GitHub Actions Should Be Restricted To Selected Repositories
policy name: all_repositories_can_run_github_actions
severity: MEDIUM
Description
When the organization-level Actions policy is set to “All repositories”, every repository in the
organization, including one that any member has just created, is allowed to run GitHub Actions
workflows. Whoever can push a workflow file to such a repository can execute arbitrary code on the
organization's runners. This could enable malicious activity such as accessing organization secrets
that have been made available to all repositories, crypto-mining, etc.
Threat Example(s)
This misconfiguration could lead to the following attack:
- Prerequisite: the attacker is a member of your GitHub organization and is allowed to create
repositories in it
- Attacker creates a new repository in the organization
- Attacker adds a workflow file that reads every organization secret available to the repository and
exfiltrates it (for example, by posting it to a server the attacker controls)
- Attacker triggers the workflow
- Attacker receives the organization secrets and uses them maliciously
Remediation
- Make sure you are an organization owner (admin permissions on the organization)
- Go to the organization's settings page
- Enter the “Actions - General” tab
- Under “Policies”
- Change “All repositories” to “Selected repositories” and select only the repositories that should
be able to run actions
- Click “Save”
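The same check and fix can be done against the GitHub REST API instead of the web UI. The following is an added example (not part of this policy page or of the Legitify code base): it evaluates the policy on the JSON body returned by GET /orgs/{org}/actions/permissions, and builds the two PUT requests that switch the organization to “Selected repositories” and set the allowed list. The organization name `acme`, the repository IDs and the sample API responses are constructed for illustration; the token used for the live calls must carry the `admin:org` scope.

```python
"""Check and remediate an organization's GitHub Actions repository policy.

Added example, not Legitify's own code. It uses the documented REST endpoints
  GET /orgs/{org}/actions/permissions
  PUT /orgs/{org}/actions/permissions
  PUT /orgs/{org}/actions/permissions/repositories
The organization name, repository IDs and sample responses below are constructed.
"""
import json
import os
from urllib.request import Request, urlopen

API = "https://api.github.com"
POLICY = "all_repositories_can_run_github_actions"

# Constructed sample bodies of GET /orgs/{org}/actions/permissions.
SAMPLE_VULNERABLE = {"enabled_repositories": "all", "allowed_actions": "all"}
SAMPLE_FIXED = {
    "enabled_repositories": "selected",
    "selected_repositories_url": f"{API}/orgs/acme/actions/permissions/repositories",
    "allowed_actions": "selected",
}


def evaluate_actions_policy(permissions: dict) -> dict:
    """Return a finding for the policy given the permissions JSON.

    `enabled_repositories` is one of "all", "none" or "selected". Only "all"
    violates the policy: with "none" Actions is disabled org-wide, and with
    "selected" only explicitly allowed repositories may run workflows.
    """
    enabled = permissions.get("enabled_repositories")
    return {
        "policy": POLICY,
        "severity": "MEDIUM",
        "violated": enabled == "all",
        "enabled_repositories": enabled,
    }


def remediation_requests(org: str, selected_repository_ids: list) -> list:
    """Build the API calls that apply the remediation, as (method, path, body).

    The first call flips the org policy to "selected"; the second replaces the
    allow-list with the given repository IDs (numeric repo IDs, not names).
    Returned as data so they can be reviewed before being sent.
    """
    return [
        ("PUT", f"/orgs/{org}/actions/permissions",
         {"enabled_repositories": "selected"}),
        ("PUT", f"/orgs/{org}/actions/permissions/repositories",
         {"selected_repository_ids": list(selected_repository_ids)}),
    ]


def _call(method: str, path: str, token: str, body=None):
    """Minimal authenticated call to the GitHub API; returns parsed JSON or None."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(API + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urlopen(req) as resp:  # PUT endpoints above answer 204 with no body
        raw = resp.read()
    return json.loads(raw) if raw else None


def audit_and_fix(org: str, token: str, allowed_repo_ids: list, fix: bool = False) -> dict:
    """Fetch the live policy, evaluate it and optionally apply the remediation."""
    finding = evaluate_actions_policy(_call("GET", f"/orgs/{org}/actions/permissions", token))
    if finding["violated"] and fix:
        for method, path, body in remediation_requests(org, allowed_repo_ids):
            _call(method, path, token, body)
    return finding


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print(evaluate_actions_policy(SAMPLE_VULNERABLE))
    print(evaluate_actions_policy(SAMPLE_FIXED))
    # Live run (assumed env vars): GITHUB_TOKEN with admin:org scope, GITHUB_ORG.
    if os.environ.get("GITHUB_TOKEN") and os.environ.get("GITHUB_ORG"):
        print(audit_and_fix(os.environ["GITHUB_ORG"], os.environ["GITHUB_TOKEN"],
                            allowed_repo_ids=[], fix=False))
```

Switching to “selected” with an empty allow-list disables Actions for every repository in the organization, so populate `allowed_repo_ids` with the numeric IDs of the repositories that legitimately need workflows before passing `fix=True`.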