Rules

sisakulint Rules #

sisakulint provides comprehensive security rules for GitHub Actions workflows. Rules are categorized by the security risks they address.

Security Rules Overview #

Code Injection / Poisoned Pipeline Execution (CICD-SEC-04) #

RuleSeverityDescription
code-injection-criticalCriticalDetects untrusted input in privileged workflow triggers
code-injection-mediumMediumDetects untrusted input in normal workflow triggers
envvar-injection-criticalCriticalDetects untrusted input written to $GITHUB_ENV in privileged triggers
envvar-injection-mediumMediumDetects untrusted input written to $GITHUB_ENV in normal triggers
envpath-injection-criticalCriticalDetects untrusted input written to $GITHUB_PATH in privileged triggers
envpath-injection-mediumMediumDetects untrusted input written to $GITHUB_PATH in normal triggers
untrusted-checkoutCriticalDetects checkout of untrusted PR code in privileged contexts
untrusted-checkout-toctou-criticalCriticalDetects TOCTOU vulnerabilities with labeled event type and mutable refs
untrusted-checkout-toctou-highHighDetects TOCTOU vulnerabilities with deployment environment and mutable refs
improper-access-controlCriticalDetects label-based approval bypass vulnerabilities
bot-conditionsHighDetects spoofable bot detection conditions
unsound-containsMediumDetects bypassable contains() function usage

Artifact and Cache Poisoning (CICD-SEC-09) #

RuleSeverityDescription
artifact-poisoning-criticalCriticalDetects artifact poisoning in privileged workflows
artifact-poisoning-mediumMediumDetects artifact poisoning in normal workflows
cache-poisoningHighDetects cache poisoning vulnerabilities
cache-poisoning-poisonable-stepHighDetects poisonable steps after unsafe checkout
artipackedHighDetects credential leakage via persisted checkout credentials

Identity and Access Management (CICD-SEC-02) #

RuleSeverityDescription
permissionsHighValidates GITHUB_TOKEN permission scopes
secret-exposureHighDetects excessive secrets exposure patterns
unmasked-secret-exposureHighDetects unmasked secret exposure from fromJson()

Credential Hygiene (CICD-SEC-06) #

RuleSeverityDescription
credentialsHighDetects hardcoded credentials using Rego

Third Party Services (CICD-SEC-08) #

RuleSeverityDescription
action-listMediumEnforces action allowlist/blocklist policies
commit-shaHighValidates commit SHA pinning in actions
known-vulnerable-actionsCriticalDetects actions with known security vulnerabilities
archived-usesMediumDetects usage of archived actions
impostor-commitCriticalDetects impostor commits from fork network
ref-confusionHighDetects ref confusion attacks
unpinned-imagesMediumDetects container images not pinned by SHA256

Workflow Validation #

RuleSeverityDescription
idLowValidates job and step IDs
job-needsLowValidates job dependencies
workflow-callMediumValidates reusable workflow calls
timeout-minutesMediumEnsures timeout-minutes is set

Expression and Syntax Validation #

RuleSeverityDescription
expressionMediumValidates GitHub Actions expression syntax
conditionalMediumValidates conditional expressions
environment-variableLowValidates environment variable names
deprecated-commandsHighDetects deprecated workflow commands

Runner Security #

RuleSeverityDescription
self-hosted-runnersHighDetects self-hosted runner usage in public repos

Obfuscation Detection #

RuleSeverityDescription
obfuscationHighDetects obfuscated workflow patterns

Auto-Fix Support #

The following rules support automatic fixing with sisakulint -fix on:

  • timeout-minutes - Adds default timeout-minutes: 5
  • commit-sha - Converts action tags to commit SHAs
  • credentials - Removes hardcoded passwords
  • code-injection-critical/medium - Moves untrusted expressions to environment variables
  • envvar-injection-critical/medium - Sanitizes untrusted input before writing to $GITHUB_ENV
  • envpath-injection-critical/medium - Validates paths with realpath before writing to $GITHUB_PATH
  • untrusted-checkout - Adds explicit ref to checkout in privileged contexts
  • untrusted-checkout-toctou-critical/high - Fixes TOCTOU vulnerabilities
  • artifact-poisoning-critical/medium - Adds validation steps for artifact downloads
  • improper-access-control - Replaces mutable refs with immutable SHAs and changes event types
  • conditional - Removes unnecessary ${{ }} wrappers
  • secret-exposure - Converts bracket notation to dot notation
  • unmasked-secret-exposure - Adds ::add-mask:: command for derived secrets
  • bot-conditions - Replaces spoofable bot conditions with safe alternatives
  • artipacked - Adds persist-credentials: false to checkout steps
  • unsound-contains - Converts string literal to fromJSON() array format
  • impostor-commit - Pins action to commit SHA
  • ref-confusion - Pins action to commit SHA when ref confusion is detected
  • obfuscation - Normalizes obfuscated paths and shell commands
  • known-vulnerable-actions - Updates vulnerable actions to patched versions
  • cache-poisoning - Removes unsafe ref from checkout step

OWASP CI/CD Top 10 Mapping #

OWASP RiskDescriptionsisakulint Rules
CICD-SEC-01Insufficient Flow Control Mechanismsimproper-access-control, bot-conditions
CICD-SEC-02Inadequate Identity and Access Managementpermissions, secret-exposure, unmasked-secret-exposure
CICD-SEC-03Dependency Chain Abuseknown-vulnerable-actions, archived-uses, impostor-commit, ref-confusion
CICD-SEC-04Poisoned Pipeline Execution (PPE)code-injection-, envvar-injection-, envpath-injection-, untrusted-checkout-, unsound-contains
CICD-SEC-05Insufficient PBAC (Pipeline-Based Access Controls)self-hosted-runners
CICD-SEC-06Insufficient Credential Hygienecredentials
CICD-SEC-07Insecure System Configurationtimeout-minutes, deprecated-commands
CICD-SEC-08Ungoverned Usage of 3rd Party Servicesaction-list, commit-sha, unpinned-images
CICD-SEC-09Improper Artifact Integrity Validationartifact-poisoning-, cache-poisoning-, artipacked
CICD-SEC-10Insufficient Logging and Visibilityobfuscation