Hi —
Automated security scan flagged a pull_request_target workflow in your repo that checks out the PR's head SHA / ref. This is the classic GitHub Actions RCE pattern: an external contributor can submit a PR that adds arbitrary code, and the workflow runs that code with access to your repository secrets.
I'm not posting the specific file/line here for responsible-disclosure reasons.
Please contact me at Raffa@Lictor-AI.com and I'll send the exact workflow file + line that does the checkout + a 2-line patch.
The fix is usually one of:
- Switch to pull_request (no secret access)
- Keep pull_request_target but check out the base SHA only, never the head
- Add a permissions: block + restrict the secrets the workflow can read
References:
A note: this came from an automated scan I manually verified before reaching out. If we're wrong, please reply and we'll close out.
— Raffa
Lictor AI · https://lictorai.com
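The pattern the message describes can be checked mechanically: a workflow is at risk only when a pull_request_target trigger is combined with a checkout step whose ref: resolves to the PR head. The scanner below is an added example written for this page, not Lictor AI's scanner or anything from the reported repository. It assumes conventional two-space YAML indentation, treats any step whose uses: points at actions/checkout as a checkout, and treats github.event.pull_request.head.sha, github.event.pull_request.head.ref, github.head_ref and refs/pull/... as head refs. The three sample workflows are constructed for the example: one vulnerable, one with the "base only" fix, and one on the plain pull_request trigger, which checks out the head but has no secret access.

```python
"""Heuristic scanner for the pull_request_target + head-checkout pattern.

Added example; assumptions (not from the original message):
  - workflows use conventional two-space YAML indentation,
  - a checkout step is any step whose `uses:` points at actions/checkout,
  - a checkout is a "head" checkout if its `ref:` resolves to the PR head.
"""
import re
from dataclasses import dataclass, field

# Constructed sample workflows (not from any real repository).
VULNERABLE = """\
name: PR checks
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

HARDENED = """\
name: PR checks
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # no ref: checks out the base commit
      - run: npm install && npm test
"""

SAFE_TRIGGER = """\
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
"""

# `on: [push, pull_request_target]` or a `pull_request_target:` mapping key.
TRIGGER_RE = re.compile(
    r"^(?:on:.*\bpull_request_target\b|\s*-?\s*pull_request_target\s*:?\s*(?:#.*)?)$",
    re.M,
)
CHECKOUT_RE = re.compile(r"^\s*(?:-\s*)?uses\s*:\s*[\"']?actions/checkout(?:@|[\"']|\s|$)")
REF_KEY_RE = re.compile(r"^\s*ref\s*:")
HEAD_REF_RE = re.compile(
    r"github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref|refs/pull/"
)


@dataclass
class Finding:
    line: int   # 1-based line number of the offending ref:
    text: str


@dataclass
class Assessment:
    pull_request_target: bool
    head_checkouts: list = field(default_factory=list)

    @property
    def vulnerable(self) -> bool:
        # Only the combination matters: pull_request with a head checkout runs
        # without secrets, and pull_request_target checking out the base is fine.
        return self.pull_request_target and bool(self.head_checkouts)


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_head_checkouts(text: str) -> list:
    """Return every checkout step whose ref: points at the PR head."""
    lines = text.splitlines()
    findings = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if not CHECKOUT_RE.search(line):
            i += 1
            continue
        # Keys of this step sit after "- " on a bullet line, or at the line's own
        # column when uses: follows another key such as name:.
        key_indent = _indent(line) + (2 if line.lstrip().startswith("-") else 0)
        j = i + 1
        while j < len(lines):
            nxt = lines[j]
            if nxt.strip():
                ind = _indent(nxt)
                # A dedent or a new bullet at the key column ends this step.
                if ind < key_indent or (ind == key_indent and nxt.lstrip().startswith("-")):
                    break
                if REF_KEY_RE.search(nxt) and HEAD_REF_RE.search(nxt):
                    findings.append(Finding(j + 1, nxt.strip()))
            j += 1
        i = j
    return findings


def assess(text: str) -> Assessment:
    return Assessment(bool(TRIGGER_RE.search(text)), find_head_checkouts(text))


if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE), ("hardened", HARDENED), ("safe trigger", SAFE_TRIGGER)]:
        a = assess(wf)
        print(f"{name}: pull_request_target={a.pull_request_target} "
              f"head_checkouts={[f.line for f in a.head_checkouts]} vulnerable={a.vulnerable}")
```

Run it against a real .github/workflows directory by reading each file and calling assess(); a True vulnerable result is the signal to apply one of the three fixes listed above, and the Finding line number points at the ref: to remove. The indentation heuristic is deliberately simple; a production scanner should parse the YAML instead.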