
feat(CheckoutWithStaticCredentials): flag actions/checkout use with static credentials#7

Merged
6f6d6172 merged 7 commits into
mainfrom
os-static-credentials
Aug 26, 2025

Conversation

@6f6d6172

Contributor

This PR adds a detection for actions/checkout being used with static credentials. Static credentials are risky because they are difficult to keep track of or rotate in the event of an incident, and even worse, they are typically entirely unauditable. That means during an incident where these credentials may have been leaked (such as in a supply chain attack with a malicious GitHub action in your job) you will not be able to determine if the credential was misused. Even if stored via secrets, static credentials are still just as risky.

This flags

  • GitHub Personal Access Tokens (via secrets, org/repo vars, env vars, and hardcoded)
  • SSH Keys (via secrets, org/repo vars, env vars, and hardcoded)

The linked documentation includes messaging on why this is bad as well as several strategies for remediating.
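To make the categories in the list above concrete, here is an added example of the kind of check such a rule performs. It is illustrative code written for this page, not the claws project's own checkout_with_static_credentials.rb (which is not shown here). It assumes a workflow is parsed as YAML, that the checkout inputs of interest are `token` and `ssh-key`, that references to `secrets.GITHUB_TOKEN` and the `github.*` context are job-scoped and therefore not static (an assumption of this example, not a statement about the project's rule), and that hardcoded PATs can be recognised by the `ghp_` / `github_pat_` prefixes. The function names `scan_workflow` and `classify_credential` and the sample workflow are constructed for the example.

```ruby
require "yaml"

# Added example, not the claws project's code. Scans a GitHub Actions workflow
# for actions/checkout steps whose `token` or `ssh-key` input is a static
# credential, using the four categories the PR lists: secrets, org/repo vars,
# env vars, and hardcoded values.

CHECKOUT_ACTION = %r{\Aactions/checkout(@|\z)}
# ${{ <context>.<NAME> }} references; only these contexts are classified.
EXPRESSION = /\A\$\{\{\s*(?<ctx>secrets|vars|env|github)\.(?<name>\w+)\s*\}\}\z/
PAT_PREFIX = /\A(ghp_|github_pat_)/                 # classic / fine-grained PAT prefixes
PRIVATE_KEY = /-----BEGIN [A-Z ]*PRIVATE KEY-----/  # PEM / OpenSSH private key header
# Assumption of this example: the job-scoped token is the only non-static secret.
EPHEMERAL_SECRETS = %w[GITHUB_TOKEN].freeze

# Classify one checkout input value. Returns a short description of the
# finding, or nil when the value is not a static credential.
def classify_credential(input, value)
  return nil if value.nil?

  value = value.to_s.strip
  if (m = EXPRESSION.match(value))
    return nil if m[:ctx] == "github"                       # github.token etc. are ephemeral
    return nil if m[:ctx] == "secrets" && EPHEMERAL_SECRETS.include?(m[:name])

    return "#{input} via #{m[:ctx]}"                        # e.g. "token via secrets"
  end
  return "hardcoded PAT" if input == "token" && PAT_PREFIX.match?(value)
  return "hardcoded SSH key" if input == "ssh-key" && PRIVATE_KEY.match?(value)

  "hardcoded value"                                         # any other literal is still static
end

# Walk every job/step and report checkout steps with static credentials.
def scan_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  findings = []
  (doc["jobs"] || {}).each do |job_name, job|
    (job["steps"] || []).each_with_index do |step, idx|
      next unless CHECKOUT_ACTION.match?(step["uses"].to_s)

      with = step["with"] || {}
      %w[token ssh-key].each do |input|
        kind = classify_credential(input, with[input])
        findings << { job: job_name, step: idx, input: input, kind: kind } if kind
      end
    end
  end
  findings
end

# Constructed sample workflow: one finding per static-credential category,
# one benign checkout using the job-scoped token, and one non-checkout step.
SAMPLE_WORKFLOW = <<~YAML
  name: ci
  "on": [push]
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            token: ${{ secrets.BOT_PAT }}
        - uses: actions/checkout@v4
          with:
            repository: example-org/other-repo
            ssh-key: ${{ vars.DEPLOY_KEY }}
        - uses: actions/checkout@v4
          with:
            token: ${{ secrets.GITHUB_TOKEN }}
        - uses: actions/checkout@v4
          with:
            token: ghp_EXAMPLE0000000000000000000000000000
        - uses: actions/setup-node@v4
YAML

if __FILE__ == $PROGRAM_NAME
  scan_workflow(SAMPLE_WORKFLOW).each do |f|
    puts "job=#{f[:job]} step=#{f[:step]} input=#{f[:input]}: #{f[:kind]}"
  end
end
```

Running the block against the constructed workflow reports the secrets-backed PAT, the vars-backed SSH key and the hardcoded PAT, and stays silent on the `secrets.GITHUB_TOKEN` checkout. Treating every remaining literal as "hardcoded value" is deliberate: a checkout input that is neither an expression nor a recognised token format is still a credential baked into the workflow file.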

@6f6d6172

Contributor Author

/task SEC-385

does this work?

@6f6d6172 6f6d6172 requested a review from Copilot August 25, 2025 21:26

Copilot AI left a comment

Contributor


Pull Request Overview

This PR implements a new security rule to detect the use of static credentials with actions/checkout. The rule identifies potentially risky patterns where static GitHub Personal Access Tokens (PATs) or SSH keys are used for repository checkout operations.

Key changes:

  • Adds detection for static credentials in multiple contexts (secrets, variables, environment variables, hardcoded values)
  • Implements comprehensive test coverage for all credential detection scenarios
  • Provides detailed documentation explaining security risks and remediation strategies

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Summary per file:

  • lib/claws/rule/checkout_with_static_credentials.rb: Core rule implementation with regex patterns to detect static credentials in checkout actions
  • spec/claws/rule/checkout_with_static_credentials_spec.rb: Comprehensive test suite covering all credential detection scenarios
  • lib/claws/base_rule.rb: Adds get_key helper function for accessing hash values safely
  • lib/claws/rule.rb: Registers the new rule in the module system
  • README.md: Documents the rule's purpose, security rationale, and remediation strategies


@btrautmann btrautmann left a comment

Contributor


domain lgtm

@6f6d6172

Copy link
Copy Markdown
Contributor Author

/no-platform

@6f6d6172 6f6d6172 changed the title Flag actions/checkout used with static credentials feat: CheckoutWithStaticCredentials to flag actions/checkout use with static credentials Aug 26, 2025
@6f6d6172 6f6d6172 changed the title feat: CheckoutWithStaticCredentials to flag actions/checkout use with static credentials feat(CheckoutWithStaticCredentials): flag actions/checkout use with static credentials Aug 26, 2025

@rdadlani rdadlani left a comment


domain lgtm! I'm gonna spend some time later understanding claws better overall :)

@6f6d6172 6f6d6172 merged commit bc5d969 into main Aug 26, 2025
5 checks passed