scorecard
Feature: Fork pull request workflows from outside collaborators
Is your feature request related to a problem? Please describe.
A GitHub workflow that runs on the pull_request trigger from a fork PR uses the workflow file from the fork, not the PR base.
GitHub supports three options for Fork pull request workflows from outside collaborators:
- Require approval for first-time contributors who are new to GitHub
- Require approval for first-time contributors
- Require approval for all outside collaborators
The default setting is insecure: "Require approval for first-time contributors", as an attacker could send an innocent first-time contribution first (e.g. a typo fix in a documentation page) and then could trigger workflow executions with overridden actions.
The severity is high when the workflow is executed in a non-ephemeral self-hosted runner environment.
Describe the solution you'd like
I'd like scorecard to emit a finding when this config option is set to anything other than "Require approval for all outside collaborators".
Describe alternatives you've considered
Alternative options to defend against this attack vector are:
- The self-hosted runner group could be moved to the organization level and the group configured to run only on specific workflows that have already been committed to the main branch. GitHub docs
- A pre-job hook could be configured to verify whether workflow definitions are intact. GitHub docs
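An added example (not scorecard's code and not part of this issue) of the evaluation logic such a check could use: it decodes the repository's fork-PR approval setting, looks at whether the repository has self-hosted runners, and maps the three options above to a scorecard-style score and severity. The runners endpoint (`GET /repos/{owner}/{repo}/actions/runners`, field `total_count`) is GitHub's documented one; the approval-setting endpoint path and the `approval_policy` enum strings are assumptions made for this example, since the issue does not say how GitHub exposes the setting.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Values of the "Fork pull request workflows from outside collaborators"
// setting, in the order the issue lists them.
// ASSUMPTION: this example assumes GitHub exposes the setting at
//   GET /repos/{owner}/{repo}/actions/permissions/fork-pr-contributor-approval
// as {"approval_policy": "<value>"}; endpoint and enum strings are assumed.
const (
	PolicyFirstTimeNewToGitHub = "first_time_contributors_new_to_github"
	PolicyFirstTime            = "first_time_contributors" // GitHub's default
	PolicyAllOutside           = "all_external_contributors"
)

// Scorecard-style scoring: 10 is best, 0 is worst, -1 means the check could
// not determine the setting (e.g. the token lacks permission to read it).
const (
	MaxScore          = 10
	MinScore          = 0
	InconclusiveScore = -1
)

// Finding is what the proposed check would emit for a repository.
type Finding struct {
	Score    int
	Severity string // "High", "Medium", "None" or "Unknown"
	Reason   string
}

// ParseApprovalPolicy decodes the setting and rejects values outside the
// three known options so that a new, unrecognised policy is never
// silently treated as safe.
func ParseApprovalPolicy(body []byte) (string, error) {
	var resp struct {
		ApprovalPolicy string `json:"approval_policy"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("decoding fork-PR approval setting: %w", err)
	}
	switch resp.ApprovalPolicy {
	case PolicyFirstTimeNewToGitHub, PolicyFirstTime, PolicyAllOutside:
		return resp.ApprovalPolicy, nil
	}
	return "", fmt.Errorf("unexpected approval_policy %q", resp.ApprovalPolicy)
}

// ParseSelfHostedRunnerCount reads total_count from the response of
// GET /repos/{owner}/{repo}/actions/runners (repository-level runners only;
// organisation-level runner groups are not visible here).
func ParseSelfHostedRunnerCount(body []byte) (int, error) {
	var resp struct {
		TotalCount int `json:"total_count"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return 0, fmt.Errorf("decoding runner list: %w", err)
	}
	return resp.TotalCount, nil
}

// Evaluate turns the policy plus the self-hosted runner count into a finding.
// Only "all outside collaborators" passes: any weaker policy lets a
// contributor who has had one PR approved run a modified workflow file from
// their fork without review, which is the attack the issue describes.
func Evaluate(policy string, selfHostedRunners int) Finding {
	switch policy {
	case PolicyAllOutside:
		return Finding{Score: MaxScore, Severity: "None",
			Reason: "all outside collaborators need approval before fork PR workflows run"}
	case PolicyFirstTime, PolicyFirstTimeNewToGitHub:
		f := Finding{Score: MinScore, Severity: "Medium",
			Reason: fmt.Sprintf("fork PR workflow approval policy is %q; a previously approved contributor can run modified workflow files unreviewed", policy)}
		if selfHostedRunners > 0 {
			f.Severity = "High" // as the issue notes: much worse on self-hosted runners
			f.Reason += fmt.Sprintf(" (repository has %d self-hosted runner(s))", selfHostedRunners)
		}
		return f
	}
	return Finding{Score: InconclusiveScore, Severity: "Unknown",
		Reason: "fork PR workflow approval policy could not be determined"}
}

// Check wires the two responses together. An approval response that cannot
// be parsed yields an inconclusive finding rather than a pass.
func Check(approvalBody, runnersBody []byte) Finding {
	policy, err := ParseApprovalPolicy(approvalBody)
	if err != nil {
		return Finding{Score: InconclusiveScore, Severity: "Unknown", Reason: err.Error()}
	}
	runners, err := ParseSelfHostedRunnerCount(runnersBody)
	if err != nil {
		runners = 0 // runner count unknown: still report the policy itself
	}
	return Evaluate(policy, runners)
}

func main() {
	// Constructed sample responses (not captured from a real repository).
	approval := []byte(`{"approval_policy": "first_time_contributors"}`)
	runners := []byte(`{"total_count": 1, "runners": [{"id": 1, "name": "build-box", "os": "linux", "status": "online", "busy": false}]}`)
	f := Check(approval, runners)
	fmt.Printf("score=%d severity=%s reason=%s\n", f.Score, f.Severity, f.Reason)
}
```

Reading the runner list needs repository admin on the token, so a real check should treat a 403 there as "runner count unknown" and still report the weak policy, which is what `Check` does.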