diff --git a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md index cc35402b804d..5d2c61150972 100644 --- a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md +++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md @@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v ### Exploitation -An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. +An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc. ## References diff --git a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql index aedf65bc564e..a8bd8a5f93dc 100644 --- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql +++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql @@ -1,6 +1,6 @@ /** * @name Workflow does not contain permissions - * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow. + * @description Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN. * @kind problem * @security-severity 5.0 * @problem.severity warning diff --git a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql index a83685207bc2..1a01033c5676 100644 --- a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql +++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql @@ -3,6 +3,7 @@ * @description All organization and repository secrets are passed to the workflow runner. * @kind problem * @precision high + * @security-severity 5.0 * @problem.severity warning * @id actions/excessive-secrets-exposure * @tags actions 
diff --git a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md index 6c681856a7b3..c33b89fdcec6 100644 --- a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md +++ b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md @@ -2,11 +2,11 @@ ## Description -Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered. +Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered. ## Recommendations -Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner. +Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner. ## Examples diff --git a/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md new file mode 100644 index 000000000000..c59e1eb9db33 --- /dev/null +++ b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md @@ -0,0 +1,4 @@ +--- +category: fix +--- +* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`. \ No newline at end of file diff --git a/docs/codeql/reusables/supported-versions-compilers.rst b/docs/codeql/reusables/supported-versions-compilers.rst index 7d5a9bdb34ab..bbefaf79ccef 100644 --- a/docs/codeql/reusables/supported-versions-compilers.rst +++ b/docs/codeql/reusables/supported-versions-compilers.rst 
@@ -16,7 +16,7 @@ .NET Core up to 3.1 .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``" - GitHub Actions [12]_,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``" + GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``" Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go`` Java,"Java 7 to 24 [5]_","javac (OpenJDK and Oracle JDK), @@ -41,4 +41,3 @@ .. [9] Requires glibc 2.17. .. [10] Support for the analysis of Swift requires macOS. .. [11] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default. - .. [12] Support for GitHub Actions is in public preview.
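Review bot: In the `MissingActionsPermissions.ql` hunk the reworded `@description` ("Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN.") fixes the broken sentence, but a user-visible description change is the kind of change other queries in this PR document; consider whether it warrants a change-note entry like the one added for `actions/excessive-secrets-exposure`, so the metadata update is recorded in the release notes.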
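Review bot: In the `ExcessiveSecretsExposure.ql` hunk, `@security-severity 5.0` only takes effect for queries tagged `security`; the trailing context ends at `@tags actions` and is cut off, so please confirm the `security` tag is present in that `@tags` line. Also, the new line sits between `@precision` and `@problem.severity`, whereas `MissingActionsPermissions.ql` in the same PR places `@security-severity` directly after `@kind`; matching that order keeps the metadata blocks consistent across the Actions queries.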
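Review bot: The new change note `2025-04-14-excessive-secrets-exposure-security-severity.md` lacks a trailing newline (`\ No newline at end of file` in the hunk); add one so the file matches the other change notes and does not produce a spurious end-of-file change in the next edit. The `category: fix` front matter and the single bullet are otherwise appropriate for a metadata-only change.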
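Review bot: In the `supported-versions-compilers.rst` hunks the `[12]_` reference in the GitHub Actions row and the `.. [12]` footnote definition are removed together, which is the right pairing since a footnote reference without its target (or vice versa) would trigger a Sphinx warning; please also grep the docs tree for any remaining `[12]_` reference, as this reusable may be included from more than one page. The remaining footnotes (`[5]_` through `[11]_`) are untouched, so no renumbering is needed.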