id: github-workflows-disclosure info: name: Github Workflow Disclosure author: dhiyaneshDk,geeknik severity: medium description: Github Workflow was exposed. reference: - https://github.com/detectify/ugly-duckling/blob/master/modules/crowdsourced/github-workflows-disclosure.json metadata: max-request: 27 tags: exposure,config http: - method: GET path: - "{{BaseURL}}/.github/workflows/ci.yml" - "{{BaseURL}}/.github/workflows/ci.yaml" - "{{BaseURL}}/.github/workflows/CI.yml" - "{{BaseURL}}/.github/workflows/main.yml" - "{{BaseURL}}/.github/workflows/main.yaml" - "{{BaseURL}}/.github/workflows/build.yml" - "{{BaseURL}}/.github/workflows/build.yaml" - "{{BaseURL}}/.github/workflows/test.yml" - "{{BaseURL}}/.github/workflows/test.yaml" - "{{BaseURL}}/.github/workflows/tests.yml" - "{{BaseURL}}/.github/workflows/tests.yaml" - "{{BaseURL}}/.github/workflows/release.yml" - "{{BaseURL}}/.github/workflows/publish.yml" - "{{BaseURL}}/.github/workflows/deploy.yml" - "{{BaseURL}}/.github/workflows/push.yml" - "{{BaseURL}}/.github/workflows/lint.yml" - "{{BaseURL}}/.github/workflows/coverage.yml" - "{{BaseURL}}/.github/workflows/release.yaml" - "{{BaseURL}}/.github/workflows/pr.yml" - "{{BaseURL}}/.github/workflows/automerge.yml" - "{{BaseURL}}/.github/workflows/docker.yml" - "{{BaseURL}}/.github/workflows/ci-generated.yml" - "{{BaseURL}}/.github/workflows/ci-push.yml" - "{{BaseURL}}/.github/workflows/ci-daily.yml" - "{{BaseURL}}/.github/workflows/ci-issues.yml" - "{{BaseURL}}/.github/workflows/smoosh-status.yml" - "{{BaseURL}}/.github/workflows/snyk.yml" matchers-condition: and matchers: - type: regex regex: - "(?m)^\\s*\"?on\"?:" - "(?m)^\\s*\"?jobs\"?:" - "(?m)^\\s*\"?steps\"?:" - "(?m)^\\s*- \"?uses\"?:" part: body condition: and - type: status status: - 200 # digest: 4b0a00483046022100e56df88054a45c73d5b15d61d3086ab4ed3f3fa0de22d3b48a35082287261a96022100d409551a0f0bfb018fdefc89d3eacbdd87f2ccfe512ba252435d994fcb48ff7b:922c64590222798bb761d5b6d8e72950