From 32f191cd9d0f48d61f605933c5a6de9dca5babf9 Mon Sep 17 00:00:00 2001 From: Aditya Sharad Date: Mon, 14 Apr 2025 13:21:59 -0700 Subject: [PATCH 1/6] Docs: Remove public preview notice for Actions support Ready for GA. --- docs/codeql/reusables/supported-versions-compilers.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/codeql/reusables/supported-versions-compilers.rst b/docs/codeql/reusables/supported-versions-compilers.rst index 7d5a9bdb34ab..bbefaf79ccef 100644 --- a/docs/codeql/reusables/supported-versions-compilers.rst +++ b/docs/codeql/reusables/supported-versions-compilers.rst @@ -16,7 +16,7 @@ .NET Core up to 3.1 .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``" - GitHub Actions [12]_,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``" + GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``" Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go`` Java,"Java 7 to 24 [5]_","javac (OpenJDK and Oracle JDK), @@ -41,4 +41,3 @@ .. [9] Requires glibc 2.17. .. [10] Support for the analysis of Swift requires macOS. .. [11] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default. - .. [12] Support for GitHub Actions is in public preview. From eeb938a76de013fcacda6ccf0708f72e1c911125 Mon Sep 17 00:00:00 2001 From: Aditya Sharad Date: Mon, 14 Apr 2025 13:25:54 -0700 Subject: [PATCH 2/6] Docs: Minor fixes for Actions query help --- actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md | 2 +- actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md index cc35402b804d..5d2c61150972 100644 --- a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md @@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v ### Exploitation -An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. +An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. ## References diff --git a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md index 6c681856a7b3..c33b89fdcec6 100644 --- a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md +++ b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md @@ -2,11 +2,11 @@ ## Description -Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered. +Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered. ## Recommendations -Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner. +Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner. ## Examples From 93fbb9fe6155de2d0ca44448ae930f3b3597b5d5 Mon Sep 17 00:00:00 2001 
From: Aditya Sharad Date: Mon, 14 Apr 2025 14:39:31 -0700 Subject: [PATCH 3/6] Actions: Update description of missing permissions query --- actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql index aedf65bc564e..a8bd8a5f93dc 100644 --- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql +++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql @@ -1,6 +1,6 @@ /** * @name Workflow does not contain permissions - * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow. + * @description Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN. * @kind problem * @security-severity 5.0 * @problem.severity warning From 6eb060f16a2a16075ffa50bc28d16b8da553a394 Mon Sep 17 00:00:00 2001 From: Aditya Sharad Date: Mon, 14 Apr 2025 14:41:08 -0700 Subject: [PATCH 4/6] Actions: Add security-severity to excessive secrets exposure query Same value as missing actions permissions, both providing warnings to follow the principle of least privilege within a workflow. --- actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql | 1 + 1 file changed, 1 insertion(+) diff --git a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql index a83685207bc2..1a01033c5676 100644 --- a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql +++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql @@ -3,6 +3,7 @@ * @description All organization and repository secrets are passed to the workflow runner. * @kind problem * @precision high + * @security-severity 5.0 * @problem.severity warning * @id actions/excessive-secrets-exposure * @tags actions 
From f9103f8ddc3b09a80ec8a5dbffaee3f54f38e493 Mon Sep 17 00:00:00 2001 From: Aditya Sharad Date: Mon, 14 Apr 2025 14:48:33 -0700 Subject: [PATCH 5/6] Actions: Add change note for missing severity --- ...025-04-14-excessive-secrets-exposure-security-severity.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md diff --git a/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md new file mode 100644 index 000000000000..9beaabecbe65 --- /dev/null +++ b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md @@ -0,0 +1,5 @@ +--- +category: fix +--- +* Assigned a `security-severity` to the query `actions + excessive-secrets-exposure`. \ No newline at end of file From 495276856987c7b4155ee5146242487db27163a5 Mon Sep 17 00:00:00 2001 From: Aditya Sharad Date: Tue, 15 Apr 2025 10:21:54 -0700 Subject: [PATCH 6/6] Actions: Fix change note newline --- .../2025-04-14-excessive-secrets-exposure-security-severity.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md index 9beaabecbe65..c59e1eb9db33 100644 --- a/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md +++ b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md @@ -1,5 +1,4 @@ --- category: fix --- -* Assigned a `security-severity` to the query `actions - excessive-secrets-exposure`. \ No newline at end of file +* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`. \ No newline at end of file
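Review bot: in patch 1/6, removing the `[12]_` reference from the GitHub Actions row together with the `.. [12]` definition keeps the footnote set consistent, but only the rows inside these two hunks are visible; please confirm no other row of `supported-versions-compilers.rst` still cites `[12]_`, since a reference to a footnote that no longer exists breaks the docs build. The remaining footnotes do not need renumbering because the labels are explicit.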
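Review bot: style point on patch 4/6: `MissingActionsPermissions.ql` (patch 3/6) places `@security-severity` directly after `@kind`, while this hunk inserts it after `@precision`. Tag order does not change query behaviour, but keeping the same metadata order across the Actions queries makes the headers easier to compare. The rationale given in the commit message (same 5.0 value as the missing-permissions query, both warning about least privilege in a workflow) is also worth carrying into the change note, since a reader of the note alone will not see it.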
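Review bot: logic problem in the change note added by patch 5/6: the inline code span for the query id is split across two lines, ``* Assigned a `security-severity` to the query `actions`` and ``  excessive-secrets-exposure`.``, which drops the `/` and leaves an unterminated backtick span on each line, so the rendered note names a query that does not exist. The file is also added without a terminating newline (`\ No newline at end of file`). Write the entry on one line, `* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.`, with a final newline. Patch 6/6 addresses the first issue but not the second.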
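Review bot: patch 6/6 is titled "Fix change note newline", but the replacement line is still marked `\ No newline at end of file`, so while the id is now correctly `actions/excessive-secrets-exposure` on a single line, the file still lacks a terminating newline. Since this commit is the one meant to fix the note's line endings, add the final newline here so the change note is not left in the same state it was in before.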