
[Actions] Unpinned actions in same organization or same enterprise incorrectly trigger actions/unpinned-tag #18316

Open
ebickle opened this issue Dec 18, 2024 · 2 comments

Comments

@ebickle
Contributor

ebickle commented Dec 18, 2024

Description of the false positive

The CodeQL rule actions/unpinned-tag (Unpinned tag for a non-immutable Action in workflow) triggers for actions in the same organization or the same enterprise.

The description for the rule states "Unpinned 3rd party Action", which in our case triggered for an action in the same organization. Actions within the same owner, org, or enterprise are not 3rd party actions or untrusted.

Code samples or links to source code

The issue can be reproduced by:

  1. Create the repository sample-actions in the same org (or enterprise)
  2. Add an action to the sample-actions repository and tag the commit as `v1`.
  3. In a different repository, add a workflow that references the new action:
    - uses: same-org/sample-actions@v1
    
@ebickle
Contributor Author

ebickle commented Dec 19, 2024

As far as I know, CodeQL rules only look at the code - not the operating environment - so fixing this could be tricky. One idea I had is that the rule could be modified to only apply to actions in a 'public' repository. That way the rule would only need to look at public information on GitHub without any need to authenticate with an enterprise or organization.

@bewuethr

It looks like the query has a hardcoded set of "trusted organizations":

    private predicate isTrustedOrg(string repo) {
      repo.matches(["actions", "github", "advanced-security"] + "/%")
    }

If you can figure out how to parametrize your own organization, you could copy that query, modify it to allow your org, exclude the original, and use your modified copy instead?
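As an added illustration of the workaround discussed in this thread (not part of the CodeQL query or this issue), the check below mirrors the hardcoded isTrustedOrg predicate in plain Python and lets the caller add their own organization to the trusted set; the workflow fragment and the organization name same-org are constructed for the demonstration.

```python
import re

# Organizations the CodeQL query treats as trusted (the hardcoded set quoted
# above); the caller extends this with its own org/enterprise owners.
DEFAULT_TRUSTED_ORGS = frozenset({"actions", "github", "advanced-security"})

# Matches `uses: owner/repo[/path]@ref`; local (./) and docker:// uses do not match.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([\w.-]+)/([\w.-]+)(/[^@"'\s]*)?@([^"'\s#]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA is the immutable form


def is_trusted_org(owner: str, trusted_orgs=DEFAULT_TRUSTED_ORGS) -> bool:
    """Mirror of the query's isTrustedOrg predicate, with a configurable set."""
    return owner in trusted_orgs


def find_unpinned(workflow_text: str, trusted_orgs=DEFAULT_TRUSTED_ORGS):
    """Return (line_no, 'owner/repo@ref') for every action reference that is
    neither pinned to a full commit SHA nor owned by a trusted org."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        owner, repo, _path, ref = m.groups()
        if SHA_RE.match(ref):
            continue  # pinned to an immutable commit
        if is_trusted_org(owner, trusted_orgs):
            continue  # same org or explicitly trusted owner
        findings.append((line_no, f"{owner}/{repo}@{ref}"))
    return findings


# Constructed workflow fragment for the demonstration.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: same-org/sample-actions@v1
      - uses: third-party/setup-thing@v2
      - uses: third-party/pinned@0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    print("default trusted set:", find_unpinned(SAMPLE_WORKFLOW))
    print("own org added:", find_unpinned(SAMPLE_WORKFLOW, DEFAULT_TRUSTED_ORGS | {"same-org"}))
```

With the default set the same-org reference is reported exactly as the query does today; adding the organization to the trusted set removes that finding while the genuinely third-party tag is still flagged.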
