Selectively enabling GitHub Actions ensures better resource management and mitigates security risks. Raise findings for organizations where GitHub Actions are enabled for all repositories. Medium
Restrict runner groups to specific repositories It is recommended to limit the runner groups to specific repositories. Malicious users within an organization can create repositories with workflows designed to exploit vulnerabilities. If such repositories are allowed access to the organization’s hosted runners, they could trigger automated tasks and disrupt your network. High
Restrict the use of runner groups for public repositories It is recommended to allow only workflows from private or internal repositories to run on GitHub hosted runners. This prevents security risks posed by malicious actors who could exploit workflows from public repositories to gain unauthorized access to your private network. High
Workflows should not be allowed to create and approve pull requests Do not configure the GitHub Action workflows to create and approve pull requests. Code review is a crucial part of the software development process and must be performed by human reviewers. High

Policies for assessing configuration settings in workflow files

Policy Template Description Severity
Non-OIDC cloud authentication detected in GitHub workflow file The GitHub Action workflow file authenticates to the cloud without using OIDC. Do not use hardcoded secrets to authenticate with a cloud provider. OpenID Connect(OIDC) is recommended, which provides a short-lived access token directly from the cloud provider. High
Script injection detection in GitHub workflow file The workflow file contains a bash injection script with an expression that could include user input. As a best practice, assign the value of untrusted input expressions to an intermediate environment variable to mitigate code and command injection vulnerabilities in GitHub workflows. High
Secrets object detected in GitHub workflow file This GitHub Actions job has access to all repository and organization secrets. As a best practice, avoid using ${{ toJSON(secrets) }} or ${{ secrets[...] }} and consider using GitHub Actions environment variables accessing individual secrets to restrict the secrets available to the job. High
Untrusted code checkout detected in workflow file This repository workflow uses ‘pull_request_target’ with an explicit PR checkout and executes build commands like ’npm install’ or ’npm build’. This is risky because the build scripts and referenced packages are controlled by the PR author. High