diff --git a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql index a1499764ef36..b49cfb082254 100644 --- a/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql +++ b/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql @@ -2,9 +2,9 @@ * @name PATH Enviroment Variable built from user-controlled sources * @description Building the PATH environment variable from user-controlled sources may alter the execution of following system commands * @kind path-problem - * @problem.severity warning + * @problem.severity error * @security-severity 5.0 - * @precision high + * @precision medium * @id actions/envpath-injection/medium * @tags actions * security diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql index c9af38a2c507..a3285b2e945e 100644 --- a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql @@ -2,9 +2,9 @@ * @name Enviroment Variable built from user-controlled sources * @description Building an environment variable from user-controlled sources may alter the execution of following system commands * @kind path-problem - * @problem.severity warning + * @problem.severity error * @security-severity 5.0 - * @precision high + * @precision medium * @id actions/envvar-injection/medium * @tags actions * security diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql index d2969b7d6e72..4f7e951d7ed6 100644 --- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql +++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql 
@@ -3,11 +3,12 @@ * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow. * @kind problem * @security-severity 5.0 - * @problem.severity recommendation + * @problem.severity warning * @precision high * @id actions/missing-workflow-permissions * @tags actions * maintainability + * security * external/cwe/cwe-275 */ diff --git a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql index c1d22e3a1811..a83685207bc2 100644 --- a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql +++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql @@ -2,7 +2,8 @@ * @name Excessive Secrets Exposure * @description All organization and repository secrets are passed to the workflow runner. * @kind problem - * @problem.severity recommendation + * @precision high + * @problem.severity warning * @id actions/excessive-secrets-exposure * @tags actions * security diff --git a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql index 992b2aa8c5d4..d2aff7da95ff 100644 --- a/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql +++ b/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql @@ -2,8 +2,8 @@ * @name Artifact poisoning * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps. * @kind path-problem - * @problem.severity warning - * @precision high + * @problem.severity error + * @precision medium * @security-severity 5.0 * @id actions/artifact-poisoning/medium * @tags actions diff --git a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql index de8d3c2078a8..7c31a659c7de 100644 --- a/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql +++ b/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql 
@@ -3,8 +3,8 @@ * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack. * @kind problem * @security-severity 5.0 - * @problem.severity recommendation - * @precision high + * @problem.severity warning + * @precision medium * @id actions/unpinned-tag * @tags security * actions diff --git a/actions/ql/src/change-notes/2025-02-06-curate-suites.md b/actions/ql/src/change-notes/2025-02-06-curate-suites.md new file mode 100644 index 000000000000..8845e52f8f5a --- /dev/null +++ b/actions/ql/src/change-notes/2025-02-06-curate-suites.md @@ -0,0 +1,20 @@ +--- +category: breaking +--- +* The following queries have been removed from the `code-scanning` and `security-extended` suites. + Any existing alerts for these queries will be closed automatically. + * `actions/if-expression-always-true/critical` + * `actions/if-expression-always-true/high` + * `actions/unnecessary-use-of-advanced-config` + +* The following query has been moved from the `code-scanning` suite to the `security-extended` + suite. Any existing alerts for this query will be closed automatically unless the analysis is + configured to use the `security-extended` suite. + * `actions/unpinned-tag` +* The following queries have been added to the `security-extended` suite. + * `actions/unversioned-immutable-action` + * `actions/envpath-injection/medium` + * `actions/envvar-injection/medium` + * `actions/code-injection/medium` + * `actions/artifact-poisoning/medium` + * `actions/untrusted-checkout/medium` diff --git a/actions/ql/src/codeql-suites/actions-code-scanning.qls b/actions/ql/src/codeql-suites/actions-code-scanning.qls index 4cfe07484d96..13839cea05f6 100644 --- a/actions/ql/src/codeql-suites/actions-code-scanning.qls +++ b/actions/ql/src/codeql-suites/actions-code-scanning.qls 
@@ -1,11 +1,4 @@ - description: Standard Code Scanning queries for GitHub Actions -- queries: '.' -- include: - problem.severity: - - error - - recommendation -- exclude: - tags contain: - - experimental - - debug - - internal +- queries: . +- apply: code-scanning-selectors.yml + from: codeql/suite-helpers diff --git a/actions/ql/src/codeql-suites/actions-security-extended.qls b/actions/ql/src/codeql-suites/actions-security-extended.qls index 07276d22dfc8..79528a92e1a2 100644 --- a/actions/ql/src/codeql-suites/actions-security-extended.qls +++ b/actions/ql/src/codeql-suites/actions-security-extended.qls @@ -1,2 +1,4 @@ - description: Security-extended queries for GitHub Actions -- import: codeql-suites/actions-code-scanning.qls +- queries: . +- apply: security-extended-selectors.yml + from: codeql/suite-helpers
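Review bot: the `@name` context line in both the EnvPathInjectionMedium.ql and EnvVarInjectionMedium.ql hunks still reads `Enviroment`; since these hunks already edit the adjacent metadata lines, fix the spelling to `Environment` in the same change. Raising `@problem.severity` to `error` while lowering `@precision` to `medium` is what pulls these queries out of the default code-scanning suite and into security-extended, which matches the change note, but the combination reads as contradictory on its own; state that rationale in the PR description.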
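Review bot: the `@description` context line in the MissingActionsPermissions.ql hunk is ungrammatical ("to provide a clear understanding has permissions to run the workflow"); while the metadata block is being touched, reword it, e.g. `Workflows should declare permissions so that it is clear which permissions are needed to run the workflow.` Adding the `security` tag alongside the existing `@security-severity 5.0` is consistent.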
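Review bot: in the ExcessiveSecretsExposure.ql hunk the new `@precision high` line is placed before `@problem.severity`, whereas every other query file in this patch lists `@problem.severity` first; keep the order consistent across the pack. Also, no `@security-severity` appears in the visible lines of this hunk even though the query carries the `security` tag and is now `warning` severity; confirm one is present further down the header or add it, since the other security queries touched here all declare it.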
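Review bot: the `@description` context line in the ArtifactPoisoningMedium.ql hunk says "influence on consequent steps"; "influence subsequent steps" is the intended meaning, so fix it alongside the severity/precision edit. The precision drop to `medium` for both ArtifactPoisoningMedium.ql and UnpinnedActionsTag.ql is consistent with the change note (artifact-poisoning/medium was `warning` severity and so never in the old code-scanning suite, which only included `error` and `recommendation`; unpinned-tag was `recommendation` and is listed as moved).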
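Review bot: the change note lists `actions/unversioned-immutable-action`, `actions/code-injection/medium` and `actions/untrusted-checkout/medium` as added to `security-extended`, but this patch contains no metadata change for those three queries; confirm their existing `@problem.severity` and `@precision` already satisfy `security-extended-selectors.yml`, otherwise the note promises alerts the suite will not produce. Spacing is also inconsistent: there is a blank line after the first bullet group but none between the second and third; make it uniform. The `breaking` category is appropriate given the note states alerts are closed automatically.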
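Review bot: both `.qls` hunks switch to `apply: ... from: codeql/suite-helpers`, which only resolves if the actions qlpack declares `codeql/suite-helpers` as a dependency, and no `qlpack.yml` change is in this patch; confirm the dependency already exists. The removed hand-written selector excluded queries tagged `experimental`, `debug` and `internal`; verify that the shared `code-scanning-selectors.yml` and `security-extended-selectors.yml` apply equivalent exclusions so no experimental query lands in the default suites. Dropping the `import: codeql-suites/actions-code-scanning.qls` line from the security-extended suite also means the two suites are now independent selector applications over `.`, so membership is driven entirely by the severity/precision metadata changed elsewhere in this PR; that is worth a sentence in the change note.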