fix(GHA): Avoid some actions in forks #12354


Merged

Conversation

@kiblik (Contributor) commented Apr 30, 2025

Disable execution of specific GHA in forks.
They would just fail, and it just generates noise.


DryRun Security

This pull request focuses on enhancing GitHub Actions security by implementing repository-specific restrictions that limit workflow execution, deployment, and notifications to the main repository, thereby preventing unauthorized actions in forked repositories and improving overall access control.

💭 Unconfirmed Findings (4)
Workflow Repository Restrictions: GitHub Actions workflows were modified to add repository-specific conditions for deployment and notification workflows, ensuring that actions are only executed in the main DefectDojo repository, preventing unauthorized actions in forked repositories.
Deployment Limitation: Implemented a mechanism to prevent documentation deployment in forked repositories, enhancing security and controlling workflow execution.
Notification Control: Limited Slack PR reminder notifications to the core repository, reducing unnecessary communication and potential information leakage in forked repositories.
Access Control Enhancement: Added repository-level access control mechanisms to restrict workflow actions and improve overall security of the GitHub Actions workflows.

All finding details can be found in the DryRun Security Dashboard.
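The kind of repository guard the PR describes, shown as an added illustration rather than the PR's own diff (this page does not include it): a job-level `if:` on the `github.repository` context skips deployment and notification jobs when the workflow runs in a fork, where the upstream secrets do not exist and the jobs could only fail. The repository slug, script paths and secret names below are placeholders, not values taken from the project.

```yaml
name: deploy-and-notify
on:
  push:
    branches: [master]
  schedule:
    - cron: "0 9 * * 1-5"
  workflow_dispatch:

jobs:
  deploy-docs:
    # github.repository is the "owner/name" slug of the repository the
    # workflow runs in, so in a fork it is the fork's slug and this
    # comparison is false: the job is skipped instead of failing for
    # lack of the upstream deploy credentials.
    if: github.repository == 'DefectDojo/REPO_NAME'   # placeholder slug
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and publish documentation
        run: ./scripts/deploy-docs.sh              # hypothetical script
        env:
          DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }} # assumed secret name

  slack-pr-reminder:
    # Same guard on the notification job: a fork has no webhook secret
    # and should not post reminders about its own pull requests.
    if: github.repository == 'DefectDojo/REPO_NAME'   # placeholder slug
    runs-on: ubuntu-latest
    steps:
      - name: Send Slack PR reminder
        run: ./scripts/slack-pr-reminder.sh        # hypothetical script
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} # assumed
```

Putting the condition on the job rather than on individual steps keeps the skipped jobs out of the fork's check list entirely, which is the noise the commit message refers to.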

@Maffooch Maffooch added this to the 2.46.0 milestone Apr 30, 2025
@mtesauro (Contributor) left a comment


Approved

@mtesauro mtesauro merged commit dfa5304 into DefectDojo:bugfix May 2, 2025
76 checks passed
@kiblik kiblik deleted the gha_not_in_fork branch May 2, 2025 06:36