feat(CheckoutWithStaticCredentials): flag actions/checkout use with static credentials #7
Merged
Conversation
Contributor (Author): /task SEC-385 does this work?
Copilot (Contributor) reviewed:
Pull Request Overview
This PR implements a new security rule to detect the use of static credentials with actions/checkout. The rule identifies potentially risky patterns where static GitHub Personal Access Tokens (PATs) or SSH keys are used for repository checkout operations.
Key changes:
- Adds detection for static credentials in multiple contexts (secrets, variables, environment variables, hardcoded values)
- Implements comprehensive test coverage for all credential detection scenarios
- Provides detailed documentation explaining security risks and remediation strategies
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
|---|---|
| lib/claws/rule/checkout_with_static_credentials.rb | Core rule implementation with regex patterns to detect static credentials in checkout actions |
| spec/claws/rule/checkout_with_static_credentials_spec.rb | Comprehensive test suite covering all credential detection scenarios |
| lib/claws/base_rule.rb | Adds get_key helper function for accessing hash values safely |
| lib/claws/rule.rb | Registers the new rule in the module system |
| README.md | Documents the rule's purpose, security rationale, and remediation strategies |
Contributor (Author): /no-platform
rdadlani approved these changes (Aug 26, 2025) and left a comment:
domain lgtm! I'm gonna spend some time later understanding claws better overall :)
This PR adds a detection for actions/checkout being used with static credentials. Static credentials are risky because they are difficult to keep track of or rotate in the event of an incident, and even worse, they are typically entirely unauditable. That means during an incident where these credentials may have been leaked (such as in a supply chain attack with a malicious GitHub Action in your job) you will not be able to determine if the credential was misused. Even if stored via secrets, static credentials are still just as risky.
This flags
The linked documentation includes messaging on why this is bad as well as several strategies for remediating.
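As an added illustration of the kind of check this PR describes, covering both the credential contexts listed in the review overview (secrets, variables, environment expressions, hardcoded values) and the risk described in the PR body: a standalone Ruby scanner written for this page, not claws' own rule implementation, whose internals are not shown here. It walks a workflow's jobs, finds actions/checkout steps, and classifies the `token` and `ssh-key` inputs (real actions/checkout inputs) by where their value comes from. The regexes, the finding hash, the `scan_workflow`/`classify` names and the sample workflow are all constructed for this example. The ephemeral `GITHUB_TOKEN` is deliberately not flagged, because it is job-scoped and expires when the job ends, which is exactly what a static PAT or deploy key lacks.

```ruby
require "yaml"

# Added example (not claws code): scan a GitHub Actions workflow for
# actions/checkout steps that pass a long-lived credential.
# `token` and `ssh-key` are real actions/checkout inputs; everything
# else here (names, patterns, sample data) is constructed for the example.

# actions/checkout inputs that carry a credential.
CREDENTIAL_INPUTS = %w[token ssh-key].freeze

# Where a credential value comes from. `ghp_` / `github_pat_` are real
# GitHub PAT prefixes; the private-key pattern catches a pasted SSH key.
# The ephemeral secrets.GITHUB_TOKEN is excluded on purpose: it is
# job-scoped and short-lived, so it is not a static credential.
CONTEXT_PATTERNS = {
  secret:    /\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)[A-Za-z0-9_]+\s*\}\}/,
  variable:  /\$\{\{\s*vars\.[A-Za-z0-9_]+\s*\}\}/,
  env:       /\$\{\{\s*env\.[A-Za-z0-9_]+\s*\}\}/,
  hardcoded: /\A(?:ghp_|github_pat_)[A-Za-z0-9_]+\z|-----BEGIN [A-Z ]*PRIVATE KEY-----/
}.freeze

def checkout_step?(step)
  uses = step.is_a?(Hash) ? step["uses"] : nil
  uses.is_a?(String) && uses.start_with?("actions/checkout@")
end

# Returns the context symbol for a credential value, or nil when the value
# is absent, is the ephemeral GITHUB_TOKEN, or matches no known shape.
def classify(value)
  return nil unless value.is_a?(String)
  CONTEXT_PATTERNS.each { |name, re| return name if value.match?(re) }
  nil
end

# Parse a workflow YAML string and return one finding hash per
# actions/checkout credential input that is fed from a static source.
def scan_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text) || {}
  findings = []
  (doc["jobs"] || {}).each do |job_name, job|
    steps = job.is_a?(Hash) ? (job["steps"] || []) : []
    steps.each_with_index do |step, idx|
      next unless checkout_step?(step)
      with = step["with"].is_a?(Hash) ? step["with"] : {}
      CREDENTIAL_INPUTS.each do |input|
        ctx = classify(with[input])
        next unless ctx
        findings << { job: job_name, step: idx, input: input, context: ctx }
      end
    end
  end
  findings
end

# Constructed sample workflow for this example; the PAT below is only a
# plausible shape, not a real token.
SAMPLE_WORKFLOW = <<~YAML
  name: ci
  on: push
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            token: ${{ secrets.GITHUB_TOKEN }}
        - uses: actions/checkout@v4
          with:
            repository: org/private-repo
            token: ${{ secrets.REPO_PAT }}
        - uses: actions/checkout@v4
          with:
            ssh-key: ${{ vars.DEPLOY_KEY }}
        - uses: actions/checkout@v4
          with:
            token: ghp_ThisIsNotARealTokenOnlyShape123456
    lint:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/setup-node@v4
YAML

if __FILE__ == $PROGRAM_NAME
  scan_workflow(SAMPLE_WORKFLOW).each do |f|
    puts "jobs.#{f[:job]}.steps[#{f[:step]}]: actions/checkout `#{f[:input]}` " \
         "is set from a #{f[:context]} value (static credential)"
  end
end
```

Run against the sample, the scanner reports three findings in the `build` job (the secret-backed PAT, the variable-backed SSH key, and the hardcoded PAT) and stays silent on the first checkout step and on the `lint` job. The point of the `secret` match is the one the PR body makes: a PAT stored in `secrets` is still a static credential, so the rule must not treat "it is in secrets" as safe. A real rule would also need to follow values that are wired through a job- or step-level `env:` block or a reusable workflow input, which this example does not attempt.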