id: github-workflows-disclosure info: name: Github Workflow Disclosure author: dhiyaneshDk,geeknik severity: medium description: Github Workflow was exposed. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json metadata: max-request: 27 tags: exposure,config http: - method: GET path: - "{{BaseURL}}{{paths}}" payloads: paths: - "/.github/workflows/ci.yml" - "/.github/workflows/ci.yaml" - "/.github/workflows/CI.yml" - "/.github/workflows/main.yml" - "/.github/workflows/main.yaml" - "/.github/workflows/build.yml" - "/.github/workflows/build.yaml" - "/.github/workflows/test.yml" - "/.github/workflows/test.yaml" - "/.github/workflows/tests.yml" - "/.github/workflows/tests.yaml" - "/.github/workflows/release.yml" - "/.github/workflows/publish.yml" - "/.github/workflows/deploy.yml" - "/.github/workflows/push.yml" - "/.github/workflows/lint.yml" - "/.github/workflows/coverage.yml" - "/.github/workflows/release.yaml" - "/.github/workflows/pr.yml" - "/.github/workflows/automerge.yml" - "/.github/workflows/docker.yml" - "/.github/workflows/ci-generated.yml" - "/.github/workflows/ci-push.yml" - "/.github/workflows/ci-daily.yml" - "/.github/workflows/ci-issues.yml" - "/.github/workflows/smoosh-status.yml" - "/.github/workflows/snyk.yml" matchers-condition: and matchers: - type: regex regex: - "(?m)^\\s*\"?on\"?:" - "(?m)^\\s*\"?jobs\"?:" - "(?m)^\\s*\"?steps\"?:" - "(?m)^\\s*- \"?uses\"?:" part: body condition: and - type: status status: - 200 # digest: 4a0a00473045022050d591898bee5f12a9462fcbb40498633a3b7626f959558b14bdbb5f4560633a022100e5ed474ab233b4d53d96012592ab476b45d81d4876f8640856a3adc56326444f:922c64590222798bb761d5b6d8e72950