| Field | Value |
|---|---|
| Category | CICD-SEC-1 |
| Severity | MEDIUM |
| OWASP | CICD-SEC-1: Insufficient Flow Control |
| Auto-fix | ✗ |
What the check does
Flags anif: condition — at the job or step level — that authorizes logic based
on comparing github.actor or github.triggering_actor to a bot login (a
value ending in [bot]), e.g. if: github.actor == 'dependabot[bot]'.
Why it matters
It’s tempting to gate auto-merge or privileged automation on “is this Dependabot?” by checking the actor. Butgithub.actor /
github.triggering_actor reflect who triggered the run, and across several
trigger contexts (re-runs, workflow_run, manual dispatch, and chained events)
that value is attacker-influenceable. Using it as the sole authorization
control lets an attacker reach logic meant only for the bot — auto-approving or
auto-merging malicious changes.