Improper Control of Dynamically-Managed Code Resources
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-913: Improper Control of Dynamically-Managed Code Resources |
| OWASP | A01:2017 - Injection |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
This GitHub Actions workflow is triggered by workflow_run and checks out code from an incoming pull request. A workflow_run job runs in the context of the base repository with access to its secrets, so untrusted PR code (for example build scripts in the checked-out commit) executes with those secrets available. This setup lets an attacker run their own code in your workflow environment.
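The following is an added illustration, not taken from the rule page or any real project: the first workflow shows the flagged pattern (workflow_run plus a checkout of the PR head followed by running its scripts), the second a hardened variant that checks out only the base repository and treats PR output as data. The workflow name "CI", the artifact name, the script path and the DEPLOY_TOKEN secret are placeholders assumed for the example.

```yaml
# Added example (not from the rule page). Vulnerable pattern: a workflow_run
# job checks out the pull request's head commit and then executes its build
# scripts, so untrusted PR code runs with the repository's secrets.
name: pr-followup (vulnerable pattern)
on:
  workflow_run:
    workflows: ["CI"]          # assumed name of the PR-triggered workflow
    types: [completed]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the PR head: attacker-controlled code in the base repo context
          ref: ${{ github.event.workflow_run.head_sha }}
      - run: npm ci && npm run build   # runs package.json scripts taken from the PR
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}   # placeholder secret, now exposed

---
# Hardened pattern: check out the base repository only (no PR ref), restrict
# the token, and consume PR output as an artifact that is parsed, never executed.
name: pr-followup (hardened pattern)
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
permissions:
  contents: read               # least privilege for GITHUB_TOKEN
jobs:
  report:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - uses: actions/checkout@v4            # no ref: default branch of the base repo
      - uses: actions/download-artifact@v4   # artifact produced by the "CI" run
        with:
          name: test-results                 # assumed artifact name
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          path: test-results
      # Trusted script from the base branch; the artifact is input data only.
      - run: ./scripts/publish-report.sh test-results   # assumed script path
```

Scanning for `on: workflow_run` together with a checkout whose `ref` is derived from `github.event.workflow_run` is a practical way to locate the vulnerable pattern across a repository's workflows.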
Impact
If exploited, an attacker could steal sensitive repository secrets (such as API keys or deployment credentials) by submitting a malicious pull request, potentially leading to unauthorized access, code or data leaks, and compromise of your CI/CD pipeline or production systems.