CodeQL library for GitHub Actions
codeql/actions-all 0.4.12 (changelog, source)
Search

Module ConfigExtensions

This module provides extensible predicates for defining MaD models.

Import path

import codeql.actions.config.ConfigExtensions

Predicates

actionsPermissionsDataModel

Holds if action needs permission to run.
- 'action' is the name of the action without any version information. E.g. for the action selector actions/checkout@v2, action is actions/checkout.
- permission is of the form scope-name: read|write, for example contents: read.
- see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions for an example of recommended permissions.
- see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
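As an added illustration (not part of this reference page and not one of the library's own extension files), the following data extension shows how rows are supplied to an extensible predicate such as actionsPermissionsDataModel. It assumes the column order (action, permission) implied by the description above; the pack name comes from this page, and the rows are constructed sample values.

```yaml
# Added example, not from the codeql/actions-all library itself.
# A data extension file (e.g. placed in a CodeQL pack's ext/ directory and
# listed under `dataExtensions` in qlpack.yml) contributes rows to an
# extensible predicate. Column order assumed: [action, permission].
extensions:
  - addsTo:
      pack: codeql/actions-all
      extensible: actionsPermissionsDataModel
    data:
      # action selector without version, minimal token scope it requires
      - ["actions/checkout", "contents: read"]          # constructed sample row
      - ["example-org/deploy-action", "packages: write"] # constructed placeholder
```

Rows are matched against the action name with the version suffix stripped, so "actions/checkout@v4" in a workflow is looked up as "actions/checkout". Keeping each row to the least scope the action actually needs is what lets the library flag workflows that grant a broader GITHUB_TOKEN than their steps require.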

argumentInjectionSinksDataModel

Holds for arguments to commands that execute the given argument.

contextTriggerDataModel

Holds if a context expression starting with context_prefix is available for a given trigger.

externallyTriggerableEventsDataModel

Holds if a given trigger event can be fired by an external actor.

immutableActionsDataModel

Holds for actions that are known to be immutable.

poisonableActionsDataModel

Holds for actions that can be poisoned through local files.

poisonableCommandsDataModel

Holds for strings that match poisonable commands.

poisonableLocalScriptsDataModel

Holds for strings that match poisonable local scripts.

repositoryDataModel

Holds if repository data model exists for the given parameters.

trustedActionsOwnerDataModel

Holds for trusted Actions owners.

untrustedEventPropertiesDataModel

Holds for event properties that can be user-controlled.

untrustedGhCommandDataModel

Holds for gh commands that may introduce untrusted data.

untrustedGitCommandDataModel

Holds for git commands that may introduce untrusted data when called on an attacker-controlled branch.

vulnerableActionsDataModel

Holds for actions that are known to be vulnerable.

workflowDataModel

Holds if workflow data model exists for the given parameters.