-
Notifications
You must be signed in to change notification settings - Fork 1
Update Best Practices badge to dynamic JSON #4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
kpj2006
wants to merge
2
commits into
AOSSIE-Org:main
Choose a base branch
from
kpj2006:main
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+3
−3
Open
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🌐 Web query:
gitleaks-action v3 pull_request_target supported commit scanning checkout ref behavior💡 Result:
The gitleaks-action v3, like its predecessor v2, is primarily designed for the pull_request and push events [1][2]. There is no specialized support or specific behavior implemented for the pull_request_target event [3]. When using gitleaks-action within a GitHub Actions workflow, the action relies on the repository state established by the preceding actions/checkout step [1][2]. The behavior regarding commit scanning is as follows: 1. Checkout Requirement: To properly scan commits, you must use actions/checkout with fetch-depth: 0 [1][4]. This ensures the full git history is available for gitleaks to perform its analysis [1][2]. 2. Scan Scope: For pull_request events, gitleaks-action automatically calculates the commit range (typically using baseRef^..headRef) to scan only the changes introduced by the pull request [5]. 3. pull_request_target behavior: While you can technically configure a workflow to run on pull_request_target, the action does not have explicit logic to handle the nuances of that event type [3]. Users who previously requested support for pull_request_target determined that it was not necessary for typical secret scanning use cases [3]. If you choose to use pull_request_target, you must manually manage the checkout ref (e.g., using with: ref: ${{ github.event.pull_request.head.sha }} in actions/checkout) to ensure the runner is scanning the actual pull request code rather than the base branch, as the default behavior of pull_request_target is to check out the base branch of the pull request. Note that running security-sensitive actions on pull_request_target requires caution due to the elevated permissions associated with that event [3].
Citations:
pull_request_targetgitleaks/gitleaks-action#94Switching to
pull_request_targetbreaks the scan and exposes secrets to fork PRs.Two distinct problems with this trigger change, both confirmed by gitleaks-action v3 behavior:
Scan will miss PR contents. gitleaks-action v3 does not have specialized support for
pull_request_targetand relies on the checkout step to establish the scanning scope. Forpull_request, it automatically calculates the commit range (baseRef^..headRef). Forpull_request_target, it defaults to scanning whatever ref is checked out—which is the base branch whenactions/checkouthas no explicitrefparameter (as here). Without manually settingref: ${{ github.event.pull_request.head.sha }}, the PR head commits are never checked out locally, so gitleaks scans only base-branch code, defeating the purpose of PR secret scanning.Secrets now reachable from fork PRs.
pull_request_targetexposes repository secrets (GITLEAKS_LICENSE, write-scopedGITHUB_TOKENat lines 18–19) to runs triggered from forks. While scanning a file does not execute untrusted code, the elevated permissions and secret availability create an unnecessary attack surface.The gitleaks use case does not justify
pull_request_target. Unlikedanger.yml(which needs write permissions to post comments), gitleaks only needs to read the PR diff and requires no elevated permissions. Keeppull_requestinstead.🤖 Prompt for AI Agents
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, they are not exposed to contributors from forked PRs because the workflow only checks out the base repository code and does not execute untrusted code from the fork ig
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kpj2006, that point is partially correct—pull_request_targetdoes use the base branch's workflow file, not the fork's version, so a fork contributor cannot modify the workflow file itself to exfiltrate secrets. That prevents one specific attack vector.However, two issues still remain:
Secrets ARE in the runner environment. Even though untrusted code isn't checked out and executed,
GITLEAKS_LICENSEand the write-scopedGITHUB_TOKEN(whichpull_request_targetgrants, unlike the read-only token underpull_request) are injected into every run triggered by a fork PR. If any maintainer later adds an innocent-lookingref: ${{ github.event.pull_request.head.sha }}to the checkout step—a very common pattern—the workflow would immediately execute fork code with those elevated credentials. Usingpull_requesteliminates this latent risk entirely, since it never grants secrets or write permissions to fork-triggered runs.The scan is broken regardless. This is the more direct, undisputed problem. Without an explicit
ref:override in theactions/checkoutstep,pull_request_targetchecks out the base branch, not the PR head commits. gitleaks-action v3 will scan only base-branch code, so any secrets introduced in a PR go completely undetected. The sole purpose of having gitleaks onpull_requestis to catch secrets in incoming changes—this configuration defeats that entirely.Reverting to
pull_request(as in the original file) fixes both issues cleanly, since that event: (a) always scans the PR head commits, and (b) runs with a read-only, secretless token for fork PRs.