Skip to content
This repository was archived by the owner on Jun 25, 2026. It is now read-only.

Commit 070b5c0

Browse files
authored
Update checkout-pr-on-issue-comment.yaml
1 parent 76128b0 commit 070b5c0

1 file changed

Lines changed: 1 addition & 37 deletions

File tree

rules/src/github-actions/checkout-pr-on-issue-comment.yaml

Lines changed: 1 addition & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -49,43 +49,7 @@ rules:
4949
likelihood: MEDIUM
5050
impact: HIGH
5151
confidence: MEDIUM
52-
53-
- id: publish-actions-cache-used
54-
languages:
55-
- yaml
56-
severity: WARNING
57-
metadata:
58-
category: security
59-
cwe:
60-
- "CWE-494: Download of Code Without Integrity Check"
61-
owasp:
62-
- A08:2021 - Software and Data Integrity Failures
63-
references:
64-
- https://github.com/MetaMask/MetaMask-planning/issues/3925
65-
technology:
66-
- github-actions
67-
- actions/cache
68-
cwe2022-top25: true
69-
cwe2021-top25: true
70-
subcategory:
71-
- audit
72-
likelihood: MEDIUM
73-
impact: HIGH
74-
confidence: MEDIUM
75-
tags: [security]
76-
shortDescription: Potential cache poisoning risk by using `actions/cache` in a publishing workflow.
77-
help: |
78-
## Remediation
79-
We recommend avoiding using `actions/cache` if this workflow publishes a release or has access to sensitive secrets.
80-
If caching is required, please see https://github.com/MetaMask/MetaMask-planning/issues/3925 for a workaround.
81-
message: >-
82-
Using GitHub's Action Cache in publishing workflows, especially in open source repositories, can be dangerous. See
83-
https://github.com/MetaMask/MetaMask-planning/issues/3925 for more details and alternative recommendations.
84-
patterns:
85-
- pattern: "uses: $ACTION_NAME"
86-
- metavariable-regex:
87-
metavariable: $ACTION_NAME
8852
regex: actions/cache@.+
8953
paths:
9054
include:
91-
- ".github/**/*publish*.yml"
55+
- ".github/**/*publish*.yml"

0 commit comments

Comments
 (0)