policy name: runner_group_can_be_used_by_public_repositories
severity: HIGH
Workflows from public repositories are allowed to run on GitHub Hosted Runners. When using GitHub Hosted Runners, it is recommended to allow only workflows from private repositories to run on these runners to avoid being vulnerable to malicious actors using workflows from public repositories to break into your private network. In case of inadequate security measures implemented on the hosted runner, malicious actors could fork your repository and then create a pwn-request (a pull-request from a forked repository to the base repository with malicious intentions) that create a workflow that exploits these vulnerabilities and move laterally inside your network.
Hosted runners are usually part of the organization’s private network and can be easily misconfigured. If the hosted runner is insecurely configured, any GitHub user could: