id: github-workflows-disclosure info: name: Github Workflow Disclosure author: dhiyaneshDk,geeknik severity: medium reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json metadata: max-request: 27 tags: exposure,config http: - method: GET path: - "{{BaseURL}}/.github/workflows/ci.yml" - "{{BaseURL}}/.github/workflows/ci.yaml" - "{{BaseURL}}/.github/workflows/CI.yml" - "{{BaseURL}}/.github/workflows/main.yml" - "{{BaseURL}}/.github/workflows/main.yaml" - "{{BaseURL}}/.github/workflows/build.yml" - "{{BaseURL}}/.github/workflows/build.yaml" - "{{BaseURL}}/.github/workflows/test.yml" - "{{BaseURL}}/.github/workflows/test.yaml" - "{{BaseURL}}/.github/workflows/tests.yml" - "{{BaseURL}}/.github/workflows/tests.yaml" - "{{BaseURL}}/.github/workflows/release.yml" - "{{BaseURL}}/.github/workflows/publish.yml" - "{{BaseURL}}/.github/workflows/deploy.yml" - "{{BaseURL}}/.github/workflows/push.yml" - "{{BaseURL}}/.github/workflows/lint.yml" - "{{BaseURL}}/.github/workflows/coverage.yml" - "{{BaseURL}}/.github/workflows/release.yaml" - "{{BaseURL}}/.github/workflows/pr.yml" - "{{BaseURL}}/.github/workflows/automerge.yml" - "{{BaseURL}}/.github/workflows/docker.yml" - "{{BaseURL}}/.github/workflows/ci-generated.yml" - "{{BaseURL}}/.github/workflows/ci-push.yml" - "{{BaseURL}}/.github/workflows/ci-daily.yml" - "{{BaseURL}}/.github/workflows/ci-issues.yml" - "{{BaseURL}}/.github/workflows/smoosh-status.yml" - "{{BaseURL}}/.github/workflows/snyk.yml" matchers-condition: and matchers: - type: regex regex: - "(?m)^\\s*\"?on\"?:" - "(?m)^\\s*\"?jobs\"?:" - "(?m)^\\s*\"?steps\"?:" - "(?m)^\\s*- \"?uses\"?:" part: body condition: and - type: status status: - 200 # digest: 4a0a00473045022100b3ef62cf01e55282edda5ca920c5052bf7660d21c0dfe9a898226bce90f379be02206a691e6a31e4d9ffeca54c5cd541c841c95cab23f0c019fa72537e286103af11:922c64590222798bb761d5b6d8e72950