Repository: https://github.com/ooples/script-injection (GitHub; language: Shell; license: MIT; created 2023-11-07, last pushed 2023-11-08; 7 commits by 1 committer; generated from the template githubuniverseworkshops/workflow-script-injection). Ecosyste.ms record: https://awesome.ecosyste.ms/projects/github.com%2Fooples%2Fscript-injection

<h1 align="center">Understanding the risk of script injection in GitHub Actions workflows</h1>
<h5 align="center">@robandpdx</h5>
<h5 align="center">@decyjphr</h5>

<p align="center">
  <a href="#mega-prerequisites">Prerequisites</a> •
  <a href="#books-resources">Resources</a> •
  <a href="#learning-objectives">Learning Objectives</a>
</p>

In this workshop we will learn about the risk of script injection in GitHub Actions workflows, and how to mitigate that risk.

- **Who is this for**: developers, DevOps engineers
- **What you'll learn**: the risk of script injection in GitHub Actions workflows, and how to mitigate that risk
- **What you'll build**: workflows that are not vulnerable to script injection attacks

## Learning Objectives

In this workshop, you will:

  - Understand script injection vulnerabilities in GitHub Actions workflows
  - Learn how CodeQL can detect script injection in GitHub Actions workflows
  - Understand how GitHub Advanced Security can mitigate script injection vulnerabilities
  - Learn how to enhance the detection of vulnerabilities in workflows using third-party queries
  - Learn how to fix script injection vulnerabilities in GitHub Actions workflows
  - Learn how to use the Codespace for CodeQL to develop custom queries
  - Learn how to create custom queries to further enhance the protection of GitHub Actions workflows

## :mega: Prerequisites
Before joining the workshop, there are a few items that you will need to install or bring with you.
- An account on GitHub.com
- A public repo created from this template repo
- GitHub Actions enabled in your repository
- GitHub Advanced Security enabled in your repository

## :bomb: Exercise 1 - Script injection in the run command

There are many IssueOps automations you can build with GitHub Actions. A common use case is a request/approval process:
1. A user opens an issue requesting X.
2. If conditions are met, approval is automatic, and a GitHub Actions workflow fulfills the request.

An example of this is [request-repo-create](https://github.com/robandpdx/request-repo-create).

In this example, user input from the issue body is parsed and used in the workflow as the name of the new repository to be created.

You should always be careful when using user input in your workflows. User input can come from sources including the following:
```
github.event.issue.title
github.event.issue.body
github.event.pull_request.title
github.event.pull_request.body
github.event.comment.body
github.event.review.body
github.event.review_comment.body
github.event.pages.*.page_name
github.event.commits.*.message
github.event.head_commit.message
github.event.head_commit.author.email
github.event.head_commit.author.name
github.event.commits.*.author.email
github.event.commits.*.author.name
github.event.pull_request.head.ref
github.event.pull_request.head.label
github.event.pull_request.head.repo.default_branch
github.head_ref
```
Inside a `run:` step, a `${{ ... }}` expression is expanded by the runner into the script text before the shell parses it, so a value containing a quote and a `;` stops being data and becomes part of the program. The same applies to `${{ inputs.* }}` in a composite action's `run:` step when the caller passes such a value as an input.

The [Check issue title workflow](.github/workflows/check-issue-title.yml) simply checks whether the title of the issue (`github.event.issue.title`) begins with `octocat`. If so, the workflow succeeds. If not, the workflow fails.

The [Check issue title with action workflow](.github/workflows/check-issue-title-with-action.yml) uses an [action](.github/actions/check-issue-title-action/action.yml) that simply checks whether the input of the action begins with `octocat`. If so, the action succeeds. If not, the action fails.

The workflow and action above are vulnerable to script injection. Let's find out why they are vulnerable, and how to exploit them.
[Exercise 1](./exercises/exercise-1.md)

## :bomb: Exercise 2 - Script injection in github-script action

The [Check issue comment](.github/workflows/check-issue-comment.yml) workflow simply checks whether the issue comment (`github.event.comment.body`) begins with `octocat`. If so, the workflow succeeds. If not, the workflow fails.

