Skip to main content
FieldValue
CategoryCICD-SEC-1
SeverityMEDIUM
OWASPCICD-SEC-1: Insufficient Flow Control
Auto-fix

What the check does

Flags an if: condition — at the job or step level — that authorizes logic based on comparing github.actor or github.triggering_actor to a bot login (a value ending in [bot]), e.g. if: github.actor == 'dependabot[bot]'.

Why it matters

It’s tempting to gate auto-merge or privileged automation on “is this Dependabot?” by checking the actor. But github.actor / github.triggering_actor reflect who triggered the run, and across several trigger contexts (re-runs, workflow_run, manual dispatch, and chained events) that value is attacker-influenceable. Using it as the sole authorization control lets an attacker reach logic meant only for the bot — auto-approving or auto-merging malicious changes.

Vulnerable example

jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'   # ← spoofable gate on privileged action
    runs-on: ubuntu-latest
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"

Safe alternative

Authorize on the event and permissions, not the actor login. For Dependabot, gate on the dedicated metadata and trigger, and keep the privileged token out of untrusted contexts:
jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - uses: dependabot/fetch-metadata@<sha> # v2
        id: meta
      - if: steps.meta.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
More broadly: verify bot-authored changes by signed commits or the app identity, and require status checks / review (see branch protection) rather than trusting an actor string.