SecretsInherit.ql
/**
 * @name Secrets inherited by reusable workflow
 * @description Using `secrets: inherit` passes every secret the calling workflow can access
 *              to a reusable workflow, which is more than most callees need.
 * @kind problem
 * @precision medium
 * @security-severity 3.0
 * @problem.severity recommendation
 * @id actions/secrets-inherit
 * @tags actions
 *       security
 *       experimental
 *       external/cwe/cwe-200
 */

import actions
private import codeql.actions.ast.internal.Yaml
private import codeql.actions.ast.internal.Ast

// An ExternalJob is a job that calls a reusable workflow through `uses:`.
// Its job-level `secrets:` key is either a mapping of named secrets or the
// bare scalar `inherit`; only the scalar form is flagged, since an explicit
// mapping is already the least-privilege shape this query recommends.
from ExternalJob job, YamlScalar secretsNode
where
  secretsNode = job.(ExternalJobImpl).getNode().lookup("secrets") and
  secretsNode.getValue() = "inherit"
select secretsNode,
  "Every secret accessible to the calling workflow is forwarded to $@. Consider passing only the secrets it actually needs.",
  job.(Uses).getCalleeNode(), job.(Uses).getCallee()
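The query above needs a CodeQL database of the repository to run. As an added, stand-alone illustration of the same check (this is not code from the query or from the CodeQL Actions library), the Python script below embeds a constructed caller workflow with three jobs: `publish` forwards everything with `secrets: inherit` (the pattern the query flags), `notify` passes an explicit allow-list (the remediated form), and `build` is an ordinary job with no callee. The workflow, job names and callee paths are made up for the example; the reader is a small indentation-based scanner for the `jobs:` block, not a YAML parser.

```python
"""Flag reusable-workflow calls that use `secrets: inherit`.

Mirrors the CodeQL query: a job is a caller of a reusable workflow when it
has a `uses:` key, and it is reported only when its job-level `secrets:` is
the bare scalar `inherit` rather than an explicit mapping.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample workflow for this example (not from a real repository).
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['v*']

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

  publish:
    uses: octo-org/octo-repo/.github/workflows/publish.yml@main
    secrets: inherit

  notify:
    uses: ./.github/workflows/notify.yml
    secrets:
      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
"""


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def parse_jobs(workflow: str) -> dict[str, dict]:
    """Read the `jobs:` block: job ids at indent 2, scalar keys at indent 4,
    and the names inside an explicit `secrets:` mapping at indent 6.
    Nested lists such as `steps:` are skipped; this is deliberately minimal."""
    jobs: dict[str, dict] = {}
    in_jobs = False
    job = None
    current_key = None
    for raw in workflow.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = _indent(raw), raw.strip()
        if indent == 0:                      # new top-level key
            in_jobs = line == "jobs:"
            job = None
            continue
        if not in_jobs:
            continue
        if indent == 2 and line.endswith(":"):
            job = line[:-1]
            jobs[job] = {}
            current_key = None
        elif indent == 4 and job is not None:
            key, _, value = line.partition(":")
            current_key = key.strip()
            # An empty value means a nested mapping (or list) follows.
            jobs[job][current_key] = value.strip() or {}
        elif (indent >= 6 and job is not None and current_key == "secrets"
              and isinstance(jobs[job].get("secrets"), dict)):
            name, _, value = line.partition(":")
            jobs[job]["secrets"][name.strip()] = value.strip()
    return jobs


@dataclass(frozen=True)
class Finding:
    job_id: str
    callee: str


def find_secrets_inherit(workflow: str) -> list[Finding]:
    """Jobs that call a reusable workflow and forward every caller secret."""
    return [
        Finding(job_id, body["uses"])
        for job_id, body in parse_jobs(workflow).items()
        if "uses" in body and body.get("secrets") == "inherit"
    ]


def explicit_secrets(workflow: str) -> dict[str, list[str]]:
    """Secret names each caller passes explicitly: the least-privilege form."""
    return {
        job_id: sorted(body["secrets"])
        for job_id, body in parse_jobs(workflow).items()
        if "uses" in body and isinstance(body.get("secrets"), dict)
    }


if __name__ == "__main__":
    for f in find_secrets_inherit(SAMPLE_WORKFLOW):
        print(f"{f.job_id}: every caller secret is forwarded to {f.callee}")
```

Run against the embedded sample, only `publish` is reported; `notify` is the shape to move it to, with each secret the callee needs named in the mapping and nothing else.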