feat(untrusted_checkout_exec): account for actions/checkout allow-unsafe-pr-checkout#442
Draft
fproulx-boostsecurity wants to merge 1 commit into
…afe-pr-checkout

GitHub's actions/checkout now refuses to fetch untrusted fork PR code by default (v7.0.0, backported to v4/v5/v6 on 2026-07-16) unless allow-unsafe-pr-checkout: true is set. Suppress the finding when the checkout is on a fixed version with the safe default in effect, scoped to the events the guard actually covers (pull_request_target and PR-triggered workflow_run).

- models: capture `with: allow-unsafe-pr-checkout` (string; absent/true/false/expr)
- opa/rego/external/checkout_unsafe.rego: frozen set of pre-fix checkout SHAs (default-allow bad-set) + backport_floor_date; offline, works with analyze_local
- utils: resolver (SHA set membership; tags via major/date gate) + guard helpers; new raw-`git` untrusted-checkout detection branch (git fetch pull/N/head, git checkout of a head ref) — never suppressed, like gh pr checkout
- rule: event-aware suppression; same-step scan for gh/git run-block checkouts
- scanner: inject scan_time into findings eval (POUTINE_SCAN_TIME overridable)
- regen tool (build-tag checkout_unsafe_shas) + `make update-checkout-shas`
- tests: fire/suppress matrix incl. git vectors and before/after backport; resolver eval matrix; deterministic scan clock pinned for tests/snapshots

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Context

GitHub changed actions/checkout defaults: from v7.0.0 (9c091bb…), and backported to v4/v5/v6 on 2026-07-16, checkout refuses to fetch untrusted fork PR code unless `allow-unsafe-pr-checkout: true` is set. When that protection is in effect, the untrusted code never lands, so `untrusted_checkout_exec` would become a false positive. This makes the rule aware of the change — suppressing the finding only where the guard actually applies, while keeping coverage everywhere it doesn't.

What it does

Suppresses the finding for an `actions/checkout@<ref>` step only when all hold:

- v7+ / `main` / a SHA not in the frozen pre-fix set / v4–v6 once the backport date passes;
- `allow-unsafe-pr-checkout` is not enabled (a `${{ … }}` expression counts as possibly-true → not suppressed);
- `pull_request_target`, or `workflow_run` whose parent is `pull_request`/`pull_request_target`.

Still fires for: old/SHA-pinned vulnerable versions, `allow-unsafe-pr-checkout: true`, uncovered events (issues/issue_comment/workflow_call), and untrusted checkout via `gh pr checkout` or raw `git` in `run:` blocks (explicitly out of scope of GitHub's change — and newly detected here).

Approach

- `with: allow-unsafe-pr-checkout` (string, preserves absent/true/false/expr).
- `opa/rego/external/checkout_unsafe.rego`: frozen, embedded set of pre-fix checkout commit SHAs (default-allow bad-set) + `backport_floor_date`. Fully offline (`analyze_local`).
- `git` untrusted-checkout detection branch (never suppressed).
- `gh`/`git` run-block checkouts (also closes a pre-existing same-step gap for `gh pr checkout`).
- `scan_time` into the findings eval (`POUTINE_SCAN_TIME` overridable for reproducible / pinned scans).
- Regen tool (build-tag `checkout_unsafe_shas`) + `make update-checkout-shas`, with anti-gap assertions; idempotent against the committed data.

Tests

- `TestUntrustedCheckoutGuard` — full fire/suppress matrix incl. git vectors and before/after the backport date.
- `TestCheckoutGuardResolution` — 19-case resolver matrix.
- messypoutine: 0 deltas attributable to this change (no findings suppressed, no new git false positives).

Rollout note ⚠️

The bad-set is complete only after the v4/v5/v6 backports land. Before merging post-2026-07-16: add the v4/v5/v6 backport fix-commit SHAs to `fixCommits` in the regen tool and run `make update-checkout-shas`. Until then the date-gate correctly keeps v4/v5/v6 firing. Draft pending that data freeze.

🤖 Generated with Claude Code
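As an added illustration (not poutine's own code), the suppression decision described in "What it does" as a stand-alone Go function: the `CheckoutStep` type, the helper names and the placeholder pre-fix SHA are assumptions, and the real bad-set is the frozen list in checkout_unsafe.rego, which is not on this page.

```go
package main

import (
	"strconv"
	"strings"
	"time"
)

// CheckoutStep is a constructed, simplified view of a uses: actions/checkout@<ref> step.
type CheckoutStep struct {
	Ref         string // "v7", "v4.3.1", "main", or a 40-hex commit SHA
	AllowUnsafe string // raw with.allow-unsafe-pr-checkout value: "", "true", "false" or "${{ ... }}"
}
// preFixSHAs stands in for the frozen pre-fix set (placeholder value; the real set is in the rego).
var preFixSHAs = map[string]bool{"0000000000000000000000000000000000000000": true}
// backportFloor is the date the v4/v5/v6 backports landed, per the PR description.
var backportFloor = time.Date(2026, 7, 16, 0, 0, 0, 0, time.UTC)

// checkoutIsFixed reports whether the referenced checkout ships the safe default.
func checkoutIsFixed(ref string, scanTime time.Time) bool {
	if ref == "main" {
		return true
	}
	if len(ref) == 40 { // SHA pin: default-allow unless it is a known pre-fix commit
		return !preFixSHAs[ref]
	}
	major, err := strconv.Atoi(strings.SplitN(strings.TrimPrefix(ref, "v"), ".", 2)[0])
	if err != nil {
		return false // unparseable tag: keep firing
	}
	if major >= 7 {
		return true
	}
	// v4-v6 count as fixed only once the backport date has passed
	return major >= 4 && !scanTime.Before(backportFloor)
}

// eventCovered: the guard only protects pull_request_target and PR-triggered workflow_run.
func eventCovered(event, workflowRunParent string) bool {
	return event == "pull_request_target" || (event == "workflow_run" &&
		(workflowRunParent == "pull_request" || workflowRunParent == "pull_request_target"))
}

// Suppress is true only when every condition holds; a ${{ }} expression counts as possibly-true.
func Suppress(s CheckoutStep, event, workflowRunParent string, scanTime time.Time) bool {
	allowOff := s.AllowUnsafe == "" || s.AllowUnsafe == "false"
	return allowOff && eventCovered(event, workflowRunParent) && checkoutIsFixed(s.Ref, scanTime)
}

func main() { println(Suppress(CheckoutStep{Ref: "v4"}, "pull_request_target", "", time.Now())) }
```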