id: github-workflows-disclosure

info:
  name: Github Workflow Disclosure
  author: dhiyaneshDk,geeknik
  severity: medium
  reference:
    - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json
  tags: exposure,config

requests:
  - method: GET
    path:
      - "{{BaseURL}}/.github/workflows/ci.yml"
      - "{{BaseURL}}/.github/workflows/ci.yaml"
      - "{{BaseURL}}/.github/workflows/CI.yml"
      - "{{BaseURL}}/.github/workflows/main.yml"
      - "{{BaseURL}}/.github/workflows/main.yaml"
      - "{{BaseURL}}/.github/workflows/build.yml"
      - "{{BaseURL}}/.github/workflows/build.yaml"
      - "{{BaseURL}}/.github/workflows/test.yml"
      - "{{BaseURL}}/.github/workflows/test.yaml"
      - "{{BaseURL}}/.github/workflows/tests.yml"
      - "{{BaseURL}}/.github/workflows/tests.yaml"
      - "{{BaseURL}}/.github/workflows/release.yml"
      - "{{BaseURL}}/.github/workflows/publish.yml"
      - "{{BaseURL}}/.github/workflows/deploy.yml"
      - "{{BaseURL}}/.github/workflows/push.yml"
      - "{{BaseURL}}/.github/workflows/lint.yml"
      - "{{BaseURL}}/.github/workflows/coverage.yml"
      - "{{BaseURL}}/.github/workflows/release.yaml"
      - "{{BaseURL}}/.github/workflows/pr.yml"
      - "{{BaseURL}}/.github/workflows/automerge.yml"
      - "{{BaseURL}}/.github/workflows/docker.yml"
      - "{{BaseURL}}/.github/workflows/ci-generated.yml"
      - "{{BaseURL}}/.github/workflows/ci-push.yml"
      - "{{BaseURL}}/.github/workflows/ci-daily.yml"
      - "{{BaseURL}}/.github/workflows/ci-issues.yml"
      - "{{BaseURL}}/.github/workflows/smoosh-status.yml"
      - "{{BaseURL}}/.github/workflows/snyk.yml"

    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "(?m)^\\s*\"?on\"?:"
          - "(?m)^\\s*\"?jobs\"?:"
          - "(?m)^\\s*\"?steps\"?:"
          - "(?m)^\\s*- \"?uses\"?:"
        part: body
        condition: and

      - type: status
        status:
          - 200