Improve actions/ql/src/Security/CWE-829/UntrustedCheckoutX queries further iteration #21852
Open
knewbury01 wants to merge 7 commits into
Conversation
Contributor
Pull request overview
This PR iterates on the GitHub Actions CWE-829 “untrusted checkout” queries by refining user-facing metadata (query name / alert text), expanding helpfile guidance/resources, and updating accompanying change notes and query-test expectations.
Changes:
- Updated `actions/untrusted-checkout/high` query metadata (`@name`) and revised alert messages for the high/critical variants.
- Refined wording and added least-privilege guidance + an additional resource link in all three help files (medium/high/critical).
- Added new change-note entries and updated query-test `.expected` outputs to reflect the new alert messages.
Summary per file:
| File | Description |
|---|---|
| actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected | Updated expected results to match the revised alert message. |
| actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected | Updated expected results to match the revised alert message. |
| actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md | Help text tweaks + added least-privilege recommendation and an extra reference link. |
| actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql | Updated query @name metadata and the alert message string. |
| actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md | Help text tweaks + added least-privilege recommendation and an extra reference link. |
| actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql | Updated the alert message string. |
| actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md | Help text tweaks + added least-privilege recommendation and an extra reference link. |
| actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-metadata.md | New change note documenting query metadata changes. |
| actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-helpfile.md | New change note documenting helpfile wording/resource updates. |
| actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-alert.md | New change note documenting alert message changes. |
Copilot's findings
Comments suppressed due to low confidence (3)
actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md:168
- The resource bullet uses "least privileges"; this should be "least privilege" for correct terminology.
- Securing with least privileges: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md:168
- The resource bullet uses "least privileges"; this should be "least privilege" for correct terminology.
- Securing with least privileges: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md:168
- The resource bullet uses "least privileges"; this should be "least privilege" for correct terminology.
- Securing with least privileges: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
- Files reviewed: 10/10 changed files
- Comments generated: 7
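The guidance this PR adds to the help files (artifacts produced by the first, unprivileged workflow are untrusted; least privilege at both the workflow and the job level) as an added example. This is not code from the PR or from the CodeQL repository: both workflows are constructed, and the workflow names, the artifact name `pr-report`, the layout of `report.json` and the script name `post-comment.sh` are assumptions. The first consumer is the weak pattern the queries flag; the second never checks out the PR head, keeps the workflow-level token read-only, grants write scope to one job only, and treats the artifact as data that is validated and cross-checked before anything acts on it.

```yaml
# --- Weak consumer (constructed example): runs PR-controlled code with a write token ---
name: PR comment (weak)
on:
  workflow_run:
    workflows: ["Build PR"]        # the unprivileged pull_request workflow that uploads the artifact
    types: [completed]
permissions: write-all             # weak: every job in this privileged context gets write on everything
jobs:
  comment:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.workflow_run.head_sha }}   # checks out untrusted PR code in a privileged context
      - uses: actions/download-artifact@v4
        with:
          name: pr-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: bash ./post-comment.sh  # script comes from the PR head: the author now runs code with write-all

---
# --- Hardened consumer (constructed example): no untrusted checkout, least privilege, artifact as data ---
name: PR comment (hardened)
on:
  workflow_run:
    workflows: ["Build PR"]
    types: [completed]
permissions:
  contents: read                   # workflow-level default: read-only token for every job
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    permissions:
      actions: read                # required by download-artifact to read another run's artifact
      pull-requests: write         # the only write scope this job needs
    steps:
      # No actions/checkout of the PR head: only code from the default branch runs here.
      - uses: actions/download-artifact@v4
        with:
          name: pr-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          path: untrusted          # keep it out of the working tree's path and never execute it
      - name: Validate the artifact as data
        run: |
          # constructed checks: small, well-formed JSON with exactly the fields we consume
          test "$(stat -c %s untrusted/report.json)" -le 65536
          jq -e 'type == "object" and (.pr | type == "number") and (.summary | type == "string")' untrusted/report.json
      - name: Post comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          pr=$(jq -r '.pr' untrusted/report.json)
          # the PR number came from the artifact and is attacker-controlled: it must belong to the run that produced it
          head=$(gh pr view "$pr" --repo "$GITHUB_REPOSITORY" --json headRefOid -q .headRefOid)
          test "$head" = "$HEAD_SHA"
          body=$(jq -r '.summary' untrusted/report.json | head -c 2000)
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body "$body"
```

The hardened workflow still has to grant `actions: read`, because `actions/download-artifact@v4` uses the token to fetch an artifact from a different run; that is the point of job-level permissions: the elevated scopes live on the one job that needs them while the workflow-level default stays read-only. The cross-check against `workflow_run.head_sha` is what keeps an attacker from pointing the comment at an unrelated pull request.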
| @@ -1,5 +1,5 @@ | |||
| /** | |||
| * @name Checkout of untrusted code in privileged context without privileged context use | |||
| * @name Checkout of untrusted code in privileged context | |||
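Review bot: the new `@name` drops the clause "without privileged context use", which in the old name was the only thing that told a triager what separates this high-severity variant from the critical one (whether the privileged context is actually used after the checkout); with the qualifier gone the name no longer carries that distinction, so it has to be stated somewhere else. Either keep a short qualifier in the name, e.g. `Checkout of untrusted code in privileged context (privileged context not used)`, or make sure `@description` and the alert message say that the checked-out code is not combined with a privileged-context use. The per-file summary says this file's alert message string also changed, but that line is outside this hunk, so the combined name/message wording cannot be checked here.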
|
|
||
| The artifacts downloaded from the first workflow should be considered untrusted and must be verified. | ||
|
|
||
| Additionally, ensure that least privileges are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions). |
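Review bot: "must be verified" in the artifact sentence is not actionable for a help-file reader; say what verification of an artifact from the unprivileged run means: treat it as data only (never check it out, source it or execute it), validate its format and size before parsing it, and cross-check any identifier it carries, such as a PR number, against the run that triggered the workflow. The least-privilege sentence uses "least privileges"; Copilot flagged that phrase in the resources bullet at line 168, and it should be "least privilege" in this sentence as well.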
|
|
||
| The artifacts downloaded from the first workflow should be considered untrusted and must be verified. | ||
|
|
||
| Additionally, ensure that least privileges are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions). |
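Review bot: the least-privilege sentence names the levels (event triggers, workflow permissions, job permissions) but not the mechanism, so the reader is left to guess how to apply it; suggest showing the two lines that implement it, a top-level `permissions: contents: read` (or `permissions: {}`) and a job-level `permissions:` block that grants only the scope that job needs, and stating that the trigger (`workflow_run`, `pull_request_target`) is what makes the context privileged in the first place. "least privileges" should read "least privilege" here too.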
|
|
||
| The artifacts downloaded from the first workflow should be considered untrusted and must be verified. | ||
|
|
||
| Additionally, ensure that least privileges are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions). |
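Review bot: "the first workflow" assumes the reader already knows the two-workflow pattern, and since this paragraph is identical in all three help files it is worth naming it once: a `pull_request` workflow that runs in the unprivileged context and uploads artifacts, and a second `workflow_run` workflow that consumes them with elevated permissions. Without that, the artifact sentence reads as a non sequitur in the help for a query about checkouts. The same "least privileges" wording Copilot flagged appears in this file's sentence as well; use "least privilege".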
| --- | ||
| category: queryMetadata | ||
| --- | ||
| * Reversed adjustment of the name of `actions/untrusted-checkout/high`, but change the word "trusted" to "privileged". No newline at end of file |
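Review bot: the change note mixes tenses ("Reversed ... but change") and never states the resulting name, so a reader of the release notes cannot tell what the query is now called; suggest: Reversed the earlier rename of `actions/untrusted-checkout/high` and replaced "trusted" with "privileged"; the query is now named "Checkout of untrusted code in privileged context". The file also lacks a trailing newline, as do the other two change notes.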
| --- | ||
| category: fix | ||
| --- | ||
| * Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check. No newline at end of file |
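Review bot: "Clarified wording on in minor point" has a stray word (drop "on" or "in"), and the note describes the additions only generically ("one more listed resource", "one more recommendation"); name them, e.g. added a least-privilege recommendation for workflow and job permissions and a link to the GitHub Actions secure-use documentation, so the note matches what the diff adds. Missing trailing newline.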
| --- | ||
| category: minorAnalysis | ||
| --- | ||
| * Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`. No newline at end of file |
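Review bot: "Altered the alert message for clarity" gives a reader no way to recognise the affected alerts in their results; quote the new message (or its key phrase) for each of the two queries, especially since the change also required updating both `.expected` files. Missing trailing newline.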