# pull_request_target with PR head checkout
| Rule ID | |
|---|---|
| Category | security |
| Severity | critical |
Workflow triggers on pull_request_target and checks out the PR head ref. Because pull_request_target runs in the context of the base repository, with its secrets available, this grants untrusted code from the PR access to repository secrets.
## Detection
static_analysis — Checks field presence or value in the workflow YAML.
## Examples
Non-compliant:

```yaml
on:
  pull_request_target:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the untrusted PR head in a privileged context
          ref: ${{ github.event.pull_request.head.ref }}
      - run: npm test
```
Compliant:

```yaml
on:
  pull_request:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm test
```
Fix: Use the pull_request trigger instead of pull_request_target for CI checks. If pull_request_target is required, never check out the PR head ref in the same job as privileged operations.
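The following is an added example of how the static check described under Detection can be implemented; it is not the rule engine's own code. It operates on the workflow as a Python dict in the shape `yaml.safe_load` returns, so the two examples above are embedded as constructed, pre-parsed input. It goes slightly beyond the page's `head.ref` case and also matches `head.sha` and a `repository:` pointed at the PR head repo, since those select the same untrusted code. The rule identifier `PR_TARGET_HEAD_CHECKOUT` is a placeholder, not the real rule ID.

```python
"""Detect pull_request_target workflows that check out the PR head.

Added example of the static_analysis check; not the rule engine's own code.
"""
import re
from typing import Any

# Placeholder rule identifier (the page does not give the real one).
RULE_ID = "PR_TARGET_HEAD_CHECKOUT"

# Any expression that resolves to the PR head (ref, sha, repo.full_name, ...)
HEAD_EXPR = re.compile(r"github\.event\.pull_request\.head\.")


def triggers(workflow: dict) -> set:
    """Return the event names a workflow runs on.

    PyYAML follows YAML 1.1, where the bare key `on:` parses as the boolean
    True rather than the string "on", so both spellings are accepted. The
    value may be a string, a list, or a mapping of event -> filters.
    """
    on: Any = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def step_checks_out_pr_head(step: dict) -> bool:
    """True if the step is actions/checkout pointed at the PR head."""
    uses = step.get("uses")
    if not isinstance(uses, str) or not uses.startswith("actions/checkout"):
        return False
    with_ = step.get("with") or {}
    if not isinstance(with_, dict):
        return False
    for key in ("ref", "repository"):
        value = with_.get(key)
        if isinstance(value, str) and HEAD_EXPR.search(value):
            return True
    return False


def find_violations(workflow: dict) -> list:
    """One finding per step that checks out the PR head under pull_request_target."""
    if "pull_request_target" not in triggers(workflow):
        return []
    findings = []
    for job_name, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate((job or {}).get("steps") or []):
            if isinstance(step, dict) and step_checks_out_pr_head(step):
                findings.append({"rule": RULE_ID, "job": job_name, "step": idx,
                                 "with": step.get("with")})
    return findings


def scan_yaml_text(text: str) -> list:
    """Parse raw workflow YAML (needs PyYAML) and run the rule over it."""
    import yaml  # optional dependency, only for this helper
    return find_violations(yaml.safe_load(text))


# Constructed sample input: the page's non-compliant workflow as safe_load
# would return it (note the boolean True key standing in for `on`).
NON_COMPLIANT = {
    True: {"pull_request_target": None},
    "jobs": {"ci": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.ref }}"}},
        {"run": "npm test"},
    ]}},
}

# Constructed sample input: the page's compliant workflow.
COMPLIANT = {
    True: {"pull_request": None},
    "jobs": {"ci": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "npm test"},
    ]}},
}

if __name__ == "__main__":
    for name, wf in (("non-compliant", NON_COMPLIANT), ("compliant", COMPLIANT)):
        print(name, find_violations(wf))
```

Running the module prints one finding for the non-compliant workflow (job `ci`, step 0) and none for the compliant one. The `triggers` helper is the part most easily got wrong in practice: a checker that looks up the string key `"on"` in PyYAML output silently finds nothing and reports every workflow as clean.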