Dangerous GitHub Actions trigger

Metadata

ID: github-actions/dangerous-trigger

Language: YAML

Severity: Warning

Category: Security

Description

Workflows triggered by pull_request_target run in the context of the base repository, not the fork: they receive the repository's secrets and a GITHUB_TOKEN that can have write access to the repository the PR is targeting, and they fire for pull requests opened from forks. This is a dangerous trigger that must be used with caution. For that reason GitHub runs these workflows using the workflow file and the default checkout from the base branch, rather than the code from the PR.

If you use this trigger you must not check out and run the code of the PR (for example actions/checkout with ref: ${{ github.event.pull_request.head.sha }} followed by a build, test or lint step). Anything the PR controls, such as a package.json script, a Makefile target or a pre-commit hook, then executes with access to your secrets and to the write-capable token, so anyone who can open a pull request can get their own code to run in that privileged context.

This type of attack is sometimes referred to as “pwn request”.

Note that if your workflow uses the workflow_call trigger, it is a reusable workflow that any other workflow in the repository can call, including one triggered by pull_request_target. A reusable workflow runs with the caller's event context and, when the caller passes secrets: inherit, with the caller's secrets, so it carries the same risk even though it never declares pull_request_target itself.
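
The following is an added example and is not part of the original rule page or of any project's workflows. It shows the "pwn request" shape the description warns about (a pull_request_target workflow that checks out and executes PR code) next to a safe split into an unprivileged test workflow and a privileged workflow that never touches PR code. The file names, the npm commands, the NPM_TOKEN secret and the needs-review label are assumptions made for illustration.

```yaml
# Added example, not from the original page. File names, npm commands, the
# NPM_TOKEN secret and the label name are assumptions for illustration.

# --- .github/workflows/vulnerable.yml (the pattern to avoid) ---
name: CI (vulnerable)
on:
  pull_request_target:
    # privileged: secrets and a write-capable GITHUB_TOKEN, fires for fork PRs
    types: [opened, synchronize, reopened]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the PR author's commit instead of the base branch.
          ref: ${{ github.event.pull_request.head.sha }}
      # package.json is now attacker-controlled, so its "test" script or a
      # postinstall hook runs with NPM_TOKEN in the environment and with a
      # token that can push to the repository.
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
---
# --- .github/workflows/pr-test.yml (unprivileged: runs the PR's code) ---
name: PR test
on: pull_request   # fork PRs get no secrets and a read-only GITHUB_TOKEN
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Default checkout here is the PR merge commit; executing it is fine
      # because nothing sensitive is reachable from this job.
      - uses: actions/checkout@v4
      - run: npm ci && npm test
---
# --- .github/workflows/pr-label.yml (privileged: never touches PR code) ---
name: PR label
on:
  pull_request_target:
    types: [opened, synchronize, reopened]
permissions:
  pull-requests: write   # only what this job needs; everything else stays unset
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      # No actions/checkout at all: the only code that runs is this inline
      # script from the base branch, and it treats the PR as data (its number),
      # never as something to build or execute.
      - uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.addLabels({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              labels: ['needs-review'],
            });
```

If a pull_request_target job genuinely needs files from the PR (for example to post a diff comment), check them out into a separate directory with persist-credentials: false, set an explicit permissions block with the minimum the job needs, and read those files only as data; do not run npm, make, pip, pre-commit or any other tool whose behaviour the PR can change.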

Learn More

Non-Compliant Code Examples

name: PR

on:
  pull_request_target:
    paths-ignore:
    - datadog_checks_base/datadog_checks/**
    - datadog_checks_dev/datadog_checks/dev/*.py

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref }}
  cancel-in-progress: true

jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit

Compliant Code Examples

name: PR

on:
  pull_request:
    paths-ignore:
    - datadog_checks_base/datadog_checks/**
    - datadog_checks_dev/datadog_checks/dev/*.py

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.head_ref }}
  cancel-in-progress: true

jobs:
  test:
    uses: ./.github/workflows/pr-test.yml
    with:
      repo: core
    secrets: inherit