Merge POC code into main #2

Merged: jkorany merged 7 commits into main from poc on Dec 19, 2025
jkorany (Collaborator) commented Dec 19, 2025

Aikido findings page: https://app.aikido.dev/repositories/1319440

Note: Aikido is set to scan the poc branch; this will get updated to main post-merge.

@jkorany jkorany marked this pull request as ready for review December 19, 2025 20:27
DryRun Security (@dryrunsecurity)

This pull request contains a GitHub Actions workflow issue where actions/checkout is pinned to a mutable tag (actions/checkout@v4) instead of a specific commit SHA, the job runs repository code on pull_request which can be risky for forked contributions, and the workflow lacks an explicit minimal permissions section—recommend pinning checkout to a SHA, avoid running untrusted code or restrict privileges, and set explicit least-privilege permissions.

Code Policy: GitHub Action Policy

Policy: GitHub Action Policy

Result: Identified GitHub Actions Risks

- Line 20 (.github/workflows/main.yml): Using actions/checkout@v4 pinned to a mutable tag instead of a specific commit SHA. This can allow supply-chain attacks if the tag is moved or compromised. Recommendation: Pin to a specific commit SHA for actions/checkout.
- Line 27 (.github/workflows/main.yml): The workflow runs repository code via bundle exec rake on pull_request events. While no secrets are used and pull_request is safer than pull_request_target, executing code from forks is inherently risky. Recommendation: Maintain least privilege and avoid exposing secrets to this job; consider setting explicit minimal permissions.
- General (workflow lacks explicit permissions): No explicit permissions: section is set. Default GITHUB_TOKEN permissions may be broader than necessary (especially on push). Recommendation: Set explicit minimal permissions (e.g., permissions: contents: read) to limit potential abuse.

No usage of pull_request_target, no secrets exposure in steps, and ruby/setup-ruby is correctly pinned to a commit SHA, which are positive findings.

      - uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@ed55d55e820a01da7d3e4863a8c51a61d73c3228
        with:

All finding details can be found in the DryRun Security Dashboard.

krippee (Contributor) commented Dec 19, 2025

> This pull request contains a GitHub Actions workflow issue where actions/checkout is pinned to a mutable tag (actions/checkout@v4) instead of a specific commit SHA, the job runs repository code on pull_request which can be risky for forked contributions, and the workflow lacks an explicit minimal permissions section—recommend pinning checkout to a SHA, avoid running untrusted code or restrict privileges, and set explicit least-privilege permissions.

I feel like this is a valid concern, given this will be a public repo. It might be worth fixing before we switch it over.

@krippee krippee requested a review from a team December 19, 2025 20:51
@jkorany jkorany merged commit 7a50bcb into main Dec 19, 2025
9 checks passed
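
An added example, not part of the pull request or of the DryRun Security output: a Ruby check for the three risks the finding lists (an action pinned to a mutable tag, no explicit `permissions:` section, repository code run on `pull_request`). The sample workflow is constructed around the quoted lines; the workflow name, job id, runner and the `audit_workflow` helper are assumptions.

```ruby
require "yaml"

# Constructed sample that mirrors the flagged lines; not the repository's real main.yml.
SAMPLE_WORKFLOW = <<~YAML
  name: CI
  on: [push, pull_request]
  jobs:
    test:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - name: Set up Ruby
          uses: ruby/setup-ruby@ed55d55e820a01da7d3e4863a8c51a61d73c3228
        - run: bundle exec rake
YAML

FULL_SHA = /\A\h{40}\z/ # a full commit SHA, the only immutable action ref

# Returns [check, job_id, detail] triples for the three risks named in the finding.
def audit_workflow(yaml_text)
  wf = YAML.safe_load(yaml_text)
  wf = {} unless wf.is_a?(Hash)
  findings = []
  # Psych follows YAML 1.1 and reads the bare key `on` as boolean true.
  triggers = wf.key?("on") ? wf["on"] : wf[true]
  events = (triggers.is_a?(Hash) ? triggers.keys : Array(triggers)).map(&:to_s)
  pr_triggered = !(events & %w[pull_request pull_request_target]).empty?
  jobs = wf["jobs"].is_a?(Hash) ? wf["jobs"] : {}
  jobs.each do |job_id, job|
    next unless job.is_a?(Hash)
    steps = Array(job["steps"]).grep(Hash)
    steps.each do |step|
      uses = step["uses"]
      next unless uses.is_a?(String)
      next if uses.start_with?("./", "docker://") # local actions and images: out of scope
      ref = uses.split("@", 2)[1]
      findings << [:unpinned_action, job_id, uses] unless ref&.match?(FULL_SHA)
    end
    unless wf.key?("permissions") || job.key?("permissions")
      findings << [:no_explicit_permissions, job_id, nil]
    end
    run_step = steps.find { |s| s["run"] }
    findings << [:runs_code_on_pr, job_id, run_step["run"]] if pr_triggered && run_step
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit_workflow(SAMPLE_WORKFLOW).each { |f| puts f.compact.join("\t") }
end
```

Pinning the checkout action and adding `permissions: contents: read` clears the first two checks; the third still reports, since the job continues to run repository code on `pull_request`.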