
Fill the gap between poutine and semgrep rules

Status: Open. fproulx-boostsecurity opened this issue 1 year ago • 3 comments

  • https://github.com/semgrep/semgrep-rules/blob/develop/yaml/github-actions/security/allowed-unsecure-commands.yaml
  • https://github.com/semgrep/semgrep-rules/blob/develop/yaml/github-actions/security/curl-eval.yaml
  • https://github.com/contributor-assistant/github-action/blob/master/.github/workflows/notify-about-new-pr-via-slack.yml#L17
  • https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_run

fproulx-boostsecurity · May 02 '24 19:05

I have added workflow_run scenario here https://github.com/messypoutine/gravy-overflow/blob/main/.github/workflows/level1.yml#L34-L43

fproulx-boostsecurity · May 08 '24 20:05

Create `curl | bash` rule in experimental repo

fproulx-boostsecurity · May 21 '24 16:05

Research epic on `deno run`, `curl | X`, `go run x.com/cmd/some@main`, `npx`, etc.

  • `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)`

fproulx-boostsecurity · May 21 '24 16:05
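As an added illustration of the detection gap discussed in this thread (not poutine's or semgrep's own code), the script below scans workflow text for the patterns the semgrep rules and the research epic above cover: `ACTIONS_ALLOW_UNSECURE_COMMANDS`, `curl | sh`-style pipes, `bash <(curl ...)` process substitution, `npx`/`deno run`/`go run` steps, and the `workflow_run` trigger. The regexes are a rough line-based approximation written for this example, not the semgrep rules themselves, and the sample workflow is constructed.

```python
import re

# Constructed sample workflow containing each pattern the thread lists.
SAMPLE_WORKFLOW = """\
name: ci
on:
  workflow_run:
    workflows: ["build"]
    types: [completed]
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - run: curl -sSL https://example.invalid/install.sh | bash
      - run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
      - run: npx some-tool@latest
      - run: echo "safe step"
"""

# (finding name, regex) pairs; approximations of the rules, not the rules themselves.
RULES = [
    ("allowed-unsecure-commands",
     re.compile(r"ACTIONS_ALLOW_UNSECURE_COMMANDS[ \t]*:[ \t]*(true|1)\b", re.I)),
    ("curl-pipe-shell",
     re.compile(r"\b(curl|wget)\b[^|\n]*\|[ \t]*(sudo[ \t]+)?(ba|z|da)?sh\b")),
    ("curl-process-substitution",
     re.compile(r"\b(ba|z)?sh[ \t]+<\([ \t]*(curl|wget)\b")),
    ("remote-code-runner",
     re.compile(r"^[ \t]*-[ \t]*run:[ \t]*(npx|deno run|go run)\b", re.M)),
    ("workflow_run-trigger",
     re.compile(r"^[ \t]+workflow_run[ \t]*:", re.M)),
]


def scan_workflow(text):
    """Return (finding name, 1-based line number) pairs sorted by line."""
    findings = []
    for name, pattern in RULES:
        for match in pattern.finditer(text):
            line_no = text.count("\n", 0, match.start()) + 1
            findings.append((name, line_no))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for name, line_no in scan_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {name}")
```

A real scanner should parse the YAML and walk `on`, `env` and each step's `run` field rather than regex the raw text, since multi-line `run: |` blocks and quoting defeat line-based matching.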

Closed when we added insecure command

fproulx-boostsecurity · Jul 03 '24 17:07