This workflow is vulnerable to script injection: the comment body is interpolated into the JavaScript source that `actions/github-script` evaluates. Let's find out why it is vulnerable, and how to exploit it.
[Exercise 2](./exercises/exercise-2.md)

## :mag: Exercise 3 - Detect script injection using CodeQL

In CodeQL, code is treated like data. Security vulnerabilities, bugs, and other errors are modeled as queries that can be executed against databases extracted from code. You can run the standard CodeQL queries, written by GitHub researchers and community contributors, or write your own to use in custom analyses. Queries that find potential bugs highlight the result directly in the source file.

In CodeQL, the JavaScript extractor also extracts YAML files, and the standard JavaScript libraries model the GitHub Actions workflow syntax. GitHub also provides queries for some common CWEs in Actions workflows.

GitHub Advanced Security uses CodeQL as the tool for code scanning. Code scanning creates security alerts when vulnerabilities are found. These alerts can be viewed in GitHub and can block merges into protected branches. When a developer fixes a vulnerability, GitHub will automatically close the alert as resolved.

In the next exercise we will learn how CodeQL can detect script injection in GitHub Actions workflows and understand how GitHub Advanced Security can mitigate script injection vulnerabilities in workflows.

[Exercise 3](./exercises/exercise-3.md)

## :lock: Exercise 4 - Fixing the script injection vulnerability in the run command

Now let's learn how to mitigate the script injection vulnerability in the run command. The fix is to pass the value through an intermediate environment variable: set it in the step's `env:` block and reference it as a quoted `"$TITLE"` inside the script, so the shell receives it as data rather than as part of its program text.
[Exercise 4](./exercises/exercise-4.md)

## :lock: Exercise 5 - Fixing the script injection vulnerability in github-script action

Now let's learn how to mitigate the script injection vulnerability in the github-script action. The same rule applies: read the value from an environment variable (or from `context.payload`) inside the script rather than interpolating `${{ github.event.comment.body }}` into the JavaScript source.
[Exercise 5](./exercises/exercise-5.md)

## :european_castle: Exercise 6 - Enhance the detection of vulnerabilities using third-party queries
CodeQL is a good fit for detecting these vulnerabilities because it lets us:
- Treat workflows as code
- Treat code as data and extract it into a database
- Look for known vulnerabilities using built-in queries
- Create custom queries and expand coverage
- Use code scanning to create alerts
- Use actions to block PRs
- Use deployment protection rules to block jobs

In the next exercise we will explore how to expand the coverage by using third-party queries to detect unpinned actions in workflows (a `uses:` reference to a tag or branch rather than a full commit SHA).

[Exercise 6](./exercises/exercise-6.md)

## :european_castle: Exercise 7 - Enhance the detection of vulnerabilities using custom queries
In the next exercise we will explore how to expand the coverage by using custom queries to detect improper use of AWS credentials in workflows.

[Exercise 7](./exercises/exercise-7.md)

## :books: Resources
You can learn about script injections at [Understanding the risk of script injections](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)

You can learn about security hardening for GitHub Actions at [Security hardening for GitHub Actions](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions)

You can find examples of CodeQL queries at [CodeQL queries](https://github.com/advanced-security/codeql-queries/)

You can find [CodeQL tutorials](https://codeql.github.com/docs/writing-codeql-queries/ql-tutorials/) in our CodeQL documentation. The tutorials introduce concepts that you can practice in this codespace.

We also have [CodeQL language guides](https://codeql.github.com/docs/codeql-language-guides/) to help you experiment and learn how to write effective and efficient queries for CodeQL databases generated from the languages supported in CodeQL analysis.

You can prepare for certification in GitHub Advanced Security and Code Scanning by visiting the [Microsoft Learning Page for Advanced Security](https://learn.microsoft.com/en-us/collections/rqymc6yw8q5rey).

You can learn about Codespaces at [Codespaces](https://docs.github.com/en/codespaces)