StepSecurity Bot

icon indicating a website link https://www.stepsecurity.io/ icon indicating an email [email protected]

icon company StepSecurity icon location @step-security bot account for creating PRs. Fix GitHub Actions security issues using https://app.stepsecurity.io/securerepo

Results 109 comments of StepSecurity Bot

[KB] Add KB for messense/maturin-action

### Analysis ```yml Action Name: messense/maturin-action Action Type: Node GITHUB_TOKEN Matches: token Top language: TypeScript Stars: 47 Private: false Forks: 14 ``` ### Endpoints Found |Endpoint | Permission| |---------| ----------|...

[KB] Add KB for sequelize/proxy-release-to-open-collective

### Analysis ```yml Action Name: sequelize/proxy-release-to-open-collective Action Type: Node GITHUB_TOKEN Matches: Token Top language: JavaScript Stars: 0 Private: false Forks: 0 ``` ### Endpoints Found |Endpoint | Permission| |---------| ----------|...

[KB] Add KB for simple-elf/allure-report-action

### Analysis ```yml Action Name: simple-elf/allure-report-action Action Type: Docker GITHUB_TOKEN Matches: TOKEN,GITHUB_TOKEN,Token Stars: 56 Private: false Forks: 47 ```

[KB] Add KB for aws-actions/setup-sam

This action's `action.yml` & `README.md` doesn't contains any reference to GITHUB_TOKEN ### action-security.yml ```yaml name: "Setup AWS SAM CLI" # aws-actions/setup-sam # GITHUB_TOKEN not used ```

[KB] Add KB for damccorm/tag-ur-it

### Analysis ```yml Action Name: damccorm/tag-ur-it Action Type: Node GITHUB_TOKEN Matches: repo-token,GITHUB_TOKEN Top language: TypeScript Stars: 22 Private: false Forks: 7 ``` ### Endpoints Found |Endpoint | Permission| |---------| ----------|...

[KB] Add KB for uraimo/run-on-arch-action

### Analysis ```yml Action Name: uraimo/run-on-arch-action Action Type: Node GITHUB_TOKEN Matches: Token,token Top language: Shell Stars: 391 Private: false Forks: 86 ``` #### FollowUp Links. https://github.com/uraimo/run-on-arch-action/blob/d9e985ee32020b12e9cafe5b7d52cf0122bb7609/src/run-on-arch.sh ### action-security.yml

[KB] Add KB for liskin/gh-problem-matcher-wrap

This action's `action.yml` & `README.md` doesn't contains any reference to GITHUB_TOKEN ### action-security.yml ```yaml name: Problem Matcher wrapper (linter errors as annotations even for fork PRs) # liskin/gh-problem-matcher-wrap # GITHUB_TOKEN...

[KB] Add KB for jerray/publish-docker-action

This action's `action.yml` & `README.md` doesn't contains any reference to GITHUB_TOKEN ### action-security.yml ```yaml name: 'Publish Docker Action' # jerray/publish-docker-action # GITHUB_TOKEN not used ```

[KB] Add KB for crazy-max/ghaction-github-runtime

### Analysis ```yml Action Name: crazy-max/ghaction-github-runtime Action Type: Node GITHUB_TOKEN Matches: TOKEN,github-token,Token,token Top language: Dockerfile Stars: 16 Private: false Forks: 4 ``` ### action-security.yml

[KB] Add KB for scottbrenner/cfn-lint-action

This action's `action.yml` & `README.md` doesn't contains any reference to GITHUB_TOKEN ### action-security.yml ```yaml name: "cfn-lint-action" # scottbrenner/cfn-lint-action # GITHUB_TOKEN not used ```