> ## Documentation Index
> Fetch the complete documentation index at: https://docs.pipefort.com/llms.txt
> Use this file to discover all available pages before exploring further.

# CICD-SEC-1 — Security decision based on a spoofable actor check

> Gating privileged logic on github.actor compared to a bot login is spoofable.

| Field    | Value                                                                                                                                               |
| -------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| Category | `CICD-SEC-1`                                                                                                                                        |
| Severity | **MEDIUM**                                                                                                                                          |
| OWASP    | [CICD-SEC-1: Insufficient Flow Control](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-01-Insufficient-Flow-Control-Mechanisms) |
| Auto-fix | ✗                                                                                                                                                   |

## What the check does

Flags an `if:` condition — at the job or step level — that authorizes logic based
on comparing `github.actor` or `github.triggering_actor` to a **bot login** (a
value ending in `[bot]`), e.g. `if: github.actor == 'dependabot[bot]'`.

## Why it matters

It's tempting to gate auto-merge or privileged automation on "is this
Dependabot?" by checking the actor. But `github.actor` /
`github.triggering_actor` reflect *who triggered the run*, and across several
trigger contexts (re-runs, `workflow_run`, manual dispatch, and chained events)
that value is attacker-influenceable. Using it as the **sole** authorization
control lets an attacker reach logic meant only for the bot — auto-approving or
auto-merging malicious changes.

## Vulnerable example

```yaml theme={null}
jobs:
  automerge:
    if: github.actor == 'dependabot[bot]'   # ← spoofable gate on privileged action
    runs-on: ubuntu-latest
    steps:
      - run: gh pr merge --auto --squash "$PR_URL"
```

## Safe alternative

Authorize on the **event and permissions**, not the actor login. For Dependabot,
gate on the dedicated metadata and trigger, and keep the privileged token out of
untrusted contexts:

```yaml theme={null}
jobs:
  automerge:
    runs-on: ubuntu-latest
    steps:
      - uses: dependabot/fetch-metadata@<sha> # v2
        id: meta
      - if: steps.meta.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
```

More broadly: verify bot-authored changes by signed commits or the app identity,
and require status checks / review (see [branch protection](/rules/cicd-sec-1-bp-missing))
rather than trusting an actor string.
