Security Advisories

# GitHub Security Advisories Verification Results

This document summarizes sisakulint’s detection capability against all 38 GitHub Security Advisories for the GitHub Actions ecosystem.

## Summary

| Metric | Value |
|---|---|
| Total Advisories | 38 |
| Detected (Direct) | 28 |
| Detected (Category Match) | 31 |
| Not Detectable | 7 |
| Detection Rate | 81.6% |

## Detection Categories

| Rule | Detections |
|---|---|
| code-injection-critical | 21 |
| known-vulnerable-actions | 16 |
| dangerous-triggers-critical | 11 |
| untrusted-checkout | 10 |
| code-injection-medium | 5 |
| argument-injection-critical | 2 |
| deprecated-commands | 2 |
| artifact-poisoning-critical | 1 |
| artifact-poisoning-medium | 1 |
| cache-poisoning-poisonable-step | 1 |
| argument-injection-medium | 1 |

## Detection Results

### Code Injection Vulnerabilities

| GHSA ID | Action | Severity | Detected | Detection Rule |
|---|---|---|---|---|
| GHSA-pwf7-47c3-mfhx | j178/prek-action | Critical | Yes | KnownVulnerableActionsRule, UntrustedCheckoutRule |
| GHSA-65rg-554r-9j5x | lycheeverse/lychee-action | Moderate | Yes | KnownVulnerableActionsRule |
| GHSA-2487-9f55-2vg9 | OZI-Project/publish | Moderate | Yes | CodeInjectionMediumRule |
| GHSA-7x29-qqmq-v6qc | ultralytics/actions | High | Yes | CodeInjectionCriticalRule, ArgumentInjectionCriticalRule |
| GHSA-4xqx-pqpj-9fqw | atlassian/gajira-create | Critical | Yes | CodeInjectionCriticalRule |
| GHSA-rg3q-prf8-qxmp | embano1/wip | High | Yes | CodeInjectionMediumRule, ArgumentInjectionMediumRule |

### Command Injection Vulnerabilities

| GHSA ID | Action | Severity | Detected | Detection Rule |
|---|---|---|---|---|
| GHSA-gq52-6phf-x2r6 | tj-actions/branch-names | Critical | Yes | CodeInjectionCriticalRule |
| GHSA-8v8w-v8xg-79rf | tj-actions/branch-names | Critical | Yes | CodeInjectionCriticalRule |
| GHSA-ghm2-rq8q-wrhc | tj-actions/verify-changed-files | High | Yes | UntrustedCheckoutRule |
| GHSA-mcph-m25j-8j63 | tj-actions/changed-files | High | Yes | DangerousTriggersRule |
| GHSA-6q4m-7476-932w | rlespinasse/github-slug-action | High | Yes | CodeInjectionCriticalRule |
| GHSA-f9qj-7gh3-mhj4 | kartverket/github-workflows | High | Yes | CodeInjectionCriticalRule, UntrustedCheckoutRule |

### Secret/Token Exposure Vulnerabilities

| GHSA ID | Action | Severity | Detected | Detection Rule |
|---|---|---|---|---|
| GHSA-phf6-hm3h-x8qp | broadinstitute/cromwell | Critical | Yes | CodeInjectionCriticalRule |
| GHSA-c5qx-p38x-qf5w | RageAgainstThePixel/setup-steamcmd | High | Yes | KnownVulnerableActionsRule |
| GHSA-mj96-mh85-r574 | buildalon/setup-steamcmd | High | Yes | KnownVulnerableActionsRule |
| GHSA-26wh-cc3r-w6pj | canonical/get-workflow-version-action | High | Yes | KnownVulnerableActionsRule |
| GHSA-vqf5-2xx6-9wfm | github/codeql-action | High | Yes | KnownVulnerableActionsRule |
| GHSA-4mgv-m5cm-f9h7 | hashicorp/vault-action | High | Yes | KnownVulnerableActionsRule |
| GHSA-g86g-chm8-7r2p | check-spelling/check-spelling | Critical | Yes | KnownVulnerableActionsRule, DangerousTriggersRule |

### Argument/Expression Injection Vulnerabilities

| GHSA ID | Action | Severity | Detected | Detection Rule |
|---|---|---|---|---|
| GHSA-5xq9-5g24-4g6f | SonarSource/sonarqube-scan-action | High | Yes | DangerousTriggersRule, UntrustedCheckoutRule |
| GHSA-f79p-9c5r-xg88 | SonarSource/sonarqube-scan-action | High | Yes | DangerousTriggersRule, UntrustedCheckoutRule |
| GHSA-vxmw-7h4f-hqxh | pypa/gh-action-pypi-publish | Low | Yes | DangerousTriggersRule, UntrustedCheckoutRule |
| GHSA-xj87-mqvh-88w2 | fish-shop/syntax-check | Moderate | Yes | DangerousTriggersRule, UntrustedCheckoutRule |
| GHSA-hw6r-g8gj-2987 | pytorch/pytorch | Moderate | Yes | CodeInjectionCriticalRule, ArgumentInjectionCriticalRule |
| GHSA-7f32-hm4h-w77q | rlespinasse/github-slug-action | Moderate | Yes | DeprecatedCommandsRule, CodeInjectionCriticalRule |

### Supply Chain / Artifact Poisoning Vulnerabilities

| GHSA ID | Action | Severity | Detected | Detection Rule |
|---|---|---|---|---|
| GHSA-qmg3-hpqr-gqvc | reviewdog/action-setup | High | Partial | CommitShaRule (tag usage warning) |
| GHSA-mrrh-fwg8-r2c3 | tj-actions/changed-files | High | Yes | KnownVulnerableActionsRule |
| GHSA-5xr6-xhww-33m4 | dawidd6/action-download-artifact | High | Yes | ArtifactPoisoningMediumRule, KnownVulnerableActionsRule |
| GHSA-cxww-7g56-2vh6 | actions/download-artifact | High | Yes | ArtifactPoisoningCriticalRule, KnownVulnerableActionsRule |
| GHSA-h3qr-39j9-4r5v | gradle/gradle-build-action | High | Yes | CachePoisoningRule, UntrustedCheckoutRule |
| GHSA-x6gv-2rvh-qmp6 | BoldestDungeon/steam-workshop-deploy | Critical | Yes | KnownVulnerableActionsRule |

### Miscellaneous Vulnerabilities

| GHSA ID | Action | Severity | Detected | Detection Rule |
|---|---|---|---|---|
| GHSA-mxr3-8whj-j74r | step-security/harden-runner | Moderate | Partial | KnownVulnerableActionsRule |
| GHSA-m32f-fjw2-37v3 | bullfrogsec/bullfrog | Moderate | No | Not detectable (runtime) |
| GHSA-g85v-wf27-67xc | step-security/harden-runner | Low | Yes | KnownVulnerableActionsRule |
| GHSA-p756-rfxh-x63h | Azure/setup-kubectl | Low | No | Not detectable (action internal) |
| GHSA-2c6m-6gqh-6qg3 | actions/runner | High | Partial | DangerousTriggersRule |
| GHSA-634p-93h9-92vh | some-natalie/ghas-to-csv | Moderate | No | Not detectable (output format) |
| GHSA-99jg-r3f4-rpxj | afichet/openexr-viewer | Critical | No | Not detectable (not workflow) |

## Non-Detection Categories

| Reason | Count | Examples |
|---|---|---|
| Action internal implementation | 2 | GHSA-p756-rfxh-x63h (file permissions), GHSA-634p-93h9-92vh (CSV output) |
| Runtime behavior | 2 | GHSA-m32f-fjw2-37v3 (DNS filtering) |
| Not workflow related | 1 | GHSA-99jg-r3f4-rpxj (memory overflow in binary) |
| Time-bomb attacks (detected via KnownVulnerableActionsRule) | 2 | GHSA-qmg3-hpqr-gqvc, GHSA-mrrh-fwg8-r2c3 |

## Key Findings

  1. High Detection Rate: sisakulint successfully detects 81.6% of all GitHub Actions advisories.

  2. KnownVulnerableActionsRule Effectiveness: 16 advisories are detected via the KnownVulnerableActionsRule, which checks against a database of known vulnerable action versions.

  3. Code Injection Detection: 26 code injection instances are detected across 21 critical and 5 medium severity findings.

  4. Dangerous Triggers: 11 workflows with dangerous triggers (pull_request_target, workflow_run, issue_comment) are flagged.

  5. Supply Chain Protection: Both artifact poisoning and cache poisoning patterns are detected.

## Recommendations for sisakulint Improvement

  1. Container Environment Variables: Consider adding detection for untrusted input in container.env context (GHSA-2c6m-6gqh-6qg3).

  2. CSV Injection: Consider adding output format validation rules for security-sensitive data exports.

  3. Regular Database Updates: Keep the KnownVulnerableActionsRule database updated with new advisories.
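As an added illustration of the critical/medium split behind the code-injection findings above and of Recommendation 1, this Go example (written for this page, not sisakulint's own code) scans a constructed workflow fragment for untrusted `${{ }}` expressions and rates them by whether they land in a `run:` script or in an `env:`/`container.env` value. The untrusted-context list, the `Scan` function and the rule names are assumptions modelled on the categories in this document.

```go
package main

import (
	"regexp"
	"strings"
)

// Finding is one flagged expression and the sisakulint-style rule it maps to.
type Finding struct {
	Line       int
	Expr, Rule string
}
// exprRe captures the inside of an expression such as ${{ github.head_ref }}.
var exprRe = regexp.MustCompile(`\$\{\{\s*([^}]+?)\s*\}\}`)
// untrustedRe: context paths an external contributor controls (assumed list; sisakulint's is longer).
var untrustedRe = regexp.MustCompile(`^github\.(head_ref|event\.comment\.body|event\.(issue|pull_request)\.(title|body))`)

// Scan walks a workflow line by line. Inside a `run:` scalar (including the
// indented lines of a `|` block) the value lands in a shell script, so an
// untrusted expression is critical. Anywhere else, including container.env,
// it is medium: it is exploitable only if a later step expands it unquoted.
func Scan(workflow string) []Finding {
	var out []Finding
	inRun, runIndent := false, 0
	for i, line := range strings.Split(workflow, "\n") {
		trimmed := strings.TrimPrefix(strings.TrimSpace(line), "- ")
		indent := len(line) - len(strings.TrimLeft(line, " "))
		if !inRun || (trimmed != "" && indent <= runIndent) {
			inRun, runIndent = strings.HasPrefix(trimmed, "run:"), indent
		}
		for _, m := range exprRe.FindAllStringSubmatch(line, -1) {
			if untrustedRe.MatchString(m[1]) {
				f := Finding{Line: i + 1, Expr: m[1], Rule: "code-injection-medium"}
				if inRun {
					f.Rule = "code-injection-critical"
				}
				out = append(out, f)
			}
		}
	}
	return out
}

// sampleWorkflow is a constructed fragment with one untrusted value in
// container.env, one in a run script, and one trusted expression (github.sha).
const sampleWorkflow = `jobs:
  build:
    container:
      env:
        PR_TITLE: ${{ github.event.pull_request.title }}
    steps:
      - run: |
          echo "Branch: ${{ github.head_ref }} at ${{ github.sha }}"
`
```

`Scan(sampleWorkflow)` reports line 5 as code-injection-medium and line 8 as code-injection-critical, while `github.sha` is left alone.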

## Running Verification

```bash
# Build sisakulint
go build ./cmd/sisakulint

# Run on all vulnerable patterns
sisakulint script/actions/advisory/*-vulnerable.yaml

# Run on safe patterns (should have minimal security warnings)
sisakulint script/actions/advisory/*-safe.yaml
```

## References