Field      Value
Category   CICD-SEC-1
Rule ID    cicd-sec-1-checkout-persist-credentials
Severity   MEDIUM
OWASP      CICD-SEC-1: Insufficient Flow Control Mechanisms
Auto-fix   Yes

What the check does

Fires only on workflows triggered by pull_request_target or workflow_run. Within those, it flags any actions/checkout step that does not set with: persist-credentials: false. By default (persist-credentials: true) actions/checkout writes the job's token into .git/config as an http.https://github.com/.extraheader entry carrying a basic-auth header, so later git commands authenticate without ever being handed the token. Under a privileged trigger that token belongs to the base repository's context: it has the permissions the workflow grants it (read/write by default unless a permissions key narrows them), not the read-only token a pull_request run from a fork receives.

Why it matters

pull_request_target and workflow_run run with repository secrets and, unless the workflow's permissions key restricts it, a writable GITHUB_TOKEN. If checkout leaves that token in .git/config and a later step runs untrusted code (a build script checked out from the PR, a third-party action, a make target), that code can read the token straight out of the workspace with git config or a plain file read and use it, even if the workflow never passes the token explicitly. With persist-credentials: false the action still authenticates its fetch with the token but removes it from .git/config before the step ends, closing that path. It closes only that path: secrets handed to the untrusted step through env or with inputs remain exposed, and running PR-controlled code under these triggers is still dangerous on its own.
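The read-it-out-of-the-workspace path described above, as an added example that is not Pipefort's code. The token is a constructed value, the .git/config is reconstructed from what actions/checkout writes (the extraheader key and the base64 basic-auth form are the action's real behaviour), and the reader is what any untrusted step could run:

```ruby
# Constructed token; not a real credential.
EXAMPLE_TOKEN = "ghs_0000000000000000000000000000000000ex"

# With persist-credentials: true (the default) actions/checkout stores the
# job token as a basic-auth header: base64("x-access-token:" + token).
def checkout_extraheader(token)
  "AUTHORIZATION: basic " + ["x-access-token:#{token}"].pack("m0")
end

# A constructed .git/config as the workspace holds it after such a checkout.
# `git config --get http.https://github.com/.extraheader` prints the same value.
def persisted_git_config(token)
  <<~CONFIG
    [core]
        repositoryformatversion = 0
        bare = false
    [remote "origin"]
        url = https://github.com/example/repo
        fetch = +refs/heads/*:refs/remotes/origin/*
    [http "https://github.com/"]
        extraheader = #{checkout_extraheader(token)}
  CONFIG
end

# What a later step can do with a plain file read: find the header under the
# [http "https://github.com/"] section and decode the token. Returns nil when
# no such header exists (the persist-credentials: false case).
def token_from_git_config(text)
  in_http_section = false
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\A\[(\w+)(?:\s+"([^"]*)")?\]\z/))
      in_http_section = (m[1] == "http" && m[2] == "https://github.com/")
    elsif in_http_section &&
          (m = line.match(/\Aextraheader\s*=\s*AUTHORIZATION:\s*basic\s+(\S+)\z/i))
      user, token = m[1].unpack1("m0").split(":", 2)
      return token if user == "x-access-token"
    end
  end
  nil
end

# The same file after the cleanup persist-credentials: false performs, which
# amounts to `git config --unset-all http.https://github.com/.extraheader`.
def scrubbed_git_config(text)
  text.lines.reject { |l| l.lstrip.start_with?("extraheader") }.join
end

if $PROGRAM_NAME == __FILE__
  cfg = persisted_git_config(EXAMPLE_TOKEN)
  puts "persisted: #{token_from_git_config(cfg).inspect}"
  puts "scrubbed:  #{token_from_git_config(scrubbed_git_config(cfg)).inspect}"
end
```

Base64 is an encoding, not protection: anything that can read the workspace recovers the token verbatim, which is why a curl to the API from a PR-supplied Makefile is all an attacker needs.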

Vulnerable example

on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # token persists in .git/config
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR head: untrusted files
      - run: make build             # the PR's Makefile can read the token

Safe alternative

on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # token used for the fetch, then removed from .git/config
      - run: make build

Auto-fix

Pipefort's --fix adds persist-credentials: false to the checkout step's with: block (creating the block if needed). It changes nothing else, so a later step that relied on the persisted token for git push or fetch will lose authentication; give such a step its credentials explicitly (for example a token passed only to that step) rather than reverting the fix.
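The check described under "What the check does" and the fix described above, as an added example that is not Pipefort's code. It uses Ruby's bundled YAML parser (Psych), takes the two workflows from this page plus two constructed variants as input, and returns findings as [job id, step index] pairs:

```ruby
require "yaml"

PRIVILEGED_TRIGGERS = %w[pull_request_target workflow_run].freeze

# Parse a workflow. YAML 1.1 parsers (Psych included) read a bare `on:` key as
# the boolean true, so re-key it to "on" before doing anything else.
def load_workflow(text)
  wf = YAML.load(text)
  return {} unless wf.is_a?(Hash)
  wf.to_h { |k, v| [k == true ? "on" : k, v] }
end

# `on:` may be a string, a list, or a mapping keyed by event name.
def triggers_of(workflow)
  case (on = workflow["on"])
  when String then [on]
  when Array  then on.map(&:to_s)
  when Hash   then on.keys.map(&:to_s)
  else []
  end
end

def privileged_trigger?(workflow)
  (triggers_of(workflow) & PRIVILEGED_TRIGGERS).any?
end

def checkout_step?(step)
  step.is_a?(Hash) && step["uses"].to_s.start_with?("actions/checkout@")
end

# True unless the step sets persist-credentials to false (boolean or "false").
def credentials_persisted?(step)
  with = step["with"]
  return true unless with.is_a?(Hash)
  with["persist-credentials"].to_s.strip.downcase != "false"
end

# Findings as [job_id, step_index] pairs; empty unless the trigger is privileged.
def find_persisted_checkouts(workflow)
  return [] unless privileged_trigger?(workflow)
  findings = []
  (workflow["jobs"] || {}).each do |job_id, job|
    next unless job.is_a?(Hash)
    Array(job["steps"]).each_with_index do |step, i|
      findings << [job_id, i] if checkout_step?(step) && credentials_persisted?(step)
    end
  end
  findings
end

# The fix: add persist-credentials: false to each flagged step's with: block,
# creating the block when the step has none. Edits the parsed tree in place.
def fix_persisted_checkouts!(workflow)
  find_persisted_checkouts(workflow).each do |job_id, i|
    step = workflow["jobs"][job_id]["steps"][i]
    step["with"] = {} unless step["with"].is_a?(Hash)
    step["with"]["persist-credentials"] = false
  end
  workflow
end

def check_yaml(text)
  find_persisted_checkouts(load_workflow(text))
end

# Re-serialising the parsed tree drops comments and formatting; a real fixer
# would patch the source text instead.
def fix_yaml(text)
  fix_persisted_checkouts!(load_workflow(text)).to_yaml
end

# Constructed inputs: the two workflows from this page and two variants.
VULNERABLE_WORKFLOW = <<~YAML
  on: pull_request_target
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            ref: ${{ github.event.pull_request.head.sha }}
        - run: make build
YAML

SAFE_WORKFLOW = <<~YAML
  on: pull_request_target
  jobs:
    build:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
          with:
            persist-credentials: false
        - run: make build
YAML

# Same checkout under an unprivileged trigger: not flagged.
PULL_REQUEST_WORKFLOW = VULNERABLE_WORKFLOW.sub("pull_request_target", "pull_request")

# List-form trigger that includes workflow_run: flagged.
LIST_TRIGGER_WORKFLOW = VULNERABLE_WORKFLOW.sub("on: pull_request_target", "on: [push, workflow_run]")

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{check_yaml(VULNERABLE_WORKFLOW).inspect}"
  puts "safe:       #{check_yaml(SAFE_WORKFLOW).inspect}"
  puts fix_yaml(VULNERABLE_WORKFLOW)
end
```

The two details that most often break home-grown versions of this check are handled explicitly: the `on` key arriving as boolean true from a YAML 1.1 parser, and `persist-credentials` arriving as the string "false" rather than a boolean when someone quotes it.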